fix for sshsecure on ssh versions 8.1+

This commit is contained in:
brent s. 2020-03-13 02:34:49 -04:00
parent fcc2cb674f
commit 31eec2d3f3
Signed by: bts
GPG Key ID: 8C004C2F93481F6B
1 changed files with 25 additions and 8 deletions


@ -119,9 +119,14 @@ ssh_ver = float(re.sub('^(Open|Sun_)SSH_([0-9\.]+)(p[0-9]+)?,.*$', '\g<2>', ssh_
if ssh_ver >= magic_ver: if ssh_ver >= magic_ver:
has_ed25519 = True has_ed25519 = True
supported_keys = ('ed25519', 'rsa') supported_keys = ('ed25519', 'rsa')
new_moduli = False
else: else:
has_ed25519 = False has_ed25519 = False
supported_keys = ('rsa', ) supported_keys = ('rsa', )
new_moduli = False
# https://github.com/openssh/openssh-portable/commit/3e60d18fba1b502c21d64fc7e81d80bcd08a2092
if ssh_ver >= 8.1:
new_moduli = True




conf_options = {} conf_options = {}
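Review bot: `new_moduli = False` is assigned in both the `if` and `else` branches and then overwritten by the separate `if ssh_ver >= 8.1:` check, so the two new assignments inside the version branches are redundant and hide the fact that the flag depends only on the 8.1 threshold. The three statements collapse to one line after the branch: `new_moduli = ssh_ver >= 8.1  # ssh-keygen -G/-T were replaced by -M generate/-M screen in 8.1`. Note that `ssh_ver` is a float parsed from the banner on the first line of the hunk, so a comparison like `>= 8.1` relies on the dotted version string having a single-digit minor; that line is context, not part of this change, but it is worth a comment if the float comparison is kept.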
@ -175,14 +180,26 @@ def hostKeys(buildmoduli):
subprocess.run(['haveged'], stdout = devnull) subprocess.run(['haveged'], stdout = devnull)
#Warning: The moduli stuff takes a LONG time to run. Hours. #Warning: The moduli stuff takes a LONG time to run. Hours.
if buildmoduli: if buildmoduli:
subprocess.run(['ssh-keygen', if not new_moduli:
'-G', '/etc/ssh/moduli.all', subprocess.run(['ssh-keygen',
'-b', '4096', '-G', '/etc/ssh/moduli.all',
'-q']) '-b', '4096',
subprocess.run(['ssh-keygen', '-q'])
'-T', '/etc/ssh/moduli.safe', subprocess.run(['ssh-keygen',
'-f', '/etc/ssh/moduli.all', '-T', '/etc/ssh/moduli.safe',
'-q']) '-f', '/etc/ssh/moduli.all',
'-q'])
else:
subprocess.run(['ssh-keygen',
'-q',
'-M', 'generate',
'-O', 'bits=4096',
'/etc/ssh/moduli.all'])
subprocess.run(['ssh-keygen',
'-q',
'-M', 'screen',
'-f', '/etc/ssh/moduli.all',
'/etc/ssh/moduli.safe'])
if os.path.lexists('/etc/ssh/moduli'): if os.path.lexists('/etc/ssh/moduli'):
os.rename('/etc/ssh/moduli', '/etc/ssh/moduli.old') os.rename('/etc/ssh/moduli', '/etc/ssh/moduli.old')
os.rename('/etc/ssh/moduli.safe', '/etc/ssh/moduli') os.rename('/etc/ssh/moduli.safe', '/etc/ssh/moduli')
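Review bot: The two new `subprocess.run` calls in the `else` branch (the `-M generate` and `-M screen` invocations) ignore the exit status, so if either fails — for example because the installed `ssh-keygen` does not accept these flags — execution still falls through to the `os.rename` calls that move the existing `/etc/ssh/moduli` to `moduli.old` and then try to rename a `moduli.safe` that was never produced; the host is left without a usable moduli file and the function raises only at the second rename. Passing `check=True` on both new calls, i.e. `'/etc/ssh/moduli.all'], check=True)` and `'/etc/ssh/moduli.safe'], check=True)`, aborts before the rename when generation or screening fails; the pre-8.1 branch has the same gap and would benefit from the same change. `new_moduli` is read here as a module-level global set in the first hunk, which is worth a short comment on the `if not new_moduli:` line. hostKeys begins outside this hunk, so I cannot see whether the caller already handles a CalledProcessError.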