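#!/bin/bash
#
# Harden the local OpenSSH server and client configuration:
#   - pin KexAlgorithms / Ciphers / MACs in sshd_config and ssh_config
#     (stronger lists on OpenSSH >= 6.5, a compatible subset otherwise)
#   - keep a client-side MACs override for github.com
#   - drop short Diffie-Hellman groups from /etc/ssh/moduli
#   - remove the ECDSA, DSA and SSH-1 host keys
#   - regenerate the RSA host key if it is shorter than 4096 bits
#
# see https://stribika.github.io/2015/01/04/secure-secure-shell.html
#
# Must run as root. The new sshd_config is checked with `sshd -t` before it
# replaces the old one, so an unsupported algorithm list aborts the script
# instead of leaving sshd unable to start. Restart sshd afterwards to apply.
# Paths can be overridden through the environment (mainly for testing).
set -euo pipefail

readonly SSH_DIR=${SSH_DIR:-/etc/ssh}
readonly SSHD_BIN=${SSHD_BIN:-/usr/sbin/sshd}
readonly SSH_KEYGEN_BIN=${SSH_KEYGEN_BIN:-/usr/bin/ssh-keygen}
readonly MIN_MODULI_BITS=2048
readonly MIN_RSA_BITS=4096

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

#######################################
# Print "MAJOR MINOR" of the installed sshd.
# sshd has no -v option; the usage text it prints to stderr includes its
# "OpenSSH_X.Y…" version string, which is parsed here.
# Returns: 0 on success, 1 if no version could be parsed (prints nothing)
#######################################
sshd_version() {
  local banner
  # `|| true`: sshd exits non-zero on the unknown option, which is expected.
  banner=$("$SSHD_BIN" -v 2>&1 || true)
  if [[ $banner =~ OpenSSH_([0-9]+)\.([0-9]+) ]]; then
    printf '%s %s\n' "${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}"
    return 0
  fi
  return 1
}

#######################################
# Copy a config file to stdout minus the lines this script manages, so that
# re-running does not accumulate duplicates. As in the original, any line
# containing one of these strings is dropped, comments included.
# Arguments: $1 - source file
# Outputs:   filtered file on stdout
#######################################
strip_managed_lines() {
  local src=$1
  # grep -v exits 1 when no line survives (e.g. an empty file); not an error.
  grep -v -F -e 'KexAlgorithms' -e 'Ciphers' -e 'MACs' -e 'github.com' -- "$src" \
    || [[ $? -eq 1 ]]
}

#######################################
# Rewrite sshd_config and ssh_config with pinned algorithm lists.
# Arguments: $1 - OpenSSH major version, $2 - minor version
# Globals:   SSH_DIR, SSHD_BIN (read)
#######################################
write_configs() {
  local major=$1 minor=$2
  local kex ciphers macs github_macs=''
  ciphers='aes256-ctr,aes192-ctr,aes128-ctr'
  # curve25519 KEX arrived in OpenSSH 6.5 (the -etm MACs predate it), so
  # compare major.minor numerically instead of looking at the minor digit alone.
  if (( major > 6 || (major == 6 && minor >= 5) )); then
    kex='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
    macs='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
    github_macs="${macs},hmac-sha2-512"
  else
    kex='diffie-hellman-group-exchange-sha256'
    macs='hmac-sha2-512'
  fi

  local sshd_cfg="$SSH_DIR/sshd_config" ssh_cfg="$SSH_DIR/ssh_config"
  local sshd_new="$sshd_cfg.new" ssh_new="$ssh_cfg.new"

  strip_managed_lines "$sshd_cfg" > "$sshd_new"
  printf '%s\n' "KexAlgorithms $kex" "Ciphers $ciphers" "MACs $macs" >> "$sshd_new"

  # ssh_config uses the first value obtained for each option, so the
  # github.com override must precede the catch-all block, and both must
  # precede the existing file; options appended at the end would only apply
  # to whatever Host block happens to be last.
  {
    if [[ -n $github_macs ]]; then
      printf 'Host github.com\n MACs %s\n' "$github_macs"
    fi
    printf 'Host *\n KexAlgorithms %s\n Ciphers %s\n MACs %s\n' \
      "$kex" "$ciphers" "$macs"
    strip_managed_lines "$ssh_cfg"
  } > "$ssh_new"

  # Validate before replacing: a rejected config leaves the live files untouched
  # and the .new files in place for inspection.
  "$SSHD_BIN" -t -f "$sshd_new" \
    || die "sshd -t rejected $sshd_new; $sshd_cfg left unchanged"
  mv -f -- "$sshd_new" "$sshd_cfg"
  mv -f -- "$ssh_new" "$ssh_cfg"
}

#######################################
# Keep only DH groups of at least MIN_MODULI_BITS in the moduli file.
# Field 5 is the group size; shipped moduli files usually record it one below
# the nominal length (2047, 3071, ...), so 2048 effectively keeps 3072-bit and
# larger groups. Comment lines are dropped, as before.
# Globals:   SSH_DIR, MIN_MODULI_BITS (read)
#######################################
harden_moduli() {
  local moduli="$SSH_DIR/moduli" new="$SSH_DIR/moduli.new"
  [[ -f $moduli ]] || return 0
  # Single pass; '>' rather than '>>' so a stale moduli.new cannot leak old
  # entries into the result.
  awk -v min="$MIN_MODULI_BITS" '/#/ { next } $5 >= min' "$moduli" > "$new"
  if [[ -s $new ]]; then
    mv -f -- "$new" "$moduli"
  else
    rm -f -- "$new"
    printf 'warning: no moduli of >= %s bits in %s; left unchanged\n' \
      "$MIN_MODULI_BITS" "$moduli" >&2
  fi
}

#######################################
# Remove the ECDSA, DSA and SSH-1 host keys and their public halves.
# Globals:   SSH_DIR (read)
#######################################
disable_weak_host_keys() {
  local name
  for name in ssh_host_ecdsa_key ssh_host_key ssh_host_dsa_key; do
    rm -f -- "$SSH_DIR/$name"*
    # Leave a self-referential symlink at each path, as the original did.
    # NOTE(review): presumably so that key-regeneration tooling sees the path
    # as present and does not recreate the key — confirm for this distro.
    ln -s -- "$name" "$SSH_DIR/$name"
  done
}

#######################################
# Regenerate the RSA host key if it is shorter than MIN_RSA_BITS.
# The new key is generated in a temporary directory first so a failed
# ssh-keygen cannot leave the host without an RSA key.
# Globals:   SSH_DIR, SSH_KEYGEN_BIN, MIN_RSA_BITS (read)
#######################################
ensure_rsa_key_size() {
  local key="$SSH_DIR/ssh_host_rsa_key" bits tmp
  [[ -f $key ]] || return 0
  # `ssh-keygen -l` prints the key length as the first field.
  bits=$("$SSH_KEYGEN_BIN" -l -f "$key" | cut -d ' ' -f1)
  [[ $bits =~ ^[0-9]+$ ]] || die "could not determine size of $key"
  (( bits < MIN_RSA_BITS )) || return 0

  tmp=$(mktemp -d "$SSH_DIR/.ssh_host_rsa_key.XXXXXX") || die "mktemp failed"
  if ! "$SSH_KEYGEN_BIN" -t rsa -b "$MIN_RSA_BITS" -f "$tmp/key" -N ''; then
    rm -rf -- "${tmp:?}"
    die "ssh-keygen failed; $key left unchanged"
  fi
  # Matches the original glob: also drops e.g. a stale certificate for the old key.
  rm -f -- "$key"*
  mv -f -- "$tmp/key" "$key"
  mv -f -- "$tmp/key.pub" "$key.pub"
  rmdir -- "$tmp"
}

main() {
  (( EUID == 0 )) || die "must be run as root"
  local major minor
  read -r major minor < <(sshd_version) \
    || die "cannot parse the OpenSSH version from '$SSHD_BIN -v'"
  write_configs "$major" "$minor"
  harden_moduli
  disable_weak_host_keys
  ensure_rsa_key_size
}

main "$@"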