Update 8 files

- /home/.chezmoiscripts/darwin/run_onchange_after_10-configure-macos.tmpl
- /home/.chezmoidata.yaml
- /home/dot_ssh/system/sshd_config.tmpl
- /home/dot_ssh/system/banner
- /home/dot_ssh/system/run_onchanges_after_sshd.tmpl
- /home/dot_ssh/fail2ban/jail.local.tmpl
- /home/.chezmoi.yaml.tmpl
- /software.yml

home/.chezmoi.yaml.tmpl

@@ -137,6 +137,10 @@ data:
     dns:
       primary: 10.0.0.1#dns.megabyte.space
       secondary: 1.1.1.1#cloudflare-dns.com
+    ssh:
+      allowTCPForwarding: no
+      allowUsers: {{ output "echo" "$USER" }}
+      port: 2214
     vpn:
       excludedSubnets:
         - 10.0.0.0/24

home/.chezmoidata.yaml

@@ -19,6 +19,7 @@ colors:
   color14: '#EB71AD'
   color15: '#24E5FF'
   color16: '#FFFFFF'
+macosRemoteLogin: 'on'
 themeparkTheme: aquamarine
 config:
   gpg: https://raw.githubusercontent.com/drduh/config/master/gpg.conf
@@ -638,6 +639,8 @@ softwareGroups:
     - ruby
   SSH: &SSH
     - assh
+    - fail2ban
+    - openssh-server
     - skm
     - ssh-vault
     - sshpass

home/.chezmoiscripts/darwin/run_onchange_after_10-configure-macos.tmpl

@@ -12,6 +12,9 @@ sudo echo "Sudo access granted."
 # Log commands
 set +x
 
+# Enable SSH access
+sudo systemsetup -setremotelogin {{ .macosRemoteLogin }}
+
 # Close any open System Preferences panes, to prevent them from overriding
 # settings we’re about to change
 osascript -e 'tell application "System Preferences" to quit'

home/dot_ssh/fail2ban/jail.local.tmpl

@@ -0,0 +1,4 @@
+[sshd]
+enabled = true
+port    = {{ .host.ssh.port }}
+filter  = sshd

home/dot_ssh/system/banner

@@ -0,0 +1,5 @@
+WARNING! Authorized use only. Your IP address has been logged.
+
+If you choose to ignore this warning and discover a vulnerability
+that you can explain how to remediate, then please contact brian@megabyte.space
+for a bounty.

home/dot_ssh/system/run_onchanges_after_sshd.tmpl

@@ -0,0 +1,35 @@
+{{- if ne .host.distro.family "windows" }}
+#!/usr/bin/env bash
+
+### Update /etc/ssh/sshd_config if environment is not WSL
+if [[ ! "$(grep Microsoft /proc/version)" ]]; then
+    if [ -d /etc/ssh ]; then
+        logg info 'Copying ~/.ssh/system/banner to /etc/ssh/banner'
+        sudo cp -f "$HOME/.ssh/system/banner" /etc/ssh/banner
+
+        logg info 'Copying ~/.ssh/system/sshd_config to /etc/ssh/sshd_config'
+        sudo cp -f "$HOME/.ssh/system/sshd_config" /etc/ssh/sshd_config
+
+        ### Restart SSH server
+        if [ -d /Applications ] && [ -d /System ]; then
+            # macOS
+            logg info 'Running `sudo launchctl stop com.openssh.sshd`'
+            sudo launchctl stop com.openssh.sshd
+            logg info 'Running `sudo launchctl start com.openssh.sshd`'
+            sudo launchctl start com.openssh.sshd
+        else
+            # Linux
+            logg info 'Enabling the `sshd` service'
+            sudo systemctl enable sshd
+            logg info 'Restarting the `sshd` service'
+            
+            sudo service sshd restart
+        fi
+    else
+        logg warn 'The /etc/ssh folder does not exist'
+    fi
+else
+    logg info 'Skipping sshd_config application since environment is WSL'
+fi
+
+{{ end -}}

home/dot_ssh/system/sshd_config.tmpl

@@ -0,0 +1,131 @@
+# TODO - Figure out difference between /private/etc/ssh and /etc/ssh on macOS
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port {{ .host.ssh.port }}
+AddressFamily inet
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+### Host keys
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+### Ciphers and keyring
+#RekeyLimit default none
+
+### Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+### Authentication
+LoginGraceTime 60
+{{ if ne .host.distro.family "windows" }}
+PermitRootLogin no
+{{ else }}
+DenyGroups Administrators
+{{ end }}
+AllowUsers {{ .host.ssh.allowUsers }}
+#StrictModes yes
+MaxAuthTries 3
+#MaxSessions 10
+
+AuthenticationMethods publickey
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+{{ if ne .host.distro.family "windows" }}
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+{{ end }}
+
+# GSSAPI options
+GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+{{ if ne .host.distro.family "windows" }}
+#AllowAgentForwarding yes
+AllowTcpForwarding {{ .host.ssh.allowTCPForwarding }}
+
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+ClientAliveInterval 60
+ClientAliveCountMax 3
+UseDNS no
+# Experiment with this
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# pass locale information
+AcceptEnv LANG LC_*
+
+# no default banner path
+Banner /etc/ssh/banner
+
+# override default of no subsystems
+# TODO - Figure out how to detect the sftp path to place here. i.e. replicate the following Ansible logic
+# using Go templating:
+# - name: Find the path of the sftp-server executable
+#  find:
+#    paths: /usr
+#    file_type: file
+#    patterns: '*sftp-server'
+#    recurse: true
+#  register: sftp_executable
+#Subsystem sftp {/{ sftp_executable.files[0].path | default('internal-sftp') }/}
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+{{ end }}

software.yml

@@ -8275,6 +8275,21 @@ softwarePackages:
       - docker-ce
       - docker-ce-cli
       - docker-compose-plugin
+  openssh-server:
+    _service: sshd
+    _when: '! "$(grep Microsoft /proc/version)"'
+    apt: openssh-server
+    dnf: openssh-server
+    pacman: openssh
+  fail2ban:
+    _service: fail2ban
+    # fail2ban cannot be installed on Qubes Fedora 36 without messing with the qubes-firewall since firewalld is required
+    _when: '! command -v qubes-firewall > /dev/null && ! "$(grep Microsoft /proc/version)"'
+    apt: fail2ban
+    brew: fail2ban
+    dnf: fail2ban
+    pacman: fail2ban
+    port: fail2ban
   boringtun:
     _bin: boringtun-cli
     _desc: BoringTun is an implementation of the WireGuard® protocol designed for portability and speed.