mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-30 14:09:42 -05:00
c533991519
German Federal Office for Information Security requests in its technical guideline BSI TR-02102-1 RSA Keylength not shorter than 3000bits starting 2024, in the year 2023 3000bits as a recommendation. Gitea should request longer RSA Keys by default in favor of security and drop old clients which do not support longer keys. https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf?__blob=publicationFile&v=9 - Page 19, Table 1.2 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
51 lines
1.7 KiB
Bash
Executable file
51 lines
1.7 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
if [ ! -d /data/ssh ]; then
|
|
mkdir -p /data/ssh
|
|
fi
|
|
|
|
if [ ! -f /data/ssh/ssh_host_ed25519_key ]; then
|
|
echo "Generating /data/ssh/ssh_host_ed25519_key..."
|
|
ssh-keygen -t ed25519 -f /data/ssh/ssh_host_ed25519_key -N "" > /dev/null
|
|
fi
|
|
|
|
if [ ! -f /data/ssh/ssh_host_rsa_key ]; then
|
|
echo "Generating /data/ssh/ssh_host_rsa_key..."
|
|
ssh-keygen -t rsa -b 3072 -f /data/ssh/ssh_host_rsa_key -N "" > /dev/null
|
|
fi
|
|
|
|
if [ ! -f /data/ssh/ssh_host_ecdsa_key ]; then
|
|
echo "Generating /data/ssh/ssh_host_ecdsa_key..."
|
|
ssh-keygen -t ecdsa -b 256 -f /data/ssh/ssh_host_ecdsa_key -N "" > /dev/null
|
|
fi
|
|
|
|
if [ -e /data/ssh/ssh_host_ed25519_cert ]; then
|
|
SSH_ED25519_CERT=${SSH_ED25519_CERT:-"/data/ssh/ssh_host_ed25519_cert"}
|
|
fi
|
|
|
|
if [ -e /data/ssh/ssh_host_rsa_cert ]; then
|
|
SSH_RSA_CERT=${SSH_RSA_CERT:-"/data/ssh/ssh_host_rsa_cert"}
|
|
fi
|
|
|
|
if [ -e /data/ssh/ssh_host_ecdsa_cert ]; then
|
|
SSH_ECDSA_CERT=${SSH_ECDSA_CERT:-"/data/ssh/ssh_host_ecdsa_cert"}
|
|
fi
|
|
|
|
if [ -d /etc/ssh ]; then
|
|
SSH_PORT=${SSH_PORT:-"22"} \
|
|
SSH_LISTEN_PORT=${SSH_LISTEN_PORT:-"${SSH_PORT}"} \
|
|
SSH_ED25519_CERT="${SSH_ED25519_CERT:+"HostCertificate "}${SSH_ED25519_CERT}" \
|
|
SSH_RSA_CERT="${SSH_RSA_CERT:+"HostCertificate "}${SSH_RSA_CERT}" \
|
|
SSH_ECDSA_CERT="${SSH_ECDSA_CERT:+"HostCertificate "}${SSH_ECDSA_CERT}" \
|
|
SSH_MAX_STARTUPS="${SSH_MAX_STARTUPS:+"MaxStartups "}${SSH_MAX_STARTUPS}" \
|
|
SSH_MAX_SESSIONS="${SSH_MAX_SESSIONS:+"MaxSessions "}${SSH_MAX_SESSIONS}" \
|
|
SSH_INCLUDE_FILE="${SSH_INCLUDE_FILE:+"Include "}${SSH_INCLUDE_FILE}" \
|
|
SSH_LOG_LEVEL=${SSH_LOG_LEVEL:-"INFO"} \
|
|
envsubst < /etc/templates/sshd_config > /etc/ssh/sshd_config
|
|
|
|
chmod 0644 /etc/ssh/sshd_config
|
|
fi
|
|
|
|
chown root:root /data/ssh/*
|
|
chmod 0700 /data/ssh
|
|
chmod 0600 /data/ssh/*
|