summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorElizabeth Alexander Hunt <me@liz.coffee>2026-07-11 12:59:53 -0700
committerElizabeth Alexander Hunt <me@liz.coffee>2026-07-11 12:59:53 -0700
commit65f13215165cdc7768046235983cdb812bb00a33 (patch)
treee88962b266d3b94564cb497ec7b6aa798c262bdf
downloadkeys-65f13215165cdc7768046235983cdb812bb00a33.tar.gz
keys-65f13215165cdc7768046235983cdb812bb00a33.zip
Initial commit
-rw-r--r--.gitignore1
-rw-r--r--authorized_keys.sigbin0 -> 1921 bytes
-rwxr-xr-xinstall.sh13
-rwxr-xr-xrefresh_keys.sh26
-rwxr-xr-xsign.sh3
-rw-r--r--sshd_config114
6 files changed, 157 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..05b023b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+authorized_keys
diff --git a/authorized_keys.sig b/authorized_keys.sig
new file mode 100644
index 0000000..118c2c4
--- /dev/null
+++ b/authorized_keys.sig
Binary files differ
diff --git a/install.sh b/install.sh
new file mode 100755
index 0000000..ca4f86f
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -eo pipefail
+
+sudo cp sshd_config /etc/sshd_config
+
+HOME=$(getent passwd "$USER" | cut -d: -f6)
+mkdir -p "$HOME/.local/bin/"
+cp refresh_keys.sh "$HOME/.local/bin"
+
+JOB="17 * * * * $HOME/.local/bin/refresh_keys.sh"
+( crontab -l 2>/dev/null | grep -vF 'replace.sh'; echo "$JOB" ) | crontab -
+
diff --git a/refresh_keys.sh b/refresh_keys.sh
new file mode 100755
index 0000000..5beea89
--- /dev/null
+++ b/refresh_keys.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+function main() {
+ echo "DC4323D1738F27358793D6E87BB52F7036FA7C18:6:" | gpg --import-ownertrust && gpg --update-trustdb
+
+ cd /tmp
+ rm -rf /tmp/keys || true
+ git clone https://code.liz.coffee/keys
+ cd keys
+ gpg --status-fd 1 --verify authorized_keys.sig | grep -q "VALIDSIG DC4323D1738F27358793D6E87BB52F7036FA7C18" || exit 1
+ gpg --decrypt authorized_keys.sig
+
+ sed '/emprespresso/d' ~/.ssh/authorized_keys
+ cat authorized_keys >> ~/.ssh/authorized_keys
+ cd /tmp
+ rm -rf keys
+}
+
+function handle_error() {
+ curl -d "ERROR IN UPDATING KEYS: $(cat /etc/hostname)" ntfy.sh/emprespresso-liz-dot-coffee
+}
+
+main || handle_error
+
diff --git a/sign.sh b/sign.sh
new file mode 100755
index 0000000..27a8cce
--- /dev/null
+++ b/sign.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+gpg --local-user DC4323D1738F27358793D6E87BB52F7036FA7C18 --output authorized_keys.sig --sign authorized_keys
diff --git a/sshd_config b/sshd_config
new file mode 100644
index 0000000..4007640
--- /dev/null
+++ b/sshd_config
@@ -0,0 +1,114 @@
+# Modified from K4YT3X Hardened OpenSSH Configuration
+
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# disallow automatically setting environment variables through ~/.ssh/environment
+PermitUserEnvironment no
+# disallow ssh-agent forwarding to prevent lateral movement
+AllowAgentForwarding no
+
+AllowTcpForwarding yes
+AllowStreamLocalForwarding yes
+# overrides all other forwarding switches
+DisableForwarding yes
+
+# disallow remote hosts from connecting to forwarded ports
+# i.e. forwarded ports are forced to bind to 127.0.0.1 instead of 0.0.0.0
+GatewayPorts no
+
+# prevent tun device forwarding
+PermitTunnel no
+
+# suppress MOTD
+PrintMotd no
+
+# disable X11 forwarding since it is not necessary
+X11Forwarding no
+
+########## Authentication ##########
+
+AuthenticationMethods publickey
+PasswordAuthentication no
+UsePAM no
+
+# challenge-response authentication backend it not configured by default
+# therefore, it is set to "no" by default to avoid the use of an unconfigured backend
+ChallengeResponseAuthentication no
+
+# set maximum authentication retries to prevent brute force attacks
+MaxAuthTries 3
+
+# disallow connecting using empty passwords
+PermitEmptyPasswords no
+PermitRootLogin no
+PubkeyAuthentication yes
+
+########## Cryptography ##########
+
+# explicitly define cryptography algorithms to avoid the use of weak algorithms
+# AES-CTR and Chacha20-Poly1305 modes have been removed to mitigate the Terrapin attack
+# https://terrapin-attack.com/
+Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
+HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+
+# only use host keys with secure HostKeyAlgorithms
+# omit the ECDSA key since it is only used in conjunction with the NIST P-curves
+HostKey /etc/ssh/ssh_host_ed25519_key
+#HostKey /etc/ssh/ssh_host_rsa_key
+
+# short moduli should be deactivated before enabling the use of diffie-hellman-group-exchange-sha256
+# see this link for more details: https://github.com/k4yt3x/sshd_config#deactivating-short-diffie-hellman-moduli
+# AES-CTR and Chacha20-Poly1305 modes have been removed to mitigate the Terrapin attack
+# https://terrapin-attack.com/
+# ecdh-sha2-nistp* algorithms have been removed due to concerns around NIST P-curves' design
+# https://github.com/jtesta/ssh-audit/issues/213#issuecomment-1774204745
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
+
+########## Connection Preferences ##########
+
+# Debian-based distributions only
+# hide the Debian banner to prevent information disclosure
+# (e.g., `SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3`)
+#DebianBanner no
+
+# number of client alive messages sent without client responding
+ClientAliveCountMax 2
+
+# send a keepalive message to the client when the session has been idle for 300 seconds
+# this prevents/detects connection timeouts
+ClientAliveInterval 300
+
+# compression before encryption might cause security issues
+Compression no
+
+# prevent SSH trust relationships from allowing lateral movements
+IgnoreRhosts yes
+
+# log verbosely for additional information
+#LogLevel VERBOSE
+
+# allow a maximum of two multiplexed sessions over a single TCP connection
+MaxSessions 2
+
+# enforce SSH server to only use SSH protocol version 2
+# SSHv1 contains security issues and should be avoided at all costs
+# SSHv1 is disabled by default after OpenSSH 7.0, but this option is
+# specified anyways to ensure this configuration file's compatibility
+# with older versions of OpenSSH server
+Protocol 2
+
+# override default of no subsystems
+# path to the sftp-server binary depends on your distribution
+#Subsystem sftp /usr/lib/openssh/sftp-server
+#Subsystem sftp /usr/libexec/openssh/sftp-server
+Subsystem sftp internal-sftp
+
+# let ClientAliveInterval handle keepalive
+TCPKeepAlive no
+
+# disable reverse DNS lookups
+UseDNS no