#!/bin/bash
# Usage and argument parsing {{{
usage() {
  # Print this script's command-line help to stdout. The text is emitted by a
  # single here-document; $0 is expanded so the invoked script name appears.
  cat <<EOF
usage: $0 [options]

OPTIONS
 -h Show this help message
 -d Dry run - echo what we want to do, but don't do it

EOF
}
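# DRY_RUN is read by runcmd: 1 means "print the command, do not execute it".
DRY_RUN=0
# Only -h and -d are accepted; neither takes an argument. A bad flag prints
# the help to stderr (it is a diagnostic, not normal output) and exits 1.
while getopts 'hd' option; do
  case "$option" in
    h)
      usage
      exit 1
      ;;
    d)
      DRY_RUN=1
      ;;
    *)
      # getopts sets '?' for unknown flags; '*' is the conventional catch-all
      # and does not depend on the value being a single character.
      usage >&2
      exit 1
      ;;
  esac
done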
# }}}
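#######################################
# Echo a command line prefixed with "+++", then run it unless in dry-run mode.
# Globals:   DRY_RUN (read) - non-zero means print only
# Arguments: the command and its arguments, as separate words
# Outputs:   the "+++ ..." line on stdout, then whatever the command prints
# Returns:   the command's exit status; 0 in dry-run mode (nothing is run)
# Note:      redirections written by the caller still apply in dry-run mode,
#            so a call like `runcmd cmd > file` will clobber `file` either way.
#######################################
runcmd() { # {{{
  # printf rather than echo: an argument such as "-n" must not be eaten.
  printf '+++ %s\n' "$*"
  if [ "$DRY_RUN" -eq 0 ]; then
    # Run "$@" directly; the old `cmd="$1"; shift; $cmd "$@"` leaked a global
    # and word-split the command name.
    "$@"
  fi
} # }}}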
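# Try to find config files {{{
# Candidate locations, checked in order; the first existing regular file wins.
SSHD_CONFIG_POSSIBILITIES=(
  '/etc/ssh/sshd_config'
  '/etc/sshd_config'
)
SSH_CONFIG_POSSIBILITIES=(
  '/etc/ssh/ssh_config'
  '/etc/ssh_config'
)
# Empty string means "not found"; the sshd fix-up below keys off this.
SSHD_CONFIG=''
SSH_CONFIG=''
# "${arr[@]}" keeps each path as one word; the earlier unquoted ${arr[*]}
# would word-split and glob a path containing spaces or wildcards.
for file in "${SSHD_CONFIG_POSSIBILITIES[@]}"; do
  if [ -f "$file" ]; then
    echo "--- Found SSHD_CONFIG at ${file}"
    SSHD_CONFIG="$file"
    break
  fi
done
for file in "${SSH_CONFIG_POSSIBILITIES[@]}"; do
  if [ -f "$file" ]; then
    echo "--- Found SSH_CONFIG at ${file}"
    SSH_CONFIG="$file"
    break
  fi
done
# }}}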
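# Fix sshd config if we found it {{{
#######################################
# Set one sshd_config directive to a fixed value.
# Rewrites an existing "KEYWORD ..." line in place; when the keyword is absent
# the line "KEYWORD VALUE" is inserted near the top of the file, one line
# further down for each insertion so inserted directives keep their order.
# Globals:   SSHD_CONFIG (read), lines_inserted (read/written), DRY_RUN via runcmd
# Arguments: $1 - keyword, a plain word (no regex metacharacters)
#            $2 - value; must not contain '/', '&' or '\' since it is spliced
#                 into a sed 's///' replacement
# Returns:   status of the sed call
#######################################
set_directive() {
  local keyword="$1" value="$2"
  if grep -q "^\s*${keyword}\s\+" "$SSHD_CONFIG"; then
    runcmd sed -i "s/^\(\s*\)${keyword}\s\+.*\$/\1${keyword} ${value}/" "$SSHD_CONFIG"
  else
    lines_inserted=$((lines_inserted + 1))
    runcmd sed -i "${lines_inserted}i${keyword} ${value}" "$SSHD_CONFIG"
  fi
}

if [ "$SSHD_CONFIG" != '' ]; then
  SSHD_CONFIG_DIR="$(dirname "$SSHD_CONFIG")"
  # Count of lines inserted at the top of the file so far (see set_directive).
  lines_inserted=0

  # Fix key exchange algorithm settings if needed
  set_directive KexAlgorithms 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'

  # If the moduli file exists, get rid of any primes less than 2000 bits
  # (field 5 of a moduli line is the size in bits).
  MODULI="${SSHD_CONFIG_DIR}/moduli"
  if [ -f "$MODULI" ]; then
    printf "+++ awk '\$5 > 2000' %s (in place)\n" "$MODULI"
    if [ "$DRY_RUN" -eq 0 ]; then
      # Filter into a temp file and copy back only after awk has finished.
      # The previous `runcmd awk ... > >(cat <(sleep 1) - > "$MODULI")` hack
      # truncated the file as soon as the subshell set up its redirection
      # (racing awk's read), wrote runcmd's own "+++ awk ..." echo line into
      # the moduli file, and in dry-run mode replaced the file with that
      # single echo line.
      moduli_tmp="$(mktemp)" || exit 1
      if awk '$5 > 2000' "$MODULI" > "$moduli_tmp"; then
        cat "$moduli_tmp" > "$MODULI"   # cat, not mv: keeps the file's mode and owner
      fi
      rm -f "$moduli_tmp"
    fi
  else
    runcmd touch "$MODULI"
  fi

  # If there's nothing left in the moduli file (or it didn't exist at all), we should populate it.
  # wc -c instead of GNU-only `stat --printf`; a missing file (dry run skipped
  # the touch) counts as size 0 instead of breaking the numeric test.
  moduli_size=0
  if [ -f "$MODULI" ]; then
    moduli_size=$(( $(wc -c < "$MODULI") ))
  fi
  if [ "$moduli_size" -lt 10 ]; then
    runcmd rm -f "$MODULI"
    echo "+++ ssh-keygen -q -G /dev/stdout -b 4096 | ssh-keygen -T ${MODULI}"
    if [ "$DRY_RUN" -eq 0 ]; then
      # Run this outside runcmd: the <(...) process substitution is expanded
      # by the shell before runcmd sees it, so a dry run would still spend
      # minutes generating candidate primes. -G generates candidates, -T
      # screens them; anything -G says on stderr is relayed with a ">>>" prefix.
      ssh-keygen -T "$MODULI" -f <(ssh-keygen -q -G /dev/stdout -b 4096 2> >(while IFS= read -r line; do printf '>>> %s\n' "$line" >&2; done))
    fi
  fi

  # Force v2 protocol
  set_directive Protocol '2'

  # Get rid of DSA and ECDSA keys; create RSA and Ed25519 if they don't exist
  runcmd sed -i '/^\s*HostKey/d' "$SSHD_CONFIG"
  lines_inserted=$((lines_inserted + 1))
  runcmd sed -i "${lines_inserted}iHostKey ${SSHD_CONFIG_DIR}/ssh_host_ed25519_key" "$SSHD_CONFIG"
  lines_inserted=$((lines_inserted + 1))
  runcmd sed -i "${lines_inserted}iHostKey ${SSHD_CONFIG_DIR}/ssh_host_rsa_key" "$SSHD_CONFIG"
  # Brace expansion is not performed inside double quotes, so the previous
  # "${SSHD_CONFIG_DIR}/ssh_host_dsa_key{,.pub}" form removed a literal file
  # of that name and left the real DSA/ECDSA key pairs in place.
  for old_key in ssh_host_key ssh_host_dsa_key ssh_host_ecdsa_key; do
    runcmd rm -f "${SSHD_CONFIG_DIR}/${old_key}" "${SSHD_CONFIG_DIR}/${old_key}.pub"
  done
  if [ ! -f "${SSHD_CONFIG_DIR}/ssh_host_ed25519_key" ] || [ ! -f "${SSHD_CONFIG_DIR}/ssh_host_ed25519_key.pub" ]; then
    # -N '' : sshd can only load unencrypted host keys, and without it an
    # interactive run is asked for a passphrase on the terminal (stdin from
    # /dev/null only covers the no-terminal case).
    runcmd ssh-keygen -t ed25519 -N '' -f "${SSHD_CONFIG_DIR}/ssh_host_ed25519_key" < /dev/null
  fi
  if [ ! -f "${SSHD_CONFIG_DIR}/ssh_host_rsa_key" ] || [ ! -f "${SSHD_CONFIG_DIR}/ssh_host_rsa_key.pub" ]; then
    runcmd ssh-keygen -t rsa -b 4096 -N '' -f "${SSHD_CONFIG_DIR}/ssh_host_rsa_key" < /dev/null
  fi

  # Limit symmetric ciphers to good modern ones
  set_directive Ciphers 'chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

  # Limit MAC algos to good modern ones with long keys, ETM only.
  # NOTE: hmac-ripemd160-etm@openssh.com was removed in OpenSSH 7.6; a newer
  # sshd rejects the whole MACs line, which the sshd -t check below reports.
  set_directive MACs 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com'

  # Check the edited file parses before anyone restarts sshd: a config sshd
  # cannot load means no further logins. Skipped in dry-run mode (nothing was
  # written) and when sshd is not on PATH.
  if [ "$DRY_RUN" -eq 0 ] && command -v sshd > /dev/null 2>&1; then
    if ! sshd -t -f "$SSHD_CONFIG"; then
      echo "!!! sshd -t rejected ${SSHD_CONFIG}; fix it before restarting sshd" >&2
    fi
  fi
fi
# }}}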