41 changes: 40 additions & 1 deletion bbb-install.sh
Expand Up @@ -67,6 +67,7 @@ OPTIONS (install BigBlueButton):

-d Skip SSL certificates request (use provided certificates from mounted volume) in /local/certs/
-w Install UFW firewall (recommended)
-b Harden SSH access by specifying which ciphers to be used (recommended)

-j Allows the installation of BigBlueButton to proceed even if not all requirements [for production use] are met.
Note that not all requirements can be ignored. This is useful in development / testing / ci scenarios.
Expand Down Expand Up @@ -133,7 +134,7 @@ main() {

need_x64

while builtin getopts "hs:r:c:v:e:p:m:t:xgadwjik" opt "${@}"; do
while builtin getopts "hs:r:c:v:e:p:m:t:xgadwjikb" opt "${@}"; do

case $opt in
h)
Expand Down Expand Up @@ -227,6 +228,9 @@ main() {
i)
SKIP_APACHE_INSTALLED_CHECK=true
;;
b)
HARDEN_SSH=true
;;
:)
err "Missing option argument for -$OPTARG"
;;
Expand Down Expand Up @@ -374,6 +378,10 @@ main() {
setup_ufw
fi

if [ "$HARDEN_SSH" = true ]; then
harden_ssh
fi

if [ -n "$HOST" ]; then
bbb-conf --setip "$HOST"
else
Expand Down Expand Up @@ -1974,4 +1982,35 @@ HERE
fi
}

harden_ssh() {
say "Hardening SSH configuration..."

local SSH_HARDENING_FILE="/etc/ssh/sshd_config.d/99-hardened-ciphers.conf"

# Check if sshd_config includes the .d directory (Ubuntu 22.04 does by default)
if ! grep -q "^Include.*/etc/ssh/sshd_config.d/" /etc/ssh/sshd_config; then
say "Warning: /etc/ssh/sshd_config doesn't include sshd_config.d - adding include directive"
echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
fi

cat > "$SSH_HARDENING_FILE" <<HERE
# SSH Hardening - Applied by bbb-install.sh
# Modern ciphers, key exchange, and MACs only

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
HERE

# Validate before applying
if sshd -t; then
systemctl restart sshd
say "SSH hardening applied successfully"
else
say "SSH config validation failed - removing hardening file"
rm -f "$SSH_HARDENING_FILE"
err "SSH hardening failed - sshd config invalid"
fi
}

main "$@" || exit 1
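Review bot: Appending the Include directive to the end of sshd_config (the `echo ... >>` in harden_ssh) can silently defeat the hardening, because sshd keeps the first value it reads for each keyword, so any `Ciphers`/`KexAlgorithms`/`MACs` already present in the main file wins over the drop-in, and if the file happens to end in a `Match` block the appended Include lands inside it and is only applied conditionally. Insert it at the top instead, `sed -i '1i Include /etc/ssh/sshd_config.d/*.conf' /etc/ssh/sshd_config`, and create the directory first with `mkdir -p /etc/ssh/sshd_config.d`, since on a system that lacks the default Include the directory probably does not exist and the `cat >` would fail before `sshd -t` runs. For the same first-value-wins reason the `99-` prefix makes this the lowest-priority drop-in, so an earlier-sorting file (a cloud-init one, for example) could override these algorithm lists; a `00-` prefix may be what was intended. Note also that on validation failure only the drop-in is removed while an appended Include line is left behind.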