KeiSeiKit-1.0/_blocks/security-ssh-hardening.md
Parfii-bot a4e667de10 KeiSeiKit-public — clean state
Single-commit clean baseline after security scrub of niche-tells,
project codenames, internal jargon, and contributor-email leaks.

Contents:
- 100 Rust crates (_primitives/_rust/)
- 37 agent manifests (_manifests/) + generated specs (_generated/)
- 67 user-invocable skills (skills/)
- 33 hooks (hooks/)
- Composition blocks (_blocks/)
- Documentation (docs/, README.md)
- TS adapter packages (_ts_packages/)
- Assembler (_assembler/)
- Roles (_roles/)
- Templates (_templates/)
- Forgejo CI (.forgejo/)

Author: Denis Parfionovich <info@greendragon.info>

License: see LICENSE.
2026-05-01 12:09:03 +08:00


SECURITY — SSH Hardening (sshd_config.d/99-kei.conf)

Rule: hardening goes into a drop-in under /etc/ssh/sshd_config.d/, NEVER by editing /etc/ssh/sshd_config directly. The main file ships with distro-owned defaults; drop-ins win on later-read order and survive package upgrades cleanly.

Reference file /etc/ssh/sshd_config.d/99-kei.conf:

```
# KeiSeiKit hardened SSH — pinned 2026-04-21, auditable via ssh-check.
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no
UsePAM yes
MaxAuthTries 3
MaxSessions 4
LoginGraceTime 20
AllowUsers keiadmin
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
ClientAliveInterval 120
ClientAliveCountMax 2
LogLevel VERBOSE
# Modern crypto only (OpenSSH ≥ 8.9, default Debian 12 / Ubuntu 22.04+):
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,sntrup761x25519-sha512@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
```

Apply with sshd -t (config test) before systemctl reload ssh. Use reload, NOT restart: restart kills existing sessions, while reload re-reads the config and keeps them. Keep the session you applied the change from open until a fresh login with the new config succeeds.

Field-by-field rationale:

  • PasswordAuthentication no — passwords are the #1 SSH brute-force vector. Keys only.
  • PermitRootLogin prohibit-password — root only via key, never password. Setting it to no blocks even emergency cloud-console rescue paths on some providers; prohibit-password is the pragmatic middle.
  • MaxAuthTries 3 — reduces per-connection key/password attempts; combine with fail2ban for per-IP bans (separate concern).
  • AllowUsers keiadmin — an explicit allow-list is simpler than group-based deny rules and is trivial to audit. Adding a user means an explicit edit.
  • LogLevel VERBOSE — logs the key fingerprint used; without it you can't tell which admin logged in after compromise.
  • ClientAliveInterval 120 + ClientAliveCountMax 2 — idle sessions die in 4 minutes. Lost laptops don't leave open shells.
  • AllowTcpForwarding no / PermitTunnel no — disables SSH-as-VPN. Enable per-use-case via Match User tunneluser only.

Modern KEX/Cipher/MAC lists (2026-04-21):

  • KEX: sntrup761x25519-sha512@openssh.com is post-quantum hybrid (default since OpenSSH 9.9) [VERIFIED https://www.openssh.com/releasenotes.html]; curve25519-sha256 is the classic ECDH.
  • Ciphers: AEAD only (chacha20-poly1305, aes*-gcm). Dropped CBC-mode — vulnerable to Terrapin CVE-2023-48795 without strict-KEX.
  • MACs: ETM (Encrypt-Then-MAC) only. Legacy MAC-Then-Encrypt is dropped.
  • HostKey: prefer ssh-ed25519; keep rsa-sha2-* for older client compatibility. Drop ssh-rsa (SHA-1, broken).

Verification (KeiSeiKit primitive): _primitives/_rust/ssh-check/ parses BOTH sshd_config AND every sshd_config.d/*.conf (in filename sort order, last wins per directive), reports violations of the matrix above with file:line precision. Run BEFORE every systemctl reload ssh and BEFORE the skill phase-5 verify gate.
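A minimal model of the ssh-check pass described above, added here as an illustration and not the KeiSeiKit primitive's own code: it merges the main file with its drop-ins in the read order given, records the file:line that last set each directive, skips conditional Match blocks, and reports violations against a subset of the matrix. The directive subset, the forbidden-family strings and the two sample configs are constructed for this example.

```rust
use std::collections::HashMap;
#[derive(Debug, Clone, PartialEq)]
pub struct Setting { pub value: String, pub file: String, pub line: usize } // value + file:line that set it
/// Merge (path, text) sources in read order (main file, then drop-ins in filename sort order,
/// last wins). Parsing stops at a file's first Match line: directives below it are conditional.
pub fn effective(sources: &[(&str, &str)]) -> HashMap<String, Setting> {
    let mut out = HashMap::new();
    for (path, text) in sources {
        for (i, raw) in text.lines().enumerate() {
            let line = raw.trim();
            if line.is_empty() || line.starts_with('#') { continue; }
            let (k, v) = match line.split_once([' ', '\t', '=']) { Some(p) => p, None => continue };
            if k.eq_ignore_ascii_case("match") { break; }
            out.insert(k.to_ascii_lowercase(), Setting { value: v.trim().into(), file: path.to_string(), line: i + 1 });
        }
    }
    out
}
// Constructed subset of the matrix above: exact values, and algorithm families no list may contain.
const EXACT: &[(&str, &str)] = &[
    ("passwordauthentication", "no"), ("permitrootlogin", "prohibit-password"),
    ("kbdinteractiveauthentication", "no"), ("allowtcpforwarding", "no"), ("loglevel", "VERBOSE"),
];
const FORBIDDEN: &[(&str, &str)] =
    &[("kexalgorithms", "diffie-hellman-group1-"), ("ciphers", "-cbc"), ("hostkeyalgorithms", "ssh-rsa")];
/// One "file:line: ..." string per violation; an unset directive counts too, since sshd's compiled-in default then applies.
pub fn audit(cfg: &HashMap<String, Setting>) -> Vec<String> {
    let mut v = Vec::new();
    for (k, want) in EXACT {
        match cfg.get(*k) {
            None => v.push(format!("missing: {k} (want {want})")),
            Some(s) if !s.value.eq_ignore_ascii_case(want) => v.push(format!("{}:{}: {k}={} (want {want})", s.file, s.line, s.value)),
            _ => {}
        }
    }
    for (k, bad) in FORBIDDEN {
        if let Some(s) = cfg.get(*k).filter(|s| s.value.split(',').any(|a| a.contains(*bad))) {
            v.push(format!("{}:{}: {k} lists forbidden family {bad}", s.file, s.line));
        }
    }
    v
}

/// Constructed sample, not a real host: the distro main file's permissive values are
/// overridden by a drop-in that forgets LogLevel and still lists a CBC cipher.
pub fn sample_run() -> Vec<String> {
    let main = "Include /etc/ssh/sshd_config.d/*.conf\nPasswordAuthentication yes\nPermitRootLogin yes\n";
    let dropin = "# hardened drop-in\nPasswordAuthentication no\nPermitRootLogin prohibit-password\nKbdInteractiveAuthentication no\nAllowTcpForwarding no\nCiphers aes256-gcm@openssh.com,aes256-cbc\nMatch User tunneluser\n  AllowTcpForwarding yes\n";
    audit(&effective(&[("/etc/ssh/sshd_config", main), ("99-kei.conf", dropin)]))
}
```

Note that the drop-in's Match block sets AllowTcpForwarding yes for one user without changing the reported global value, which is exactly the per-use-case pattern the rationale above allows.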

Forbidden: editing /etc/ssh/sshd_config in-place when a drop-in directory exists; PermitRootLogin yes; PasswordAuthentication yes; accepting any diffie-hellman-group1-* / ssh-rsa / CBC ciphers; restarting sshd before sshd -t passes; relying on fail2ban alone without key-only auth.