sshd

2 years ago · caa13347f7
parent 35f70d9793
commit caa13347f7
5 changed files with 237 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -9,4 +9,6 @@ on the server: $ ./neato_deploy.tar.gz.self
 $ rm neato_deploy.tar.gz.self
 $ rm install_neato.sh

-## Run $ neato_deploy.sh http://site.com/deployment.txt
+## Run neato_deploy
+$ cd /opt/neatoDemployments
+$ ./neato_deploy.sh http://site.com/deployment.txt
--- a/app/utils/keygen.php
+++ b/app/utils/keygen.php
@ -0,0 +1,21 @@
+<?php
+
+namespace utils;
+
+class keygen {
+    
+  public static function ed25519(string $file, string $pwd = "", string $comment = "") {
+    exec(\neato::get_user_bin . 'ssh-keygen -t ed25519 -f ' . safe_cmd($file) . ' -N \'' . safe_cmd($pwd) . '\' -C \'' . safe_cmd($comment) . '\'', $output, $exit_code);
+    display($output);
+    check_for_error($exit_code, "Unable to run ssh-keygen command: {$file}");
+    return $exit_code;
+  }
+
+ public static function rsa($file, int $size = 4096, string $pwd = "", string $comment = "") {
+    exec(\neato::get_user_bin . 'ssh-keygen -t rsa -b '. safe_cmd($size) .' -f ' . safe_cmd($file) . ' -N \'' . safe_cmd($pwd) . '\' -C \'' . safe_cmd($comment) . '\'', $output, $exit_code);
+    display($output);
+    check_for_error($exit_code, "Unable to run ssh-keygen command: {$file}");
+    return $exit_code;
+  }
+  
+}
--- a/config_files/deploy_ssh_client.php
+++ b/config_files/deploy_ssh_client.php
@ -0,0 +1,37 @@
+<?php
+
+force_normal();
+
+$host = "Host *
+    Protocol 2
+    HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
+    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+    StrictHostKeyChecking ask
+    VerifyHostKeyDNS ask
+    User root
+    Port 22
+    ServerAliveInterval 300
+    ServerAliveCountMax 3
+    ForwardAgent no
+    ForwardX11 no
+    ForwardX11Trusted no
+    PermitLocalCommand no
+    HashKnownHosts yes
+    TCPKeepAlive yes
+    SendEnv LANG LC_*";
+
+$home = ($_SERVER['HOME']) ?? false;
+if ($home === false) {
+    echo "Unknown home path!";
+    exit(1);
+}
+
+if (! file_exists("$home/.ssh/config")) {
+    append_to_file("$home/.ssh/config", $host);
+    chmod_file_or_dir("$home/.ssh/config", "config");
+} else {
+    echo "$home/.ssh/config exists! \r\n";
+    echo $host;
+}
--- a/config_files/deploy_sshd.php
+++ b/config_files/deploy_sshd.php
@ -0,0 +1,173 @@
+<?php
+
+$AllowUsers = "bobs";
+$PortNumber = "2299";
+$usePAM = "no";
+
+force_root();
+run_once();
+
+if (file_exists("/etc/ssh/ssh_host_rsa_key")) {
+    cp("/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_rsa_key_backup");
+    rm("/etc/ssh/ssh_host_rsa_key");
+}
+if (file_exists("/etc/ssh/ssh_host_ed25519_key")) {
+    cp("/etc/ssh/ssh_host_ed25519_key", "/etc/ssh/ssh_host_ed25519_key_backup");
+    rm("/etc/ssh/ssh_host_ed25519_key");
+}
+
+do_command('keygen::rsa', "/etc/ssh/ssh_host_rsa_key");
+do_command('keygen::ed25519', "/etc/ssh/ssh_host_ed25519_key");
+
+$sshd = "Protocol 2    
+Port $PortNumber
+#AddressFamily inet
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#TrustedUserCAKeys
+#HostCertificate
+
+# Ciphers and keying
+HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+PubkeyAcceptedKeyTypes sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+RekeyLimit default none
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 2m
+PermitRootLogin no
+AllowUsers $AllowUsers
+StrictModes yes
+MaxAuthTries 6
+MaxSessions 10
+
+PubkeyAuthentication yes
+AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+HostbasedAuthentication no
+IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey,keyboard-interactive:pam
+
+# Kerberos options
+KerberosAuthentication no
+KerberosOrLocalPasswd yes
+KerberosTicketCleanup yes
+KerberosGetAFSToken no
+
+# GSSAPI options
+GSSAPIAuthentication no
+GSSAPICleanupCredentials yes
+GSSAPIStrictAcceptorCheck yes
+GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of \"PermitRootLogin without-password\".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM $usePAM
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+X11DisplayOffset 10
+X11UseLocalhost no
+PermitTTY yes
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+PermitUserEnvironment no
+Compression yes
+ClientAliveInterval 0
+ClientAliveCountMax 3
+UseDNS no
+PidFile /var/run/sshd.pid
+MaxStartups 10:30:100
+PermitTunnel no
+ChrootDirectory none
+VersionAddendum none
+
+DebianBanner no
+Banner /etc/notice.txt
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /bin/sh -c 'umask 0002; /usr/lib/openssh/sftp-server'
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+#       Include /etc/ssh/sshd_config_cvs.d/*.conf";
+
+if (file_exists("/etc/ssh/sshd_config")) {
+    mv("/etc/ssh/sshd_config", "/etc/ssh/sshd_config.old");
+}
+
+append_to_file("/etc/ssh/sshd_config", $sshd);
+chmod_file_or_dir("/etc/ssh/sshd_config", "config");
+
+$banner = "***************************************************************************
+NOTICE TO USERS
+
+
+This computer system is the private property of its owner, whether
+individual, corporate or government.  It is for authorized use only.
+Users (authorized or unauthorized) have no explicit or implicit
+expectation of privacy.
+
+Any or all uses of this system and all files on this system may be
+intercepted, monitored, recorded, copied, audited, inspected, and
+disclosed to your employer, to authorized site, government, and law
+enforcement personnel, as well as authorized officials of government
+agencies, both domestic and foreign.
+
+By using this system, the user consents to such interception, monitoring,
+recording, copying, auditing, inspection, and disclosure at the
+discretion of such personnel or officials.  Unauthorized or improper use
+of this system may result in civil and criminal penalties and
+administrative or disciplinary action, as appropriate. By continuing to
+use this system you indicate your awareness of and consent to these terms
+and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
+conditions stated in this warning.
+
+****************************************************************************";
+
+if (! file_exists("/etc/notice.txt")) {
+    append_to_file("/etc/notice.txt", $banner);
+    chmod_file_or_dir("/etc/notice.txt", "normal");
+}
--- a/templates/Ubuntu/ssh/sshd_config
+++ b/templates/Ubuntu/ssh/sshd_config
@ -9,8 +9,8 @@ Port 2299
 Protocol 2
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
@ -75,7 +75,7 @@ PermitTunnel no

 #MaxStartups 10:30:60
 DebianBanner no
-Banner /etc/issue.net
+Banner /etc/notice.txt

 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*