free
/
freedombone
关注 1
点赞 0
派生 0
代码 工单 0 合并请求 0 版本发布 0 百科 动态
8001 提交
5 分支
目录树: 9543fea1af
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '9543fea1af'
${ noResults }
freedombone/src/freedombone-utils-ssh

freedombone-utils-ssh 9.5KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # ssh functions

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. SSH_PORT=2222

  32. 

  33. # Settings from bettercrypto.org openssh 6.6+

  34. SSH_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr"

  35. SSH_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"

  36. SSH_KEX="curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1"

  37. SSH_HOST_KEY_ALGORITHMS="ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-ed25519,ssh-rsa"

  38. 

  39. function configure_ssh {

  40.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  41.         return

  42.     fi

  43. 

  44.     if ! grep -q 'RhostsRSAAuthentication' /etc/ssh/sshd_config; then

  45.         echo 'RhostsRSAAuthentication yes' >> /etc/ssh/sshd_config

  46.     fi

  47.     sed -i 's|#RhostsRSAAuthentication.*|RhostsRSAAuthentication yes|g' /etc/ssh/sshd_config

  48.     sed -i 's|RhostsRSAAuthentication.*|RhostsRSAAuthentication yes|g' /etc/ssh/sshd_config

  49.     sed -i 's|#StrictModes.*|StrictModes yes|g' /etc/ssh/sshd_config

  50.     sed -i 's|StrictModes.*|StrictModes yes|g' /etc/ssh/sshd_config

  51.     sed -i 's|#KerberosAuthentication.*|KerberosAuthentication no|g' /etc/ssh/sshd_config

  52.     sed -i 's|KerberosAuthentication.*|KerberosAuthentication no|g' /etc/ssh/sshd_config

  53.     sed -i 's|#GSSAPIAuthentication.*|GSSAPIAuthentication no|g' /etc/ssh/sshd_config

  54.     sed -i 's|GSSAPIAuthentication.*|GSSAPIAuthentication no|g' /etc/ssh/sshd_config

  55.     sed -i 's|#IgnoreUserKnownHosts.*|IgnoreUserKnownHosts yes|g' /etc/ssh/sshd_config

  56.     sed -i 's|IgnoreUserKnownHosts.*|IgnoreUserKnownHosts yes|g' /etc/ssh/sshd_config

  57.     sed -i 's|#Compression.*|Compression delayed|g' /etc/ssh/sshd_config

  58.     sed -i 's|Compression.*|Compression delayed|g' /etc/ssh/sshd_config

  59.     if ! grep -q 'HostbasedAuthentication' /etc/ssh/sshd_config; then

  60.         echo 'HostbasedAuthentication no' >> /etc/ssh/sshd_config

  61.     fi

  62.     sed 's|#HostbasedAuthentication.*|HostbasedAuthentication no|g' /etc/ssh/sshd_config

  63.     sed 's|HostbasedAuthentication.*|HostbasedAuthentication no|g' /etc/ssh/sshd_config

  64.     sed -i 's|#PrintLastLog.*|PrintLastLog yes|g' /etc/ssh/sshd_config

  65.     sed -i 's|PrintLastLog.*|PrintLastLog yes|g' /etc/ssh/sshd_config

  66.     sed -i 's|#IgnoreRhosts.*|IgnoreRhosts yes|g' /etc/ssh/sshd_config

  67.     sed -i 's|IgnoreRhosts.*|IgnoreRhosts yes|g' /etc/ssh/sshd_config

  68.     sed -i "s/Port .*/Port $SSH_PORT/g" /etc/ssh/sshd_config

  69.     sed -i "s/#Port ${SSH_PORT}/Port ${SSH_PORT}/g" /etc/ssh/sshd_config

  70.     sed -i 's|#PermitEmptyPasswords.*|PermitEmptyPasswords no|g' /etc/ssh/sshd_config

  71.     sed -i 's|PermitEmptyPasswords.*|PermitEmptyPasswords no|g' /etc/ssh/sshd_config

