Commit 3cf283db authored by Bob Mottram's avatar Bob Mottram

Key lengths same as letsencrypt

parent 99bb2ced
......@@ -311,7 +311,7 @@ function add_cert_selfsigned {
openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \
-subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
-newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \
-newkey rsa:2048 -keyout /etc/ssl/private/${CERTFILE}.key \
-out /etc/ssl/certs/${CERTFILE}.crt
chmod 400 /etc/ssl/private/${CERTFILE}.key
chmod 640 /etc/ssl/certs/${CERTFILE}.crt
......
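Review bot: Matching Let's Encrypt's 2048-bit key length on L16 without also matching its lifetime leaves a weaker key in service far longer: this certificate is still issued with `-days 3650`, whereas Let's Encrypt certificates and their keys are replaced every 90 days. Either keep `rsa:4096` for this ten-year self-signed case or shorten `-days` so the key actually gets rotated, and record the reasoning next to the line, e.g. `# 2048-bit RSA matches the Let's Encrypt default; revisit if -days stays at 3650`. The `-subj` and `-keyout` arguments are unchanged by this commit; add_cert_selfsigned starts and ends outside the hunk.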
......@@ -519,7 +519,7 @@ function install_ipfs_go {
fi
# initialise
su -c "$IPFS_PATH/ipfs init -b 4096" - $MY_USERNAME
su -c "$IPFS_PATH/ipfs init -b 2048" - $MY_USERNAME
if [ ! -d /home/$MY_USERNAME/.ipfs ]; then
echo "IPFS could not be initialised for user $MY_USERNAME"
exit 7358
......
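Review bot: The Let's Encrypt rationale in the commit message does not carry over to L25: `ipfs init -b` sizes the node's long-lived identity key (presumably RSA on this go-ipfs), which is never rotated the way a 90-day TLS key is, so the reduction should be justified on its own terms or left at 4096. If 2048 is kept, a comment such as `# 2048-bit node identity key; this key is permanent, unlike a TLS key` would stop the next reader from assuming it tracks a certificate policy. Separately, the command is handed to `su -c` as one string, so `$IPFS_PATH` is re-parsed by the target user's shell and `$MY_USERNAME` should be quoted: `su -c "$IPFS_PATH/ipfs init -b 2048" - "$MY_USERNAME"`. The check that follows only tests for the `.ipfs` directory rather than the command's exit status; install_ipfs_go continues outside the hunk.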
......@@ -1454,7 +1454,7 @@ function configure_imap_client_certs {
echo 'serial = sslserial' >> /etc/ssl/dovecot-ca.cnf
echo 'default_days = 3650' >> /etc/ssl/dovecot-ca.cnf
echo 'default_md = sha256' >> /etc/ssl/dovecot-ca.cnf
echo 'default_bits = 4096' >> /etc/ssl/dovecot-ca.cnf
echo 'default_bits = 2048' >> /etc/ssl/dovecot-ca.cnf
echo 'policy = dovecot-ca_policy' >> /etc/ssl/dovecot-ca.cnf
echo 'x509_extensions = dovecot-ca_extensions' >> /etc/ssl/dovecot-ca.cnf
echo '' >> /etc/ssl/dovecot-ca.cnf
......
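Review bot: `default_bits` is a `[req]`-section option, while the keys written around L35 (`serial`, `default_days`, `default_md`, `policy`, `x509_extensions`) are all `[ca]`-section options, so if this block is emitting the `[ca]` section the new value is never read by `openssl ca` and the change has no effect here; the section header is outside the hunk, so please confirm which section this is. If the intent is to size the CA key itself, that is decided by whatever `genrsa`/`req -newkey` call creates it, and for a CA that signs with `default_days = 3650` 4096 bits is the more defensible choice (Let's Encrypt's own ISRG Root X1 is a 4096-bit RSA key; 2048 is its leaf-key default). A comment on the line, e.g. `# default_bits is only honoured by 'openssl req'; the CA key size is set where that key is generated`, would make the scope explicit. configure_imap_client_certs starts and ends outside the hunk.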
......@@ -154,7 +154,7 @@ function configure_ssh_client {
ssh-keygen -t ed25519 -o -a 100
fi
if [ ! -f /home/$CURR_USER/.ssh/id_rsa ]; then
ssh-keygen -t rsa -b 4096 -o -a 100
ssh-keygen -t rsa -b 2048 -o -a 100
fi
ssh_remove_small_moduli
......
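Review bot: The condition on L43 tests `/home/$CURR_USER/.ssh/id_rsa`, but `ssh-keygen` on L45 is given no `-f`, so it writes to the invoking user's own `~/.ssh/id_rsa` and prompts interactively; unless the script runs as `$CURR_USER`, the key never lands where the check looks and the block re-prompts on every run. Passing the path, `ssh-keygen -t rsa -b 2048 -o -a 100 -f "/home/$CURR_USER/.ssh/id_rsa"`, keeps the check and the write consistent (the ed25519 branch above has the same shape but is context here). 2048 is also ssh-keygen's RSA default on the OpenSSH releases of this era, so `-b 2048` is now documentation only; a comment like `# 2048 = ssh-keygen's RSA default; the ed25519 key above is the preferred one` would say so. configure_ssh_client continues outside the hunk.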
......@@ -46,12 +46,13 @@ function configure_ssh {
sed -i 's/#PermitRootLogin no/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config
sed -i 's/#X11Forwarding no/X11Forwarding no/g' /etc/ssh/sshd_config
sed -i 's/ServerKeyBits.*/ServerKeyBits 4096/g' /etc/ssh/sshd_config
sed -i 's/#ServerKeyBits 4096/ServerKeyBits 4096/g' /etc/ssh/sshd_config
sed -i 's/ServerKeyBits.*/ServerKeyBits 2048/g' /etc/ssh/sshd_config
sed -i 's/#ServerKeyBits 2048/ServerKeyBits 2048/g' /etc/ssh/sshd_config
sed -i 's/TCPKeepAlive.*/TCPKeepAlive no/g' /etc/ssh/sshd_config
sed -i 's/#TCPKeepAlive no/TCPKeepAlive no/g' /etc/ssh/sshd_config
sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config
sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config
sed -i 's|#HostKey /etc/ssh/ssh_host_ed25519_key|HostKey /etc/ssh/ssh_host_ed25519_key|g' /etc/ssh/sshd_config
if ! grep -q 'DebianBanner' /etc/ssh/sshd_config; then
echo 'DebianBanner no' >> /etc/ssh/sshd_config
else
......@@ -126,9 +127,9 @@ function configure_ssh_client {
if [ ! -f ~/.ssh/id_ed25519 ]; then
ssh-keygen -t ed25519 -o -a 100
fi
if [ ! -f ~/.ssh/id_rsa ]; then
ssh-keygen -t rsa -b 4096 -o -a 100
fi
#if [ ! -f ~/.ssh/id_rsa ]; then
# ssh-keygen -t rsa -b 2048 -o -a 100
#fi
function_check ssh_remove_small_moduli
ssh_remove_small_moduli
......
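Review bot: L72-L74 comment the RSA client-key generation out rather than deleting it, leaving dead code that still carries the new `-b 2048` value; if the RSA key is no longer wanted, remove the three lines, and if some hosts still need it, gate it on a variable instead of a comment. This hunk also disagrees with the other `configure_ssh_client` hunk in the same commit, which keeps generating a 2048-bit RSA key under `/home/$CURR_USER/.ssh`, so whether a user ends up with an RSA key now depends on which copy runs. A one-line comment where the block stood, e.g. `# RSA client key no longer generated; ed25519 above is the only client key`, would record the decision. The function continues outside the hunk.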