parent
35f70d9793
commit
caa13347f7
@ -0,0 +1,21 @@ |
|||||||
|
<?php |
||||||
|
|
||||||
|
namespace utils; |
||||||
|
|
||||||
|
class keygen { |
||||||
|
|
||||||
|
public static function ed25519(string $file, string $pwd = "", string $comment = "") { |
||||||
|
exec(\neato::get_user_bin . 'ssh-keygen -t ed25519 -f ' . safe_cmd($file) . ' -N \'' . safe_cmd($pwd) . '\' -C \'' . safe_cmd($comment) . '\'', $output, $exit_code); |
||||||
|
display($output); |
||||||
|
check_for_error($exit_code, "Unable to run ssh-keygen command: {$file}"); |
||||||
|
return $exit_code; |
||||||
|
} |
||||||
|
|
||||||
|
public static function rsa($file, int $size = 4096, string $pwd = "", string $comment = "") { |
||||||
|
exec(\neato::get_user_bin . 'ssh-keygen -t rsa -b '. safe_cmd($size) .' -f ' . safe_cmd($file) . ' -N \'' . safe_cmd($pwd) . '\' -C \'' . safe_cmd($comment) . '\'', $output, $exit_code); |
||||||
|
display($output); |
||||||
|
check_for_error($exit_code, "Unable to run ssh-keygen command: {$file}"); |
||||||
|
return $exit_code; |
||||||
|
} |
||||||
|
|
||||||
|
} |
||||||
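Review bot: Both `exec` calls (the `-N '…'` argument on lines 29 and 50) put the key passphrase on ssh-keygen's command line, where it is visible to every local user through the process list while the command runs; that is harmless for the empty-passphrase host-key use in this commit, but it makes `$pwd` unsafe for any real secret. ssh-keygen offers no non-interactive passphrase channel other than argv, so I would state the limitation in a class docblock, e.g. `// NOTE: $pwd is exposed on the process command line; only use for unencrypted keys`, or drop the `$pwd` parameter altogether. The quoting also nests `safe_cmd()` inside literal single quotes; if `safe_cmd` is an `escapeshellarg()`-style wrapper the value ends up double-quoted and a passphrase or comment containing a quote breaks the command — cannot tell from here. Minor: `rsa()` leaves `$file` untyped while `ed25519()` declares `string $file`, and neither declares a return type; `: int` would match the `return $exit_code`.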
@ -0,0 +1,37 @@ |
|||||||
|
<?php |
||||||
|
|
||||||
|
force_normal(); |
||||||
|
|
||||||
|
$host = "Host * |
||||||
|
Protocol 2 |
||||||
|
HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
||||||
|
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512 |
||||||
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
||||||
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 |
||||||
|
StrictHostKeyChecking ask |
||||||
|
VerifyHostKeyDNS ask |
||||||
|
User root |
||||||
|
Port 22 |
||||||
|
ServerAliveInterval 300 |
||||||
|
ServerAliveCountMax 3 |
||||||
|
ForwardAgent no |
||||||
|
ForwardX11 no |
||||||
|
ForwardX11Trusted no |
||||||
|
PermitLocalCommand no |
||||||
|
HashKnownHosts yes |
||||||
|
TCPKeepAlive yes |
||||||
|
SendEnv LANG LC_*"; |
||||||
|
|
||||||
|
$home = ($_SERVER['HOME']) ?? false; |
||||||
|
if ($home === false) { |
||||||
|
echo "Unknown home path!"; |
||||||
|
exit(1); |
||||||
|
} |
||||||
|
|
||||||
|
if (! file_exists("$home/.ssh/config")) { |
||||||
|
append_to_file("$home/.ssh/config", $host); |
||||||
|
chmod_file_or_dir("$home/.ssh/config", "config"); |
||||||
|
} else { |
||||||
|
echo "$home/.ssh/config exists! \r\n"; |
||||||
|
echo $host; |
||||||
|
} |
||||||
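Review bot: `User root` under `Host *` (line 109) makes every outbound `ssh host` attempt a root login by default, which is the opposite of the server-side hardening in this same commit (`PermitRootLogin no`) and will produce confusing authentication failures against such hosts; it belongs in a per-host `Host` block or should be removed. `HostKeyAlgorithms` (line 91) still ends with `ssh-rsa`, the SHA-1-signed variant that OpenSSH 8.8+ disables by default; `rsa-sha2-512,rsa-sha2-256` already cover RSA host keys, so `ssh-rsa` can be dropped. Also `$home = ($_SERVER['HOME']) ?? false;` (line 145) treats an empty `HOME` as valid and then writes to `/.ssh/config`; `$home = $_SERVER['HOME'] ?? '';` followed by `if ($home === '')` catches both the unset and the empty case.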
@ -0,0 +1,173 @@ |
|||||||
|
<?php |
||||||
|
|
||||||
|
$AllowUsers = "bobs"; |
||||||
|
$PortNumber = "2299"; |
||||||
|
$usePAM = "no"; |
||||||
|
|
||||||
|
force_root(); |
||||||
|
run_once(); |
||||||
|
|
||||||
|
if (file_exists("/etc/ssh/ssh_host_rsa_key")) { |
||||||
|
cp("/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_rsa_key_backup"); |
||||||
|
rm("/etc/ssh/ssh_host_rsa_key"); |
||||||
|
} |
||||||
|
if (file_exists("/etc/ssh/ssh_host_ed25519_key")) { |
||||||
|
cp("/etc/ssh/ssh_host_ed25519_key", "/etc/ssh/ssh_host_ed25519_key_backup"); |
||||||
|
rm("/etc/ssh/ssh_host_ed25519_key"); |
||||||
|
} |
||||||
|
|
||||||
|
do_command('keygen::rsa', "/etc/ssh/ssh_host_rsa_key"); |
||||||
|
do_command('keygen::ed25519', "/etc/ssh/ssh_host_ed25519_key"); |
||||||
|
|
||||||
|
$sshd = "Protocol 2 |
||||||
|
Port $PortNumber |
||||||
|
#AddressFamily inet |
||||||
|
#ListenAddress :: |
||||||
|
#ListenAddress 0.0.0.0 |
||||||
|
|
||||||
|
HostKey /etc/ssh/ssh_host_rsa_key |
||||||
|
HostKey /etc/ssh/ssh_host_ed25519_key |
||||||
|
#TrustedUserCAKeys |
||||||
|
#HostCertificate |
||||||
|
|
||||||
|
# Ciphers and keying |
||||||
|
HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
||||||
|
PubkeyAcceptedKeyTypes sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
||||||
|
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512 |
||||||
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
||||||
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 |
||||||
|
RekeyLimit default none |
||||||
|
|
||||||
|
# Logging |
||||||
|
SyslogFacility AUTH |
||||||
|
LogLevel INFO |
||||||
|
|
||||||
|
# Authentication: |
||||||
|
LoginGraceTime 2m |
||||||
|
PermitRootLogin no |
||||||
|
AllowUsers $AllowUsers |
||||||
|
StrictModes yes |
||||||
|
MaxAuthTries 6 |
||||||
|
MaxSessions 10 |
||||||
|
|
||||||
|
PubkeyAuthentication yes |
||||||
|
AuthorizedKeysFile %h/.ssh/authorized_keys |
||||||
|
|
||||||
|
AuthorizedPrincipalsFile none |
||||||
|
|
||||||
|
#AuthorizedKeysCommand none |
||||||
|
#AuthorizedKeysCommandUser nobody |
||||||
|
|
||||||
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts |
||||||
|
HostbasedAuthentication no |
||||||
|
IgnoreUserKnownHosts no |
||||||
|
# Don't read the user's ~/.rhosts and ~/.shosts files |
||||||
|
IgnoreRhosts yes |
||||||
|
|
||||||
|
# To disable tunneled clear text passwords, change to no here! |
||||||
|
PasswordAuthentication no |
||||||
|
PermitEmptyPasswords no |
||||||
|
|
||||||
|
# Change to yes to enable challenge-response passwords (beware issues with |
||||||
|
# some PAM modules and threads) |
||||||
|
ChallengeResponseAuthentication no |
||||||
|
AuthenticationMethods publickey,keyboard-interactive:pam |
||||||
|
|
||||||
|
# Kerberos options |
||||||
|
KerberosAuthentication no |
||||||
|
KerberosOrLocalPasswd yes |
||||||
|
KerberosTicketCleanup yes |
||||||
|
KerberosGetAFSToken no |
||||||
|
|
||||||
|
# GSSAPI options |
||||||
|
GSSAPIAuthentication no |
||||||
|
GSSAPICleanupCredentials yes |
||||||
|
GSSAPIStrictAcceptorCheck yes |
||||||
|
GSSAPIKeyExchange no |
||||||
|
|
||||||
|
# Set this to 'yes' to enable PAM authentication, account processing, |
||||||
|
# and session processing. If this is enabled, PAM authentication will |
||||||
|
# be allowed through the ChallengeResponseAuthentication and |
||||||
|
# PasswordAuthentication. Depending on your PAM configuration, |
||||||
|
# PAM authentication via ChallengeResponseAuthentication may bypass |
||||||
|
# the setting of \"PermitRootLogin without-password\". |
||||||
|
# If you just want the PAM account and session checks to run without |
||||||
|
# PAM authentication, then enable this but set PasswordAuthentication |
||||||
|
# and ChallengeResponseAuthentication to 'no'. |
||||||
|
UsePAM $usePAM |
||||||
|
|
||||||
|
AllowAgentForwarding no |
||||||
|
AllowTcpForwarding no |
||||||
|
GatewayPorts no |
||||||
|
X11Forwarding no |
||||||
|
X11DisplayOffset 10 |
||||||
|
X11UseLocalhost no |
||||||
|
PermitTTY yes |
||||||
|
PrintMotd no |
||||||
|
PrintLastLog yes |
||||||
|
TCPKeepAlive yes |
||||||
|
PermitUserEnvironment no |
||||||
|
Compression yes |
||||||
|
ClientAliveInterval 0 |
||||||
|
ClientAliveCountMax 3 |
||||||
|
UseDNS no |
||||||
|
PidFile /var/run/sshd.pid |
||||||
|
MaxStartups 10:30:100 |
||||||
|
PermitTunnel no |
||||||
|
ChrootDirectory none |
||||||
|
VersionAddendum none |
||||||
|
|
||||||
|
DebianBanner no |
||||||
|
Banner /etc/notice.txt |
||||||
|
|
||||||
|
# Allow client to pass locale environment variables |
||||||
|
AcceptEnv LANG LC_* |
||||||
|
|
||||||
|
# override default of no subsystems |
||||||
|
Subsystem sftp /bin/sh -c 'umask 0002; /usr/lib/openssh/sftp-server' |
||||||
|
|
||||||
|
# Example of overriding settings on a per-user basis |
||||||
|
#Match User anoncvs |
||||||
|
# X11Forwarding no |
||||||
|
# AllowTcpForwarding no |
||||||
|
# PermitTTY no |
||||||
|
# ForceCommand cvs server |
||||||
|
# Include /etc/ssh/sshd_config_cvs.d/*.conf"; |
||||||
|
|
||||||
|
if (file_exists("/etc/ssh/sshd_config")) { |
||||||
|
mv("/etc/ssh/sshd_config", "/etc/ssh/sshd_config.old"); |
||||||
|
} |
||||||
|
|
||||||
|
append_to_file("/etc/ssh/sshd_config", $sshd); |
||||||
|
chmod_file_or_dir("/etc/ssh/sshd_config", "config"); |
||||||
|
|
||||||
|
$banner = "*************************************************************************** |
||||||
|
NOTICE TO USERS |
||||||
|
|
||||||
|
|
||||||
|
This computer system is the private property of its owner, whether |
||||||
|
individual, corporate or government. It is for authorized use only. |
||||||
|
Users (authorized or unauthorized) have no explicit or implicit |
||||||
|
expectation of privacy. |
||||||
|
|
||||||
|
Any or all uses of this system and all files on this system may be |
||||||
|
intercepted, monitored, recorded, copied, audited, inspected, and |
||||||
|
disclosed to your employer, to authorized site, government, and law |
||||||
|
enforcement personnel, as well as authorized officials of government |
||||||
|
agencies, both domestic and foreign. |
||||||
|
|
||||||
|
By using this system, the user consents to such interception, monitoring, |
||||||
|
recording, copying, auditing, inspection, and disclosure at the |
||||||
|
discretion of such personnel or officials. Unauthorized or improper use |
||||||
|
of this system may result in civil and criminal penalties and |
||||||
|
administrative or disciplinary action, as appropriate. By continuing to |
||||||
|
use this system you indicate your awareness of and consent to these terms |
||||||
|
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the |
||||||
|
conditions stated in this warning. |
||||||
|
|
||||||
|
****************************************************************************"; |
||||||
|
|
||||||
|
if (! file_exists("/etc/notice.txt")) { |
||||||
|
append_to_file("/etc/notice.txt", $banner); |
||||||
|
chmod_file_or_dir("/etc/notice.txt", "normal"); |
||||||
|
} |
||||||
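Review bot: `AuthenticationMethods publickey,keyboard-interactive:pam` (line 405) cannot be satisfied with `UsePAM no` (via `$usePAM`, line 474) and `ChallengeResponseAuthentication no` (line 402): the PAM keyboard-interactive method is disabled, so sshd either rejects the method list at startup or no client can ever complete the required second step, and because the script has already deleted the host keys and replaced `/etc/ssh/sshd_config` this locks every user out of the box. Either reduce it to `AuthenticationMethods publickey`, or, if PAM-based second-factor login is intended, set `UsePAM yes` and `ChallengeResponseAuthentication yes`. Before the new config goes live the script should also validate it by running `sshd -t -f /etc/ssh/sshd_config` through whatever exec helper the project uses, restoring `sshd_config.old` on failure. Also, `HostKeyAlgorithms`/`PubkeyAcceptedKeyTypes` (lines 285, 288) still list `ssh-rsa` (SHA-1 signatures), which the `rsa-sha2-*` entries already supersede, and the `_backup` copies of the old private host keys (lines 216, 228) stay in `/etc/ssh` with whatever mode `cp` gives them — confirm they are not group- or world-readable.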