  72.     sed -i 's/PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config

  73.     sed -i 's/#PermitRootLogin no/PermitRootLogin no/g' /etc/ssh/sshd_config

  74.     sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config

  75.     sed -i 's/#X11Forwarding no/X11Forwarding no/g' /etc/ssh/sshd_config

  76.     sed -i 's/ServerKeyBits.*/ServerKeyBits 2048/g' /etc/ssh/sshd_config

  77.     sed -i 's/#ServerKeyBits 2048/ServerKeyBits 2048/g' /etc/ssh/sshd_config

  78.     sed -i 's/TCPKeepAlive.*/TCPKeepAlive no/g' /etc/ssh/sshd_config

  79.     sed -i 's/#TCPKeepAlive no/TCPKeepAlive no/g' /etc/ssh/sshd_config

  80.     sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config

  81.     sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config

  82.     sed -i 's|#HostKey /etc/ssh/ssh_host_ed25519_key|HostKey /etc/ssh/ssh_host_ed25519_key|g' /etc/ssh/sshd_config

  83.     if ! grep -q 'DebianBanner' /etc/ssh/sshd_config; then

  84.         echo 'DebianBanner no' >> /etc/ssh/sshd_config

  85.     else

  86.         sed -i 's|DebianBanner.*|DebianBanner no|g' /etc/ssh/sshd_config

  87.     fi

  88.     if grep -q 'ClientAliveInterval' /etc/ssh/sshd_config; then

  89.         sed -i 's/ClientAliveInterval.*/ClientAliveInterval 60/g' /etc/ssh/sshd_config

  90.     else

  91.         echo 'ClientAliveInterval 60' >> /etc/ssh/sshd_config

  92.     fi

  93.     sed -i 's/#ClientAliveInterval 60/ClientAliveInterval 60/g' /etc/ssh/sshd_config

  94.     if grep -q 'ClientAliveCountMax' /etc/ssh/sshd_config; then

  95.         sed -i 's/ClientAliveCountMax.*/ClientAliveCountMax 3/g' /etc/ssh/sshd_config

  96.     else

  97.         echo 'ClientAliveCountMax 3' >> /etc/ssh/sshd_config

  98.     fi

  99.     sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 3/g' /etc/ssh/sshd_config

  100.     if grep -q 'Ciphers' /etc/ssh/sshd_config; then

  101.         sed -i "s|Ciphers.*|Ciphers $SSH_CIPHERS|g" /etc/ssh/sshd_config

  102.     else

  103.         echo "Ciphers $SSH_CIPHERS" >> /etc/ssh/sshd_config

  104.     fi

  105.     sed -i "s|#Ciphers $SSH_CIPHERS|Ciphers $SSH_CIPHERS|g" /etc/ssh/sshd_config

  106.     if grep -q 'MACs' /etc/ssh/sshd_config; then

  107.         sed -i "s|MACs.*|MACs $SSH_MACS|g" /etc/ssh/sshd_config

  108.     else

  109.         echo "MACs $SSH_MACS" >> /etc/ssh/sshd_config

  110.     fi

  111.     sed -i "s|#MACs $SSH_MACS|MACs $SSH_MACS|g" /etc/ssh/sshd_config

  112.     if grep -q 'KexAlgorithms' /etc/ssh/sshd_config; then

  113.         sed -i "s|KexAlgorithms.*|KexAlgorithms $SSH_KEX|g" /etc/ssh/sshd_config

  114.     else

  115.         echo "KexAlgorithms $SSH_KEX" >> /etc/ssh/sshd_config

  116.     fi

  117.     sed -i "s|#KexAlgorithms $SSH_KEX|KexAlgorithms $SSH_KEX|g" /etc/ssh/sshd_config

  118.     if ! grep -q 'UsePrivilegeSeparation' /etc/ssh/sshd_config; then

  119.         echo 'UsePrivilegeSeparation sandbox' >> /etc/ssh/sshd_config

  120.     fi

  121.     sed -i 's|#UsePrivilegeSeparation .*|UsePrivilegeSeparation sandbox|g' /etc/ssh/sshd_config

  122.     sed -i 's|UsePrivilegeSeparation .*|UsePrivilegeSeparation sandbox|g' /etc/ssh/sshd_config

  123. 

