From 5bf98b34f84ba1be7763145dafac1f56d90024ea Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Tue, 20 Sep 2016 22:19:10 +0100
Subject: [PATCH] Use current bettercrypto ssh parameters
---
 src/freedombone-client | 2 +
 src/freedombone-utils-ssh | 174 +++++++++++++++++++-------------------
 2 files changed, 89 insertions(+), 87 deletions(-)
diff --git a/src/freedombone-client b/src/freedombone-client
index bc5cfed4..47b471c6 100755
--- a/src/freedombone-client
+++ b/src/freedombone-client
@@ -121,6 +121,8 @@ function configure_ssh_client {
 sudo mv ~/ssh_config /etc/ssh/ssh_config
 sudo chown root:root /etc/ssh/ssh_config
 fi
+ sudo sed -i "s/HostKeyAlgorithms.*/#HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS/g" /etc/ssh/ssh_config
+ sudo sed -i "s/Ciphers.*/Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config
 if ! grep -q "Ciphers " /etc/ssh/ssh_config; then
 sudo cp /etc/ssh/ssh_config ~/ssh_config
diff --git a/src/freedombone-utils-ssh b/src/freedombone-utils-ssh
index c5624fdf..6e99f8e2 100755
--- a/src/freedombone-utils-ssh
+++ b/src/freedombone-utils-ssh
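Review bot: The new `sudo sed -i "s/Ciphers.*/Ciphers $SSH_CIPHERS/g"` rewrites every line containing `Ciphers`, including a commented-out `#   Ciphers …` example line if the distribution's ssh_config ships one, and leaves it commented; the following `if ! grep -q "Ciphers "` then matches that commented line and skips the append, so the client can end up with no effective Ciphers directive at all. Anchor the presence check on an uncommented directive, e.g. `if ! grep -q "^[[:space:]]*Ciphers " /etc/ssh/ssh_config; then`. The first added line turns any `HostKeyAlgorithms` line into a commented `#HostKeyAlgorithms …`, which disables host-key-algorithm pinning on the client with no comment saying why, and because `HostKeyAlgorithms.*` also matches the already-commented result, each rerun prefixes another `#`; if disabling is intended, a one-line comment stating the reason belongs above it. configure_ssh_client starts before and ends after this hunk.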
@@ -30,113 +30,113 @@ SSH_PORT=2222
-# ssh (from https://stribika.github.io/2015/01/04/secure-secure-shell.html)
-SSH_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
-SSH_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com"
-SSH_KEX="curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
+# Settings from bettercrypto.org
+SSH_CIPHERS="aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr"
+SSH_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
+SSH_KEX="diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1"
 SSH_HOST_KEY_ALGORITHMS="ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-ed25519,ssh-rsa"
 function configure_ssh {
- if grep -Fxq "configure_ssh" $COMPLETION_FILE; then
- return
- fi
- sed -i "s/Port .*/Port $SSH_PORT/g" /etc/ssh/sshd_config
- sed -i 's/PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config
- sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config
- sed -i 's/ServerKeyBits.*/ServerKeyBits 4096/g' /etc/ssh/sshd_config
- sed -i 's/TCPKeepAlive.*/TCPKeepAlive no/g' /etc/ssh/sshd_config
- sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config
- sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config
- if ! grep -q 'DebianBanner' /etc/ssh/sshd_config; then
- echo 'DebianBanner no' >> /etc/ssh/sshd_config
- else
- sed -i 's|DebianBanner.*|DebianBanner no|g' /etc/ssh/sshd_config
- fi
- if grep -q 'ClientAliveInterval' /etc/ssh/sshd_config; then
- sed -i 's/ClientAliveInterval.*/ClientAliveInterval 60/g' /etc/ssh/sshd_config
- else
- echo 'ClientAliveInterval 60' >> /etc/ssh/sshd_config
- fi
- if grep -q 'ClientAliveCountMax' /etc/ssh/sshd_config; then
- sed -i 's/ClientAliveCountMax.*/ClientAliveCountMax 3/g' /etc/ssh/sshd_config
- else
- echo 'ClientAliveCountMax 3' >> /etc/ssh/sshd_config
- fi
- if grep -q 'Ciphers' /etc/ssh/sshd_config; then
- sed -i "s|Ciphers.*|Ciphers $SSH_CIPHERS|g" /etc/ssh/sshd_config
- else
- echo "Ciphers $SSH_CIPHERS" >> /etc/ssh/sshd_config
- fi
- if grep -q 'MACs' /etc/ssh/sshd_config; then
- sed -i "s|MACs.*|MACs $SSH_MACS|g" /etc/ssh/sshd_config
- else
- echo "MACs $SSH_MACS" >> /etc/ssh/sshd_config
- fi
- if grep -q 'KexAlgorithms' /etc/ssh/sshd_config; then
- sed -i "s|KexAlgorithms.*|KexAlgorithms $SSH_KEX|g" /etc/ssh/sshd_config
- else
- echo "KexAlgorithms $SSH_KEX" >> /etc/ssh/sshd_config
- fi
+ if grep -Fxq "configure_ssh" $COMPLETION_FILE; then
+ return
+ fi
+ sed -i "s/Port .*/Port $SSH_PORT/g" /etc/ssh/sshd_config
+ sed -i 's/PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config
+ sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config
+ sed -i 's/ServerKeyBits.*/ServerKeyBits 4096/g' /etc/ssh/sshd_config
+ sed -i 's/TCPKeepAlive.*/TCPKeepAlive no/g' /etc/ssh/sshd_config
+ sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config
+ sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config
+ if ! grep -q 'DebianBanner' /etc/ssh/sshd_config; then
+ echo 'DebianBanner no' >> /etc/ssh/sshd_config
+ else
+ sed -i 's|DebianBanner.*|DebianBanner no|g' /etc/ssh/sshd_config
+ fi
+ if grep -q 'ClientAliveInterval' /etc/ssh/sshd_config; then
+ sed -i 's/ClientAliveInterval.*/ClientAliveInterval 60/g' /etc/ssh/sshd_config
+ else
+ echo 'ClientAliveInterval 60' >> /etc/ssh/sshd_config
+ fi
+ if grep -q 'ClientAliveCountMax' /etc/ssh/sshd_config; then
+ sed -i 's/ClientAliveCountMax.*/ClientAliveCountMax 3/g' /etc/ssh/sshd_config
+ else
+ echo 'ClientAliveCountMax 3' >> /etc/ssh/sshd_config
+ fi
+ if grep -q 'Ciphers' /etc/ssh/sshd_config; then
+ sed -i "s|Ciphers.*|Ciphers $SSH_CIPHERS|g" /etc/ssh/sshd_config
+ else
+ echo "Ciphers $SSH_CIPHERS" >> /etc/ssh/sshd_config
+ fi
+ if grep -q 'MACs' /etc/ssh/sshd_config; then
+ sed -i "s|MACs.*|MACs $SSH_MACS|g" /etc/ssh/sshd_config
+ else
+ echo "MACs $SSH_MACS" >> /etc/ssh/sshd_config
+ fi
+ if grep -q 'KexAlgorithms' /etc/ssh/sshd_config; then
+ sed -i "s|KexAlgorithms.*|KexAlgorithms $SSH_KEX|g" /etc/ssh/sshd_config
+ else
+ echo "KexAlgorithms $SSH_KEX" >> /etc/ssh/sshd_config
+ fi
- apt-get -y install fail2ban
+ apt-get -y install fail2ban
- function_check configure_firewall_for_ssh
+ function_check configure_firewall_for_ssh
- configure_firewall_for_ssh
+ configure_firewall_for_ssh
- echo 'configure_ssh' >> $COMPLETION_FILE
+ echo 'configure_ssh' >> $COMPLETION_FILE
 }
 # see https://stribika.github.io/2015/01/04/secure-secure-shell.html
 function ssh_remove_small_moduli {
- awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
- mv ~/moduli /etc/ssh/moduli
+ awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
+ mv ~/moduli /etc/ssh/moduli
 }
 function configure_ssh_client {
- if grep -Fxq "configure_ssh_client" $COMPLETION_FILE; then
- return
- fi
- #sed -i 's/# PasswordAuthentication.*/ PasswordAuthentication no/g' /etc/ssh/ssh_config
- #sed -i 's/# ChallengeResponseAuthentication.*/ ChallengeResponseAuthentication no/g' /etc/ssh/ssh_config
- sed -i "s/# HostKeyAlgorithms.*/ HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS/g" /etc/ssh/ssh_config
- sed -i "s/# Ciphers.*/ Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config
- sed -i "s/# MACs.*/ MACs $SSH_MACS/g" /etc/ssh/ssh_config
- if ! grep -q "HostKeyAlgorithms" /etc/ssh/ssh_config; then
- echo " HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS" >> /etc/ssh/ssh_config
- fi
- sed -i "s/Ciphers.*/Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config
- if ! grep -q "Ciphers " /etc/ssh/ssh_config; then
- echo " Ciphers $SSH_CIPHERS" >> /etc/ssh/ssh_config
- fi
- sed -i "s/MACs.*/MACs $SSH_MACS/g" /etc/ssh/ssh_config
- if ! grep -q "MACs " /etc/ssh/ssh_config; then
- echo " MACs $SSH_MACS" >> /etc/ssh/ssh_config
- fi
+ if grep -Fxq "configure_ssh_client" $COMPLETION_FILE; then
+ return
+ fi
+ #sed -i 's/# PasswordAuthentication.*/ PasswordAuthentication no/g' /etc/ssh/ssh_config
+ #sed -i 's/# ChallengeResponseAuthentication.*/ ChallengeResponseAuthentication no/g' /etc/ssh/ssh_config
+ sed -i "s/# HostKeyAlgorithms.*/ HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS/g" /etc/ssh/ssh_config
+ sed -i "s/# Ciphers.*/ Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config
+ sed -i "s/# MACs.*/ MACs $SSH_MACS/g" /etc/ssh/ssh_config
+ if ! grep -q "HostKeyAlgorithms" /etc/ssh/ssh_config; then
+ echo " HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS" >> /etc/ssh/ssh_config
+ fi
+ sed -i "s/Ciphers.*/Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config
+ if ! grep -q "Ciphers " /etc/ssh/ssh_config; then
+ echo " Ciphers $SSH_CIPHERS" >> /etc/ssh/ssh_config
+ fi
+ sed -i "s/MACs.*/MACs $SSH_MACS/g" /etc/ssh/ssh_config
+ if ! grep -q "MACs " /etc/ssh/ssh_config; then
+ echo " MACs $SSH_MACS" >> /etc/ssh/ssh_config
+ fi
- # Create ssh keys
- if [ ! -f ~/.ssh/id_ed25519 ]; then
- ssh-keygen -t ed25519 -o -a 100
- fi
- if [ ! -f ~/.ssh/id_rsa ]; then
- ssh-keygen -t rsa -b 4096 -o -a 100
- fi
+ # Create ssh keys
+ if [ ! -f ~/.ssh/id_ed25519 ]; then
+ ssh-keygen -t ed25519 -o -a 100
+ fi
+ if [ ! -f ~/.ssh/id_rsa ]; then
+ ssh-keygen -t rsa -b 4096 -o -a 100
+ fi
- function_check ssh_remove_small_moduli
- ssh_remove_small_moduli
- echo 'configure_ssh_client' >> $COMPLETION_FILE
+ function_check ssh_remove_small_moduli
+ ssh_remove_small_moduli
+ echo 'configure_ssh_client' >> $COMPLETION_FILE
 }
 function regenerate_ssh_keys {
- if grep -Fxq "regenerate_ssh_keys" $COMPLETION_FILE; then
- return
- fi
- rm -f /etc/ssh/ssh_host_*
- dpkg-reconfigure openssh-server
+ if grep -Fxq "regenerate_ssh_keys" $COMPLETION_FILE; then
+ return
+ fi
+ rm -f /etc/ssh/ssh_host_*
+ dpkg-reconfigure openssh-server
- function_check ssh_remove_small_moduli
- ssh_remove_small_moduli
+ function_check ssh_remove_small_moduli
+ ssh_remove_small_moduli
 systemctl restart ssh
- echo 'regenerate_ssh_keys' >> $COMPLETION_FILE
+ echo 'regenerate_ssh_keys' >> $COMPLETION_FILE
 }
 # NOTE: deliberately no exit 0
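Review bot: The new `SSH_KEX` value drops `curve25519-sha256@libssh.org` and adds two SHA-1 key exchanges (`diffie-hellman-group14-sha1`, `diffie-hellman-group-exchange-sha1`), and `SSH_CIPHERS` loses `chacha20-poly1305@openssh.com`, so relative to the previous stribika-derived lists this is a loosening rather than a pure refresh, and the one-line comment `# Settings from bettercrypto.org` does not say why; if legacy-peer compatibility is the motive, state it there and keep the strongest method first, e.g. `SSH_KEX="curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"` with the SHA-1 groups appended only if a specific peer needs them. Note also that `configure_ssh` and `configure_ssh_client` return early when their marker is already in `$COMPLETION_FILE`, so hosts installed with the old values never receive the new Ciphers/MACs/KexAlgorithms lines — a migration step or a versioned marker is needed for this change to reach existing installs. The remainder of the hunk is a whitespace-only re-indent; since those lines are being re-added anyway, the unquoted `$COMPLETION_FILE` in the `grep -Fxq` and `echo … >>` lines would be worth quoting at the same time.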