diff options
| author | nachoparker <nacho@ownyourbits.com> | 2018-06-18 17:43:50 +0300 |
|---|---|---|
| committer | nachoparker <nacho@ownyourbits.com> | 2018-06-18 17:43:50 +0300 |
| commit | 5aa071e0699e7723231917e06a9a302cbb65affc (patch) | |
| tree | c40a3ddf4ca4d96d5c0f35a93a3058287a800846 | |
| parent | 7b2737bf5fbb1c5fa597f60d4adbe80521e56717 (diff) | |
armbian: default to SSH disabledv0.57.3
| -rw-r--r-- | armbian.sh | 3 | ||||
| -rwxr-xr-x | build-SD-rpi.sh | 5 | ||||
| -rw-r--r-- | etc/ncp-config.d/SSH.sh | 32 |
3 files changed, 34 insertions, 6 deletions
@@ -30,6 +30,9 @@ curl -sSL https://raw.githubusercontent.com/nextcloud/nextcloudpi/master/install # force change root password at first login (again) chage -d 0 root +# disable SSH by default, it can be enabled through ncp-web +systemctl disable sshd + # License # diff --git a/build-SD-rpi.sh b/build-SD-rpi.sh index b238358d..6dc52605 100755 --- a/build-SD-rpi.sh +++ b/build-SD-rpi.sh @@ -63,6 +63,11 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \ # harden SSH further for Raspbian sed -i 's|^#PermitRootLogin .*|PermitRootLogin no|' /etc/ssh/sshd_config + # default user 'pi' for SSH + sed -i 's|^USER_=.*|USER_=pi|' /usr/local/etc/ncp-config.d/SSH.sh + sed -i 's|^PASS_=.*|PASS_=raspberry|' /usr/local/etc/ncp-config.d/SSH.sh + sed -i 's|^CONFIRM_=.*|CONFIRM_=raspberry|' /usr/local/etc/ncp-config.d/SSH.sh + rm -rf /tmp/ncp-build EOFCHROOT diff --git a/etc/ncp-config.d/SSH.sh b/etc/ncp-config.d/SSH.sh index 5d4d1654..cbf72263 100644 --- a/etc/ncp-config.d/SSH.sh +++ b/etc/ncp-config.d/SSH.sh @@ -8,21 +8,22 @@ # ACTIVE_=no -USER_=pi -PASS_=raspberry -CONFIRM_=raspberry +USER_=root +PASS_=1234 +CONFIRM_=1234 DESCRIPTION="Activate or deactivate SSH" INFOTITLE="SSH notes" -INFO="In order to enable SSH, the password for user pi can NOT remain set to the default raspberry. -You HAVE to create a NEW password for pi if you want this program to enable SSH, it will fail if you dont! +INFO="In order to enable SSH, the password for user 'pi' can NOT remain set to the default raspberry. +You HAVE to create a NEW password for 'pi' if you want this program to enable SSH, it will fail if you dont! +The same will happen with user 'root' and password '1234' Note: Use normal AlphaNumeric, the only special characters allowed are .,@-_/" install() { :; } is_active() { - systemctl status ssh &>/dev/null + systemctl -q is-enabled ssh &>/dev/null } configure() @@ -39,6 +40,10 @@ configure() echo "Refusing to use the default Raspbian user and password. It's insecure" return 1 } + [[ "$USER_" == "root" ]] && [[ "$PASS_" == "1234" ]] && { + echo "Refusing to use the default Armbian user and password. It's insecure" + return 1 + } # Change credentials id "$USER_" &>/dev/null || { echo "$USER_ doesn't exist"; return 1; } @@ -59,6 +64,21 @@ configure() } } + # Check for insecure default root password ( taken from old jessie method ) + local SHADOW="$( grep -E '^root:' /etc/shadow )" + test -n "${SHADOW}" && { + local SALT=$(echo "${SHADOW}" | sed -n 's/root:\$6\$//;s/\$.*//p') + local HASH=$(mkpasswd -msha-512 1234 "$SALT") + + grep -q "${HASH}" <<< "${SHADOW}" && { + systemctl stop ssh + systemctl disable ssh + echo "The user root is using the default password. Refusing to activate SSH" + echo "SSH disabled" + return 1 + } + } + # Enable chage -d 0 "$USER_" systemctl enable ssh |