From 65f13215165cdc7768046235983cdb812bb00a33 Mon Sep 17 00:00:00 2001 From: Elizabeth Alexander Hunt Date: Sat, 11 Jul 2026 12:59:53 -0700 Subject: Initial commit --- .gitignore | 1 + authorized_keys.sig | Bin 0 -> 1921 bytes install.sh | 13 ++++++ refresh_keys.sh | 26 ++++++++++++ sign.sh | 3 ++ sshd_config | 114 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 157 insertions(+) create mode 100644 .gitignore create mode 100644 authorized_keys.sig create mode 100755 install.sh create mode 100755 refresh_keys.sh create mode 100755 sign.sh create mode 100644 sshd_config diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..05b023b --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +authorized_keys diff --git a/authorized_keys.sig b/authorized_keys.sig new file mode 100644 index 0000000..118c2c4 Binary files /dev/null and b/authorized_keys.sig differ diff --git a/install.sh b/install.sh new file mode 100755 index 0000000..ca4f86f --- /dev/null +++ b/install.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +set -eo pipefail + +sudo cp sshd_config /etc/sshd_config + +HOME=$(getent passwd "$USER" | cut -d: -f6) +mkdir -p "$HOME/.local/bin/" +cp refresh_keys.sh "$HOME/.local/bin" + +JOB="17 * * * * $HOME/.local/bin/refresh_keys.sh" +( crontab -l 2>/dev/null | grep -vF 'replace.sh'; echo "$JOB" ) | crontab - + diff --git a/refresh_keys.sh b/refresh_keys.sh new file mode 100755 index 0000000..5beea89 --- /dev/null +++ b/refresh_keys.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +set -e + +function main() { + echo "DC4323D1738F27358793D6E87BB52F7036FA7C18:6:" | gpg --import-ownertrust && gpg --update-trustdb + + cd /tmp + rm -rf /tmp/keys || true + git clone https://code.liz.coffee/keys + cd keys + gpg --status-fd 1 --verify authorized_keys.sig | grep -q "VALIDSIG DC4323D1738F27358793D6E87BB52F7036FA7C18" || exit 1 + gpg --decrypt authorized_keys.sig + + sed '/emprespresso/d' ~/.ssh/authorized_keys + cat authorized_keys >> ~/.ssh/authorized_keys + cd /tmp + rm -rf keys +} + +function handle_error() { + curl -d "ERROR IN UPDATING KEYS: $(cat /etc/hostname)" ntfy.sh/emprespresso-liz-dot-coffee +} + +main || handle_error + diff --git a/sign.sh b/sign.sh new file mode 100755 index 0000000..27a8cce --- /dev/null +++ b/sign.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +gpg --local-user DC4323D1738F27358793D6E87BB52F7036FA7C18 --output authorized_keys.sig --sign authorized_keys diff --git a/sshd_config b/sshd_config new file mode 100644 index 0000000..4007640 --- /dev/null +++ b/sshd_config @@ -0,0 +1,114 @@ +# Modified from K4YT3X Hardened OpenSSH Configuration + +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE +AcceptEnv XMODIFIERS + +# disallow automatically setting environment variables through ~/.ssh/environment +PermitUserEnvironment no +# disallow ssh-agent forwarding to prevent lateral movement +AllowAgentForwarding no + +AllowTcpForwarding yes +AllowStreamLocalForwarding yes +# overrides all other forwarding switches +DisableForwarding yes + +# disallow remote hosts from connecting to forwarded ports +# i.e. forwarded ports are forced to bind to 127.0.0.1 instead of 0.0.0.0 +GatewayPorts no + +# prevent tun device forwarding +PermitTunnel no + +# suppress MOTD +PrintMotd no + +# disable X11 forwarding since it is not necessary +X11Forwarding no + +########## Authentication ########## + +AuthenticationMethods publickey +PasswordAuthentication no +UsePAM no + +# challenge-response authentication backend it not configured by default +# therefore, it is set to "no" by default to avoid the use of an unconfigured backend +ChallengeResponseAuthentication no + +# set maximum authentication retries to prevent brute force attacks +MaxAuthTries 3 + +# disallow connecting using empty passwords +PermitEmptyPasswords no +PermitRootLogin no +PubkeyAuthentication yes + +########## Cryptography ########## + +# explicitly define cryptography algorithms to avoid the use of weak algorithms +# AES-CTR and Chacha20-Poly1305 modes have been removed to mitigate the Terrapin attack +# https://terrapin-attack.com/ +Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com +HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519 +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com + +# only use host keys with secure HostKeyAlgorithms +# omit the ECDSA key since it is only used in conjunction with the NIST P-curves +HostKey /etc/ssh/ssh_host_ed25519_key +#HostKey /etc/ssh/ssh_host_rsa_key + +# short moduli should be deactivated before enabling the use of diffie-hellman-group-exchange-sha256 +# see this link for more details: https://github.com/k4yt3x/sshd_config#deactivating-short-diffie-hellman-moduli +# AES-CTR and Chacha20-Poly1305 modes have been removed to mitigate the Terrapin attack +# https://terrapin-attack.com/ +# ecdh-sha2-nistp* algorithms have been removed due to concerns around NIST P-curves' design +# https://github.com/jtesta/ssh-audit/issues/213#issuecomment-1774204745 +KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512 + +########## Connection Preferences ########## + +# Debian-based distributions only +# hide the Debian banner to prevent information disclosure +# (e.g., `SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3`) +#DebianBanner no + +# number of client alive messages sent without client responding +ClientAliveCountMax 2 + +# send a keepalive message to the client when the session has been idle for 300 seconds +# this prevents/detects connection timeouts +ClientAliveInterval 300 + +# compression before encryption might cause security issues +Compression no + +# prevent SSH trust relationships from allowing lateral movements +IgnoreRhosts yes + +# log verbosely for additional information +#LogLevel VERBOSE + +# allow a maximum of two multiplexed sessions over a single TCP connection +MaxSessions 2 + +# enforce SSH server to only use SSH protocol version 2 +# SSHv1 contains security issues and should be avoided at all costs +# SSHv1 is disabled by default after OpenSSH 7.0, but this option is +# specified anyways to ensure this configuration file's compatibility +# with older versions of OpenSSH server +Protocol 2 + +# override default of no subsystems +# path to the sftp-server binary depends on your distribution +#Subsystem sftp /usr/lib/openssh/sftp-server +#Subsystem sftp /usr/libexec/openssh/sftp-server +Subsystem sftp internal-sftp + +# let ClientAliveInterval handle keepalive +TCPKeepAlive no + +# disable reverse DNS lookups +UseDNS no -- cgit v1.3