diff --git a/generate_secure_hostkeys.sh b/generate_secure_hostkeys.sh
new file mode 100644
index 0000000..566da35
--- /dev/null
+++ b/generate_secure_hostkeys.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Generate secure SSH host keys with proper permissions
+
+set -e
+
+SSH_DIR="/etc/ssh"
+KEY_PERMS="600"
+DIR_PERMS="700"
+
+echo "[*] Removing old host keys..."
+rm -f $SSH_DIR/ssh_host_*
+
+echo "[*] Generating new secure host keys..."
+
+# Generate Ed25519 key (preferred)
+ssh-keygen -t ed25519 -f $SSH_DIR/ssh_host_ed25519_key -N "" -C ""
+
+# Generate RSA key with 4096 bits
+ssh-keygen -t rsa -b 4096 -f $SSH_DIR/ssh_host_rsa_key -N "" -C ""
+
+echo "[*] Setting secure permissions..."
+chmod $KEY_PERMS $SSH_DIR/ssh_host_*
+chmod $DIR_PERMS $SSH_DIR
+
+echo "[*] Filtering moduli for safe DH groups..."
+if [ -f $SSH_DIR/moduli ]; then
+ awk '$5 >= 3071' $SSH_DIR/moduli > $SSH_DIR/moduli.safe
+ mv $SSH_DIR/moduli.safe $SSH_DIR/moduli
+ chmod 644 $SSH_DIR/moduli
+fi
+
+echo "[+] Secure host keys generated successfully"
+echo "[+] Keys are configured with hardened algorithms by default"
\ No newline at end of file
diff --git a/servconf.c b/servconf.c
index f7bc923..55fb539 100644
--- a/servconf.c
+++ b/servconf.c
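Review bot: `rm -f $SSH_DIR/ssh_host_*` runs before either `ssh-keygen` call, and because of `set -e` any failure in key generation (ssh-keygen missing, read-only or full filesystem) aborts the script after the old keys are already gone, leaving the host with no host keys and an sshd that will refuse to start. Generate into a staging directory and move the files into place only once both keys exist, as sketched below. `chmod $DIR_PERMS $SSH_DIR` (700) also makes /etc/ssh unreadable to unprivileged users, which presumably breaks the system-wide ssh_config and ssh_known_hosts for ordinary ssh clients, and `chmod $KEY_PERMS $SSH_DIR/ssh_host_*` applies 600 to the `.pub` files too; restricting the private keys alone, `chmod "$KEY_PERMS" "$SSH_DIR"/ssh_host_*_key`, is sufficient. Quoting `"$SSH_DIR"` throughout is cheap and keeps the globs safe if the path is ever changed.
```shell
# … unchanged: variable setup …
echo "[*] Generating new secure host keys..."
STAGE_DIR=$(mktemp -d "$SSH_DIR/hostkeys.XXXXXX")
ssh-keygen -t ed25519 -f "$STAGE_DIR/ssh_host_ed25519_key" -N "" -C ""
ssh-keygen -t rsa -b 4096 -f "$STAGE_DIR/ssh_host_rsa_key" -N "" -C ""
chmod "$KEY_PERMS" "$STAGE_DIR"/ssh_host_*_key
echo "[*] Installing new host keys..."
rm -f "$SSH_DIR"/ssh_host_*
mv "$STAGE_DIR"/ssh_host_* "$SSH_DIR"/
rmdir "$STAGE_DIR"
# … unchanged: moduli filtering …
```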
@@ -495,6 +495,37 @@ fill_default_server_options(ServerOptions *options)
 options->unused_connection_timeout = 0;
 if (options->sshd_session_path == NULL)
 options->sshd_session_path = xstrdup(_PATH_SSHD_SESSION);
+
+ /* Security hardening defaults */
+ if (options->max_authtries == -1)
+ options->max_authtries = 3;
+ if (options->max_sessions == -1)
+ options->max_sessions = 4;
+ if (options->login_grace_time == -1)
+ options->login_grace_time = 60;
+ if (options->permit_root_login == PERMIT_NOT_SET)
+ options->permit_root_login = PERMIT_NO_PASSWD;
+ if (options->password_authentication == -1)
+ options->password_authentication = 0;
+ if (options->kbd_interactive_authentication == -1)
+ options->kbd_interactive_authentication = 0;
+ if (options->permit_empty_passwd == -1)
+ options->permit_empty_passwd = 0;
+ if (options->x11_forwarding == -1)
+ options->x11_forwarding = 0;
+ if (options->allow_tcp_forwarding == -1)
+ options->allow_tcp_forwarding = FORWARD_DENY;
+ if (options->allow_agent_forwarding == -1)
+ options->allow_agent_forwarding = 0;
+ if (options->permit_tun == -1)
+ options->permit_tun = SSH_TUNMODE_NO;
+ if (options->use_dns == -1)
+ options->use_dns = 0;
+ if (options->client_alive_interval == -1)
+ options->client_alive_interval = 300;
+ if (options->client_alive_count_max == -1)
+ options->client_alive_count_max = 2;
+
 if (options->sshd_auth_path == NULL)
 options->sshd_auth_path = xstrdup(_PATH_SSHD_AUTH);
 if (options->refuse_connection == -1)
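Review bot: The new defaults are assigned near the top of fill_default_server_options, but upstream OpenSSH defaults these same fields (`max_authtries`, `login_grace_time`, `permit_root_login`, `password_authentication`, `allow_tcp_forwarding` and the rest) further down in the same function; if those assignments are still present below this hunk they are now unreachable dead code, and the two sets should be merged so a reader finds a single source of truth for each option. The values are bare magic numbers; the comment `/* Security hardening defaults */` should state that these replace the upstream defaults and apply only when sshd_config leaves the option unset (that is what the `== -1` and `PERMIT_NOT_SET` guards do), and each non-obvious number deserves a why, e.g. `/* 300 s x 2 = 10 min idle before the server drops the session */` on the client-alive pair. `password_authentication = 0` together with `kbd_interactive_authentication = 0` means a host whose sshd_config sets neither and has no authorized keys installed becomes unreachable over SSH after this change; that may be the intended posture, but it belongs in a comment here and in the release notes. The enclosing function starts and ends outside the hunk.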