Trimble-tech / Hardening-DietPi

Creates more secure security settings for DietPi Linux.
GNU General Public License v3.0

Additional ideas #2

Open mrbluecoat opened 1 month ago

mrbluecoat commented 1 month ago

Thanks for putting this together. Thoughts about including some of the advice at https://www.reddit.com/r/dietpi/comments/ap658g/guide_security_hardened_dietpi_system/

mrbluecoat commented 1 month ago

P.S. If you're going to enforce encryption keys for SSH, perhaps consider replacing Dropbear with TinySSH.

Trimble-tech commented 1 month ago

These seem like good ideas; the guide in particular does point out some of the more obtainable protocols recommended in CIS. Modifying /tmp and fstab probably won't be considered as these could break DietPi, but other ideas like networking and kernel setup I'll test manually and then look to add in.

Regarding SSH, I'd like to stick with options the DietPi project supports for compatibility but may test TinySSH and see if it is stable for enough use cases. If so, I might ask for it to be added to DietPi first. This way, there is less need to convert user keys or reconfigure clients, as it is more likely to be the server installed at system creation.

As the options grow, I think this project will use fewer yes/no prompts and more flags like --filesystem or --network. Alternatively, a config file in YAML or even text may be good, in a similar way to the DietPi installer files in /boot/. Either way, thanks for the feedback and I look to further develop this project soon.