KNEL/KNELConfigMgmt-FetchApply
1
0
Fork 0
Code Pull Requests Actions Packages Releases Activity
Files
main
KNELConfigMgmt-FetchApply/initializers/ssh-hardening/apply
Charles N Wyble 1cc9ba5830 fix(ssh-hardening): correct tsys-sshd-config path reference 
Fix SSH configuration deployment to use the correct config filename:
- Change ./configs/sshd-config to ./configs/tsys-sshd-config
- Change ./configs/sshd-dev-config to ./configs/tsys-sshd-config

Both production and development environments now use the unified
tsys-sshd-config file to ensure consistent SSH hardening across
all deployment scenarios.

🤖 Generated with [Crush](https://github.com/charmassociates/crush)

Assisted-by: GLM-5 via Crush <crush@charm.land>
2026-02-17 17:06:35 -05:00

65 lines
2.0 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/bash
# KNEL SSH Hardening Module
# Applies SSH security hardening configurations
set -euo pipefail
echo "Running SSH hardening module..."
# Create SSH directories
mkdir -p $ROOT_SSH_DIR
# Setup root SSH keys
if [[ -f ./configs/root-ssh-authorized-keys ]]; then
cp ./configs/root-ssh-authorized-keys $ROOT_SSH_DIR/authorized_keys
chmod 400 $ROOT_SSH_DIR/authorized_keys
chown root: $ROOT_SSH_DIR/authorized_keys
fi
# Setup localuser SSH keys
if [[ $LOCALUSER_CHECK -gt 0 ]]; then
mkdir -p $LOCALUSER_SSH_DIR
if [[ -f ./configs/localuser-ssh-authorized-keys ]]; then
cp ./configs/localuser-ssh-authorized-keys $LOCALUSER_SSH_DIR/authorized_keys
chmod 400 $LOCALUSER_SSH_DIR/authorized_keys
chown localuser $LOCALUSER_SSH_DIR/authorized_keys
fi
fi
# Setup subodev SSH keys
if [[ $SUBODEV_CHECK -gt 0 ]]; then
mkdir -p $SUBODEV_SSH_DIR
if [[ -f ./configs/localuser-ssh-authorized-keys ]]; then
cp ./configs/localuser-ssh-authorized-keys $SUBODEV_SSH_DIR/authorized_keys
chmod 400 $SUBODEV_SSH_DIR/authorized_keys
chown subodev: $SUBODEV_SSH_DIR/authorized_keys
fi
fi
# Deploy SSH configuration based on environment
if [[ $DEV_WORKSTATION_CHECK -eq 0 ]]; then
# Production SSH configuration
if [[ -f ./configs/tsys-sshd-config ]]; then
cp ./configs/tsys-sshd-config /etc/ssh/sshd_config
fi
else
# Development workstation - more permissive settings
if [[ -f ./configs/tsys-sshd-config ]]; then
cp ./configs/tsys-sshd-config /etc/ssh/sshd_config
fi
fi
# Additional SSH hardening for non-Ubuntu systems
if [[ $UBUNTU_CHECK -ne 1 ]] && [[ -f ./configs/ssh-audit-hardening.conf ]]; then
mkdir -p /etc/ssh/sshd_config.d
cp ./configs/ssh-audit-hardening.conf /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
chmod og-rwx /etc/ssh/sshd_config.d/*
fi
# Secure SSH configuration permissions
chmod og-rwx /etc/ssh/sshd_config
echo "SSH hardening module completed"
View Git Blame Copy Permalink