From 0da94e88dafae5da368332963d1626937108a568 Mon Sep 17 00:00:00 2001
From: Anton Georgiev
Date: Tue, 17 Feb 2026 14:29:55 -0500
Subject: [PATCH 1/4] feat: Add a section to enforce stronger ciphers for SSH
---
 bbb-install.sh | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/bbb-install.sh b/bbb-install.sh
index d5f7444..85e4423 100644
--- a/bbb-install.sh
+++ b/bbb-install.sh
@@ -128,6 +128,7 @@ main() {
 NGINX_FILES_DEST=/usr/share/bigbluebutton/nginx
 IMAGE_MAGICK_DIR=/etc/ImageMagick-6
 OVERWRITE_IMAGE_MAGICK_POLICY=true
+ HARDEN_SSH=true
 CR_TMPFILE=$(mktemp /tmp/carriage-return.XXXXXX)
 printf '\n' > "$CR_TMPFILE"
@@ -374,6 +375,10 @@ main() {
 setup_ufw
 fi
+ if [ "$HARDEN_SSH" = true ]; then
+ harden_ssh
+ fi
+
 if [ -n "$HOST" ]; then
 bbb-conf --setip "$HOST"
 else
@@ -1974,4 +1979,35 @@ HERE
 fi
 }
+harden_ssh() {
+ say "Hardening SSH configuration..."
+
+ local SSH_HARDENING_FILE="/etc/ssh/sshd_config.d/99-hardened-ciphers.conf"
+
+ # Check if sshd_config includes the .d directory (Ubuntu 22.04 does by default)
+ if ! grep -q "^Include.*/etc/ssh/sshd_config.d/" /etc/ssh/sshd_config; then
+ say "Warning: /etc/ssh/sshd_config doesn't include sshd_config.d - adding include directive"
+ echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
+ fi
+
+ cat > "$SSH_HARDENING_FILE" <
Date: Tue, 17 Feb 2026 15:52:32 -0500
Subject: [PATCH 2/4] harden_ssh to be opt-in
---
 bbb-install.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/bbb-install.sh b/bbb-install.sh
index 85e4423..7a23b65 100644
--- a/bbb-install.sh
+++ b/bbb-install.sh
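Review bot: Appending `Include /etc/ssh/sshd_config.d/*.conf` to the end of `/etc/ssh/sshd_config` in the harden_ssh hunk does not guarantee the new drop-in takes effect, because sshd keeps the first value it obtains for each keyword, so any `Ciphers`, `MACs` or `KexAlgorithms` already set earlier in the main file (or in a drop-in that sorts before `99-`) silently overrides the hardened list while the installer still reports success. The Include should be placed at the top of the file instead, e.g. `sed -i '1i Include /etc/ssh/sshd_config.d/*.conf' /etc/ssh/sshd_config`, and the function should confirm the effective values with `sshd -T | grep -Ei '^(ciphers|macs|kexalgorithms) '` and run `sshd -t` before any restart so a malformed drop-in cannot lock the operator out of the host. The grep guard is also case-sensitive although sshd keywords are not, so a pre-existing lowercase `include` line would be missed and a duplicate appended. The heredoc body and the rest of harden_ssh are cut off in this chunk, so the cipher list itself and whether sshd is reloaded afterwards could not be reviewed.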
@@ -67,6 +67,7 @@ OPTIONS (install BigBlueButton):
 -d Skip SSL certificates request (use provided certificates from mounted volume) in /local/certs/
 -w Install UFW firewall (recommended)
+ -b Harden SSH access by specifying which ciphers to be used
 -j Allows the installation of BigBlueButton to proceed even if not all requirements [for production use] are met. Note that not all requirements can be ignored. This is useful in development / testing / ci scenarios.
@@ -128,7 +129,6 @@ main() {
 NGINX_FILES_DEST=/usr/share/bigbluebutton/nginx
 IMAGE_MAGICK_DIR=/etc/ImageMagick-6
 OVERWRITE_IMAGE_MAGICK_POLICY=true
- HARDEN_SSH=true
 CR_TMPFILE=$(mktemp /tmp/carriage-return.XXXXXX)
 printf '\n' > "$CR_TMPFILE"
@@ -228,6 +228,9 @@ main() {
 i)
 SKIP_APACHE_INSTALLED_CHECK=true
 ;;
+ b)
+ HARDEN_SSH=true
+ ;;
 :)
 err "Missing option argument for -$OPTARG"
 ;;
From 9637ffd842f719d252794b005611ead1e4c72c5a Mon Sep 17 00:00:00 2001
From: Anton Georgiev
Date: Tue, 17 Feb 2026 15:54:17 -0500
Subject: [PATCH 3/4] Update bbb-install.sh
---
 bbb-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bbb-install.sh b/bbb-install.sh
index 7a23b65..35e8909 100644
--- a/bbb-install.sh
+++ b/bbb-install.sh
@@ -67,7 +67,7 @@ OPTIONS (install BigBlueButton):
 -d Skip SSL certificates request (use provided certificates from mounted volume) in /local/certs/
 -w Install UFW firewall (recommended)
- -b Harden SSH access by specifying which ciphers to be used
+ -b Harden SSH access by specifying which ciphers to be used (recommended)
 -j Allows the installation of BigBlueButton to proceed even if not all requirements [for production use] are met. Note that not all requirements can be ignored. This is useful in development / testing / ci scenarios.
From 9b3bb66dc1b308357275c59ce07bebecb07e9db9 Mon Sep 17 00:00:00 2001
From: Anton Georgiev
Date: Tue, 17 Feb 2026 15:55:06 -0500
Subject: [PATCH 4/4] Update bbb-install.sh
---
 bbb-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bbb-install.sh b/bbb-install.sh
index 35e8909..1ed95aa 100644
--- a/bbb-install.sh
+++ b/bbb-install.sh
@@ -134,7 +134,7 @@ main() {
 need_x64
- while builtin getopts "hs:r:c:v:e:p:m:t:xgadwjik" opt "${@}"; do
+ while builtin getopts "hs:r:c:v:e:p:m:t:xgadwjikb" opt "${@}"; do
 case $opt in
 h)