Server-only canonical production Debian build. Drops laptop/vanilla variants. Interactive LUKS + hostname at install. user/123 forced rotate. DVD-1 offline base. S8N_LOGS log-capture partition. Lineage: forked from s8n/debian-s8ns-prefs-iso commit d4be55f.
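#!/bin/sh
# 20-ssh.sh — harden sshd: pubkey only, no root login, no password auth.
#
# Policy is written as a drop-in under /etc/ssh/sshd_config.d/ instead of
# editing sshd_config in place. sshd keeps the FIRST value it reads for a
# keyword, and Debian's stock sshd_config begins with
#   Include /etc/ssh/sshd_config.d/*.conf
# so a drop-in named 00-* overrides every later drop-in and the main file.
# If that Include line is missing the drop-in is silently ignored and the host
# would keep password logins, so the line is added (at the top) when absent.
#
# authorized_keys was already placed by preseed late_command. Because password
# auth is switched off below, this script warns when no key can be found.
#
# Exit status: 0 on success or when sshd is not installed; 1 when the resulting
# configuration does not pass `sshd -t`.
set -eu

main_conf=/etc/ssh/sshd_config
dropin_dir=/etc/ssh/sshd_config.d
dropin="$dropin_dir/00-s8n.conf"

# sshd_config belongs to openssh-server; without it there is nothing to harden.
if [ ! -f "$main_conf" ]; then
  echo "[20] sshd not installed, skipping"
  exit 0
fi

# Older or hand-edited configs may lack the drop-in directory and/or the
# Include line. Without the Include the drop-in below has no effect at all.
mkdir -p "$dropin_dir"
if ! grep -Eiq '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d/\*\.conf' "$main_conf"; then
  echo "[20] $main_conf has no Include for $dropin_dir; prepending one"
  # Prepend (not append): first-value-wins, and the Include must precede any
  # Match block or conflicting keyword already present in the main file.
  tmp=$(mktemp /etc/ssh/sshd_config.XXXXXX)
  { printf 'Include %s/*.conf\n' "$dropin_dir"; cat "$main_conf"; } > "$tmp"
  chmod 0644 "$tmp"
  mv -- "$tmp" "$main_conf"
fi

cat > "$dropin" <<'SSHD'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding no
PermitEmptyPasswords no
LoginGraceTime 30
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
SSHD
# Do not depend on the caller's umask for the mode of a root policy file.
chmod 0644 "$dropin"

# Fail closed: a bad directive would leave sshd unable to start after the
# reboot, i.e. a locked-out host. sshd is usually in /usr/sbin, which may not
# be on PATH in the installer environment. `sshd -t` needs host keys present;
# openssh-server's postinst generates them at package install time.
sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
if ! "$sshd_bin" -t; then
  echo "[20] ERROR: sshd rejected the new configuration (see messages above)" >&2
  exit 1
fi

# Password auth is now off; say so loudly if no key is in place so the operator
# notices before the first reboot rather than after it.
found_key=0
for keyfile in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
  if [ -s "$keyfile" ]; then
    found_key=1
  fi
done
if [ "$found_key" -eq 0 ]; then
  echo "[20] WARNING: no non-empty authorized_keys under /root or /home; key-only SSH login has no usable key" >&2
fi

# Fail2ban gets enabled by 00-base.sh, but the default jail covers sshd.
echo "[20] sshd hardened. authorized_keys placed by preseed."
# Best-effort on purpose: enabling can fail when this runs outside a booted
# systemd (installer chroot); the unit is normally enabled by the package anyway.
systemctl enable ssh || true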