[package]
name = "hologram-openssh"
version = "1.6.0"
# Depends on the distribution's openssh package; every entry below only
# configures the sshd that package ships, it installs no binaries itself.
requires = ["openssh"]
description = "hologram: hardened OpenSSH server"
# Start sshd at boot. This is the wants-symlink that `systemctl enable`
# creates for a unit with WantedBy=multi-user.target, declared here so
# holo owns it instead of a one-off command.
[[symlink]]
target = "/usr/lib/systemd/system/sshd.service"
path = "/etc/systemd/system/multi-user.target.wants/sshd.service"
# Firewall rule consumed by hologram-ferm when it is installed: allow
# inbound TCP to the `ssh` service port (the symbolic name, normally 22).
# NOTE(review): this accepts from any source address; if the host is
# reachable from the internet consider restricting with `saddr` or
# adding a rate limit in front of it.
[[file]]
content = "proto tcp dport ssh ACCEPT;"
path = "/etc/ferm.d/incoming-ssh"
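# Extend the distribution's sshd_config with the recommendations from
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
# (minus hmac-ripemd160, which OpenSSH 7.6 removed).
#
# The holoscript presumably receives the stock sshd_config on stdin and
# writes the final file to stdout. The hardening directives are emitted
# BEFORE the stock file instead of being appended after it, because sshd
# uses the first value it obtains for each keyword: an uncommented value
# in the stock file would otherwise silently win, and directives appended
# after a trailing Match block would be scoped to that block or rejected
# outright (HostKey and KexAlgorithms are not allowed inside Match).
#
# Fix: the ed25519 HostKey path used to read ssh_host_ed22519_key (typo),
# so sshd could not load it and only the RSA host key was ever served.
# Ref: https://github.com/majewsky/system-configuration/issues/3
# Clients that already pinned the RSA key should keep working: the
# OpenSSH client prefers host-key algorithms it has a known key for, and
# UpdateHostKeys (where enabled) picks up the ed25519 key afterwards.
[[file]]
path = "/usr/share/holo/files/10-openssh/etc/ssh/sshd_config.holoscript"
mode = "0755"
content = """
#!/bin/sh
# hardened settings first: sshd keeps the first value it sees per keyword
cat <<-'EOF'
# custom settings (hologram-openssh)
# curve25519 preferred; group-exchange draws its groups from /etc/ssh/moduli,
# which the 10-openssh-filter-weak-moduli run-script prunes to >= 2048 bits.
# An explicit list also excludes newer defaults (e.g. the post-quantum hybrid
# added in OpenSSH 9.0); revisit when upgrading.
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# ignored with a deprecation warning since OpenSSH 7.4 dropped protocol 1
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
PasswordAuthentication no
# keyboard-interactive; newer releases spell this KbdInteractiveAuthentication
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
EOF
# then the distribution's configuration, passed through unchanged
cat
"""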
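# Drop Diffie-Hellman group-exchange moduli below 2048 bits. Field 5 of
# /etc/ssh/moduli is the modulus size; 2048-bit entries are listed as 2047,
# hence the > 2000 threshold.
#
# Fix: the rewrite used to go through the fixed path /tmp/ssh-moduli, which
# any local user can pre-create in the world-writable /tmp, either as a
# symlink that root's redirect then follows, or as a file they own that the
# final rename would carry into /etc/ssh with their ownership intact. The
# temporary file now lives next to the target, so its name is unpredictable,
# it is created by root with mode 0600, and the final mv is an atomic rename
# on the same filesystem (sshd never sees a half-written moduli file).
[[file]]
path = "/usr/share/holo/run-scripts/10-openssh-filter-weak-moduli.sh"
mode = "0755"
content = """
#!/bin/sh
# fail loudly on any error or unset variable instead of leaving a partial result
set -eu
moduli=/etc/ssh/moduli
tmp=$(mktemp "$moduli.XXXXXX")
# remove the temp file if anything below fails (no-op after a successful mv)
trap 'rm -f "$tmp"' EXIT
awk '$5 > 2000' "$moduli" > "$tmp"
# mktemp creates 0600; the shipped moduli file is world-readable, keep it so
chmod 0644 "$tmp"
mv "$tmp" "$moduli"
"""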
# Refuse the weak host-key types (SSH1 RSA, DSA, NIST-curve ECDSA) by
# occupying their conventional paths with a symlink that points at itself.
# Opening such a link fails with ELOOP, for reading as well as for
# creation, so neither sshd nor host-key generation can use the path.
# sshd_config above already lists only the ed25519 and RSA keys; these
# entries are defence in depth in case a stock config names them again.
[[symlink]]
target = "ssh_host_key"
path = "/etc/ssh/ssh_host_key"
[[symlink]]
target = "ssh_host_key.pub"
path = "/etc/ssh/ssh_host_key.pub"
[[symlink]]
target = "ssh_host_dsa_key"
path = "/etc/ssh/ssh_host_dsa_key"
[[symlink]]
target = "ssh_host_dsa_key.pub"
path = "/etc/ssh/ssh_host_dsa_key.pub"
[[symlink]]
target = "ssh_host_ecdsa_key"
path = "/etc/ssh/ssh_host_ecdsa_key"
[[symlink]]
target = "ssh_host_ecdsa_key.pub"
path = "/etc/ssh/ssh_host_ecdsa_key.pub"