neatoDeploy/deploy_files/deploy_sshd.php

<?php
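// Command-line options for this deploy step. Every value ends up interpolated
// verbatim into /etc/ssh/sshd_config further down, so they are validated here,
// at the boundary, instead of trusting the caller.
$options = cGetOpt(["port","users","pam","inet","rekey"]);
$port = $options['port'] ?? null;
$users = $options['users'] ?? null;
$pam = $options['pam'] ?? null;
$inet = $options['inet'] ?? null;
$rekey = $options['rekey'] ?? "no";
// A line break (or any other control character) inside an option value would
// smuggle extra directives into the generated sshd_config; reject it outright.
foreach (['port' => $port, 'users' => $users, 'pam' => $pam, 'inet' => $inet, 'rekey' => $rekey] as $optionName => $optionValue) {
    if ($optionValue !== null && preg_match('/[\x00-\x1F\x7F]/', (string) $optionValue) === 1) {
        throw new InvalidArgumentException("--{$optionName} must not contain control characters");
    }
}
$AllowUsers = $users ?? "bobs";
$PortNumber = $port ?? "2299";
// sshd only accepts a TCP port in 1..65535; failing here beats writing a config
// sshd will refuse to load.
if (! ctype_digit((string) $PortNumber) || (int) $PortNumber < 1 || (int) $PortNumber > 65535) {
    throw new InvalidArgumentException("--port must be an integer between 1 and 65535, got '{$PortNumber}'");
}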
/**
 * The two literal values the sshd `UsePAM` directive accepts.
 *
 * The backing value is what gets written into sshd_config.
 */
enum PAM: string
{
    case yes = 'yes';
    case no = 'no';

    /**
     * Text form of this case, as it appears after `UsePAM` in sshd_config.
     */
    public function getValue(): string
    {
        return $this->value;
    }
}
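// Resolve --pam through the enum so only "yes"/"no" can reach the UsePAM line;
// PAM::from() throws a ValueError for anything else instead of passing it on.
$usePAM = ($pam === null ? PAM::no : PAM::from((string) $pam))->getValue(); // yes or no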
/**
 * Address families accepted by the sshd `AddressFamily` directive.
 *
 * The backing value ("inet", "inet6" or "any") is the literal text written
 * into sshd_config.
 */
enum INet: string
{
    case IPv4 = 'inet';
    case IPv6 = 'inet6';
    case any = 'any';

    /**
     * Text form of this case, as it appears after `AddressFamily` in sshd_config.
     */
    public function getValue(): string
    {
        return $this->value;
    }
}
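// Resolve --inet through the enum so only "inet", "inet6" or "any" can reach
// the AddressFamily line; INet::from() throws a ValueError for anything else.
$allowedInet = ($inet === null ? INet::any : INet::from((string) $inet))->getValue(); // any, inet, or inet6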
force_root();
runOnce();
// Host-key rotation is opt-in via --rekey=yes. Each existing private key is
// copied to a *_backup file next to it before being removed and regenerated.
// NOTE(review): whether cp() keeps the private key's restrictive mode on the
// backup is not visible here — confirm, since a readable backup leaks the
// retired host key. Rotating also invalidates every client's known_hosts entry.
if ($rekey == "yes") {
    foreach (['rsa', 'ed25519'] as $keyType) {
        $keyPath = "/etc/ssh/ssh_host_{$keyType}_key";
        if (file_exists($keyPath)) {
            cp($keyPath, "{$keyPath}_backup");
            rm($keyPath);
        }
    }
    doCommand('keygen::rsa', "/etc/ssh/ssh_host_rsa_key");
    doCommand('keygen::ed25519', "/etc/ssh/ssh_host_ed25519_key");
}
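// sshd_config(5) requires every method named in AuthenticationMethods to also
// be enabled. "keyboard-interactive:pam" needs UsePAM yes *and* the
// keyboard-interactive method (ChallengeResponseAuthentication) switched on;
// the original file hard-coded that list next to ChallengeResponseAuthentication no
// and a UsePAM default of no, leaving sshd no usable method list at all.
// Derive both lines from $usePAM so the generated file is self-consistent:
// public key followed by a PAM prompt when PAM is on, public key only otherwise.
// NOTE(review): if PAM is wanted only for account/session checks (see the
// comment block above UsePAM below), force $authMethods back to "publickey".
$kbdInteractive = $usePAM === "yes" ? "yes" : "no";
$authMethods = $usePAM === "yes" ? "publickey,keyboard-interactive:pam" : "publickey";
// NOTE(review): "ssh-rsa" in HostKeyAlgorithms / PubkeyAcceptedKeyTypes is the
// SHA-1 signature scheme, which OpenSSH 8.8+ disables by default; keep it only
// while clients that cannot do rsa-sha2-* still need access.
// NOTE(review): UsePrivilegeSeparation is deprecated (OpenSSH 7.5+ accepts it
// with a warning) and DebianBanner exists only in Debian/Ubuntu-patched sshd —
// a stock sshd treats an unknown option as a fatal config error, so confirm the
// target distribution before relying on this file.
$sshd = <<<SSHD
Protocol 2
Port $PortNumber
AddressFamily $allowedInet
#ListenAddress ::
#ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#TrustedUserCAKeys
#HostCertificate
# Ciphers and keying
HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
PubkeyAcceptedKeyTypes sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
RekeyLimit default none
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 2m
PermitRootLogin no
AllowUsers $AllowUsers
#AllowGroups ssh_users
#DenyGroups
StrictModes yes
MaxAuthTries 6
MaxSessions 10
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
HostbasedAuthentication no
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication $kbdInteractive
AuthenticationMethods $authMethods
# Kerberos options
KerberosAuthentication no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken no
# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM $usePAM
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost no
PermitTTY yes
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
PermitUserEnvironment no
Compression yes
ClientAliveInterval 0
ClientAliveCountMax 3
UseDNS no
PidFile /var/run/sshd.pid
MaxStartups 10:30:100
PermitTunnel no
ChrootDirectory none
VersionAddendum none
DebianBanner no
Banner /etc/notice.txt
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /bin/sh -c 'umask 0002; /usr/lib/openssh/sftp-server'
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
# Include /etc/ssh/sshd_config_cvs.d/*.conf
SSHD;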
$sshdConfigPath = "/etc/ssh/sshd_config";
// The previous config is moved aside as .old so a bad generated file can be
// rolled back by hand. NOTE(review): nothing here runs `sshd -t` on the new
// file before it replaces the live one, and mv()'s result is not checked — if
// the move fails, append_to_file() would add a second copy of every directive
// to the existing config. Confirm what the helpers do on failure.
if (file_exists($sshdConfigPath)) {
    mv($sshdConfigPath, "{$sshdConfigPath}.old");
}
append_to_file($sshdConfigPath, $sshd);
chmod_file_or_dir($sshdConfigPath, "config");
// Pre-authentication legal notice shown by sshd (Banner /etc/notice.txt).
// Nowdoc: nothing in the text is interpolated or escaped.
$banner = <<<'BANNER'
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
****************************************************************************
BANNER;
$noticePath = "/etc/notice.txt";
// Written only once: an existing notice (possibly customised on the host) is
// left untouched, so a changed $banner above does not propagate to such hosts.
if (file_exists($noticePath) === false) {
    append_to_file($noticePath, $banner);
    chmod_file_or_dir($noticePath, "normal");
}