Key lengths same as letsencrypt
This commit is contained in:
parent
99bb2ced9d
commit
3cf283dbe4
@ -311,7 +311,7 @@ function add_cert_selfsigned {
|
||||||
|
|
||||||
openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \
|
openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \
|
||||||
-subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
|
-subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
|
||||||
-newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \
|
-newkey rsa:2048 -keyout /etc/ssl/private/${CERTFILE}.key \
|
||||||
-out /etc/ssl/certs/${CERTFILE}.crt
|
-out /etc/ssl/certs/${CERTFILE}.crt
|
||||||
chmod 400 /etc/ssl/private/${CERTFILE}.key
|
chmod 400 /etc/ssl/private/${CERTFILE}.key
|
||||||
chmod 640 /etc/ssl/certs/${CERTFILE}.crt
|
chmod 640 /etc/ssl/certs/${CERTFILE}.crt
|
||||||
|
|
|
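Review bot: The 2048-bit key on the `-newkey` line is paired with a ten-year validity (`-days 3650`) two lines above it, so the Let's Encrypt comparison only half applies: their 2048-bit leaf keys are replaced every 90 days, whereas this self-signed key stays in service for a decade. If the size is reduced, consider shortening `-days` too, or at least record the tradeoff, e.g. `# 2048-bit RSA matches Let's Encrypt, but this cert is valid 10 years, not 90 days`. The same literal size is now repeated in install_ipfs_go, configure_imap_client_certs and configure_ssh_client on this page; one `RSA_KEY_BITS=2048` read by all of them would stop the values drifting apart again. add_cert_selfsigned starts and ends outside the hunk.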
@ -519,7 +519,7 @@ function install_ipfs_go {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# initialise
|
# initialise
|
||||||
su -c "$IPFS_PATH/ipfs init -b 4096" - $MY_USERNAME
|
su -c "$IPFS_PATH/ipfs init -b 2048" - $MY_USERNAME
|
||||||
if [ ! -d /home/$MY_USERNAME/.ipfs ]; then
|
if [ ! -d /home/$MY_USERNAME/.ipfs ]; then
|
||||||
echo "IPFS could not be initialised for user $MY_USERNAME"
|
echo "IPFS could not be initialised for user $MY_USERNAME"
|
||||||
exit 7358
|
exit 7358
|
||||||
|
|
|
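Review bot: The IPFS identity key is not a TLS certificate, so "same as letsencrypt" is not a rationale for `-b 2048` here; the peer ID is derived from this key and nothing in the script rotates it, which makes it closer to a long-lived signing key than to a 90-day leaf certificate. A short comment on the `su -c` line stating the chosen tradeoff would help the next reader, e.g. `# 2048-bit RSA: peer ID derives from this key and it is never rotated`. Separately, `exit 7358` on the failure path is reduced modulo 256 by the shell, so the status a caller actually sees is 190; a code below 256 would be matchable. install_ipfs_go starts and ends outside the hunk.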
@ -1454,7 +1454,7 @@ function configure_imap_client_certs {
|
||||||
echo 'serial = sslserial' >> /etc/ssl/dovecot-ca.cnf
|
echo 'serial = sslserial' >> /etc/ssl/dovecot-ca.cnf
|
||||||
echo 'default_days = 3650' >> /etc/ssl/dovecot-ca.cnf
|
echo 'default_days = 3650' >> /etc/ssl/dovecot-ca.cnf
|
||||||
echo 'default_md = sha256' >> /etc/ssl/dovecot-ca.cnf
|
echo 'default_md = sha256' >> /etc/ssl/dovecot-ca.cnf
|
||||||
echo 'default_bits = 4096' >> /etc/ssl/dovecot-ca.cnf
|
echo 'default_bits = 2048' >> /etc/ssl/dovecot-ca.cnf
|
||||||
echo 'policy = dovecot-ca_policy' >> /etc/ssl/dovecot-ca.cnf
|
echo 'policy = dovecot-ca_policy' >> /etc/ssl/dovecot-ca.cnf
|
||||||
echo 'x509_extensions = dovecot-ca_extensions' >> /etc/ssl/dovecot-ca.cnf
|
echo 'x509_extensions = dovecot-ca_extensions' >> /etc/ssl/dovecot-ca.cnf
|
||||||
echo '' >> /etc/ssl/dovecot-ca.cnf
|
echo '' >> /etc/ssl/dovecot-ca.cnf
|
||||||
|
|
|
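Review bot: `default_bits` is the key size `openssl req` uses when generating keys from this dovecot-ca.cnf (the section header it belongs to is outside the hunk), and `default_days = 3650` two lines above gives the resulting certificates a ten-year lifetime, so the exposure window is roughly forty times that of a 90-day Let's Encrypt leaf. Keeping `default_bits = 4096` for this private CA, or lowering `default_days`, would preserve the previous margin; whichever is chosen, record it next to the line, e.g. `# default_bits governs keys generated from this CA config; certs live 10 years, so size matters more than for short-lived certs`. Note also that the `>>` appends will duplicate every directive if the function runs twice, which is pre-existing. configure_imap_client_certs starts and ends outside the hunk.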
@ -154,7 +154,7 @@ function configure_ssh_client {
|
||||||
ssh-keygen -t ed25519 -o -a 100
|
ssh-keygen -t ed25519 -o -a 100
|
||||||
fi
|
fi
|
||||||
if [ ! -f /home/$CURR_USER/.ssh/id_rsa ]; then
|
if [ ! -f /home/$CURR_USER/.ssh/id_rsa ]; then
|
||||||
ssh-keygen -t rsa -b 4096 -o -a 100
|
ssh-keygen -t rsa -b 2048 -o -a 100
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ssh_remove_small_moduli
|
ssh_remove_small_moduli
|
||||||
|
|
|
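Review bot: The `-b 2048` change is inconsistent with the second configure_ssh_client hunk further down the page, where the equivalent RSA generation for `~/.ssh/id_rsa` is commented out entirely; one path now creates a 2048-bit RSA user key and the other creates none, so the two should agree on whether RSA user keys are still wanted alongside the ed25519 key generated above. Independently of the size, the guard tests `/home/$CURR_USER/.ssh/id_rsa` but `ssh-keygen` runs with no `-f`, so it writes to the invoking user's own `~/.ssh` and prompts interactively; `ssh-keygen -t rsa -b 2048 -o -a 100 -f "/home/$CURR_USER/.ssh/id_rsa"` would make the guard and the output refer to the same file. configure_ssh_client starts and ends outside the hunk.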
@ -46,12 +46,13 @@ function configure_ssh {
|
||||||
sed -i 's/#PermitRootLogin no/PermitRootLogin no/g' /etc/ssh/sshd_config
|
sed -i 's/#PermitRootLogin no/PermitRootLogin no/g' /etc/ssh/sshd_config
|
||||||
sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config
|
sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config
|
||||||
sed -i 's/#X11Forwarding no/X11Forwarding no/g' /etc/ssh/sshd_config
|
sed -i 's/#X11Forwarding no/X11Forwarding no/g' /etc/ssh/sshd_config
|
||||||
sed -i 's/ServerKeyBits.*/ServerKeyBits 4096/g' /etc/ssh/sshd_config
|
sed -i 's/ServerKeyBits.*/ServerKeyBits 2048/g' /etc/ssh/sshd_config
|
||||||
sed -i 's/#ServerKeyBits 4096/ServerKeyBits 4096/g' /etc/ssh/sshd_config
|
sed -i 's/#ServerKeyBits 2048/ServerKeyBits 2048/g' /etc/ssh/sshd_config
|
||||||
sed -i 's/TCPKeepAlive.*/TCPKeepAlive no/g' /etc/ssh/sshd_config
|
sed -i 's/TCPKeepAlive.*/TCPKeepAlive no/g' /etc/ssh/sshd_config
|
||||||
sed -i 's/#TCPKeepAlive no/TCPKeepAlive no/g' /etc/ssh/sshd_config
|
sed -i 's/#TCPKeepAlive no/TCPKeepAlive no/g' /etc/ssh/sshd_config
|
||||||
sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config
|
sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config
|
||||||
sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config
|
sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config
|
||||||
|
sed -i 's|#HostKey /etc/ssh/ssh_host_ed25519_key|HostKey /etc/ssh/ssh_host_ed25519_key|g' /etc/ssh/sshd_config
|
||||||
if ! grep -q 'DebianBanner' /etc/ssh/sshd_config; then
|
if ! grep -q 'DebianBanner' /etc/ssh/sshd_config; then
|
||||||
echo 'DebianBanner no' >> /etc/ssh/sshd_config
|
echo 'DebianBanner no' >> /etc/ssh/sshd_config
|
||||||
else
|
else
|
||||||
|
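Review bot: `ServerKeyBits` only sizes the ephemeral server key of SSH protocol 1, which protocol-2-only sshd builds ignore and newer OpenSSH releases treat as deprecated, so lowering it from 4096 to 2048 changes nothing for protocol 2 clients; the two sed lines could be dropped, or marked `# ServerKeyBits is SSH-1 only; harmless no-op on protocol-2 sshd`. The added ed25519 `HostKey` line only uncomments a pre-existing `#HostKey /etc/ssh/ssh_host_ed25519_key` entry, so on a config that lacks it nothing is enabled, and if the key file is absent sshd logs an error at start. Mirroring the `grep -q` append pattern used for DebianBanner below, and running `[ -f /etc/ssh/ssh_host_ed25519_key ] || ssh-keygen -A` first, would make the enablement reliable. configure_ssh starts and ends outside the hunk.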
@ -126,9 +127,9 @@ function configure_ssh_client {
|
||||||
if [ ! -f ~/.ssh/id_ed25519 ]; then
|
if [ ! -f ~/.ssh/id_ed25519 ]; then
|
||||||
ssh-keygen -t ed25519 -o -a 100
|
ssh-keygen -t ed25519 -o -a 100
|
||||||
fi
|
fi
|
||||||
if [ ! -f ~/.ssh/id_rsa ]; then
|
#if [ ! -f ~/.ssh/id_rsa ]; then
|
||||||
ssh-keygen -t rsa -b 4096 -o -a 100
|
# ssh-keygen -t rsa -b 2048 -o -a 100
|
||||||
fi
|
#fi
|
||||||
|
|
||||||
function_check ssh_remove_small_moduli
|
function_check ssh_remove_small_moduli
|
||||||
ssh_remove_small_moduli
|
ssh_remove_small_moduli
|
||||||
|
|
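Review bot: Commenting the three lines out rather than deleting them leaves dead code in configure_ssh_client, and the commented `-b 2048` contradicts the other configure_ssh_client hunk on this page, which still generates a 2048-bit RSA key under `/home/$CURR_USER`. If RSA user keys are no longer wanted, remove the block and state the decision, e.g. `# only an ed25519 user key is generated; RSA user keys are no longer created`, and apply the same decision to the other path so both behave alike. configure_ssh_client starts before the hunk.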