  124.     apt-get -yq install vim-common

  125. 

  126.     function_check configure_firewall_for_ssh

  127.     configure_firewall_for_ssh

  128.     mark_completed $FUNCNAME

  129. }

  130. 

  131. # see https://stribika.github.io/2015/01/04/secure-secure-shell.html

  132. function ssh_remove_small_moduli {

  133.     awk '$5 > 2000' /etc/ssh/moduli > ~/moduli

  134.     mv ~/moduli /etc/ssh/moduli

  135. }

  136. 

  137. function configure_ssh_client {

  138.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  139.         return

  140.     fi

  141.     #sed -i 's/#   PasswordAuthentication.*/   PasswordAuthentication no/g' /etc/ssh/ssh_config

  142.     #sed -i 's/#   ChallengeResponseAuthentication.*/   ChallengeResponseAuthentication no/g' /etc/ssh/ssh_config

  143.     sed -i "s/#   HostKeyAlgorithms.*/   HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS/g" /etc/ssh/ssh_config

  144.     sed -i "s/#   Ciphers.*/   Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config

  145.     sed -i "s/#   MACs.*/   MACs $SSH_MACS/g" /etc/ssh/ssh_config

  146.     if ! grep -q "HostKeyAlgorithms" /etc/ssh/ssh_config; then

  147.         echo "   HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS" >> /etc/ssh/ssh_config

  148.     fi

  149.     sed -i "s/Ciphers.*/Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config

  150.     if ! grep -q "Ciphers " /etc/ssh/ssh_config; then

  151.         echo "   Ciphers $SSH_CIPHERS" >> /etc/ssh/ssh_config

  152.     fi

  153.     sed -i "s/MACs.*/MACs $SSH_MACS/g" /etc/ssh/ssh_config

  154.     if ! grep -q "MACs " /etc/ssh/ssh_config; then

  155.         echo "   MACs $SSH_MACS" >> /etc/ssh/ssh_config

  156.     fi

  157. 

  158.     # Create ssh keys

  159.     if [ ! -f ~/.ssh/id_ed25519 ]; then

  160.         ssh-keygen -t ed25519 -o -a 100

  161.     fi

  162.     #if [ ! -f ~/.ssh/id_rsa ]; then

  163.     #    ssh-keygen -t rsa -b 2048 -o -a 100

  164.     #fi

  165. 

  166.     function_check ssh_remove_small_moduli

  167.     ssh_remove_small_moduli

  168.     mark_completed $FUNCNAME

  169. }

  170. 

  171. function regenerate_ssh_keys {

  172.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  173.         return

  174.     fi

  175.     rm -f /etc/ssh/ssh_host_*

  176.     dpkg-reconfigure openssh-server

  177. 

  178.     function_check ssh_remove_small_moduli

  179.     ssh_remove_small_moduli

  180. 

  181.     systemctl restart ssh

  182.     mark_completed $FUNCNAME

  183. }

  184. 

  185. function configure_firewall_for_ssh {

  186.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  187.         return

  188.     fi

  189.     if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then

  190.         # docker does its own firewalling

  191.         return

  192.     fi

  193. 

  194.     firewall_add SSH ${SSH_PORT} tcp

  195.     mark_completed $FUNCNAME

  196. }

  197. 

  198. function get_ssh_server_key {

  199.     if [ -f /etc/ssh/ssh_host_rsa_key.pub ]; then

  200.         echo "RSA Md5:       $(ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub | awk -F ' ' '{print $2}')"

  201.         echo "RSA SHA256:    $(awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | sed 's|=||g')"

  202.     fi

  203.     if [ -f /etc/ssh/ssh_host_ed25519_key.pub ]; then

  204.         echo "ED25519 Md5:   $(ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub | awk -F ' ' '{print $2}')"

  205.         echo "ED25519 SHA256:$(awk '{print $2}' /etc/ssh/ssh_host_ed25519_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | sed 's|=||g')"

  206.     fi

  207. }

  208. 

  209. # NOTE: deliberately no exit 0