mirror of
https://github.com/webinstall/webi-installers.git
synced 2026-02-14 17:49:53 +00:00
98 lines
2.1 KiB
Markdown
98 lines
2.1 KiB
Markdown
---
|
|
title: SSH Prohibit Password
|
|
homepage: https://webinstall.dev/ssh-prohibit-password
|
|
tagline: |
|
|
SSH Prohibit Password: Because friends don't let friends ssh with passwords
|
|
linux: true
|
|
---
|
|
|
|
## Cheat Sheet
|
|
|
|
> Will check if your system This will check if your Modern SSH deployments are
|
|
> key-only and don't allow root login. However, there's a lot of legacy systems
|
|
> out there.
|
|
|
|
`ssh-harden` will
|
|
|
|
1. Check that some `/home/*/.ssh/authorized_keys` is non-empty
|
|
2. Check that `/etc/sudoers.d` is not empty
|
|
3. Optionally create a `sudoer` for a given user and group
|
|
4. Disable `root` login
|
|
5. Disable Password and Challenge login
|
|
|
|
```sh
|
|
USAGE
|
|
ssh-harden [username] [sudo-group]
|
|
|
|
EXAMPLES
|
|
|
|
sudo ssh-harden
|
|
sudo ssh-harden app
|
|
sudo ssh-harden "$(id -n -u)" wheel
|
|
```
|
|
|
|
### How to check for sudoers
|
|
|
|
```sh
|
|
sudo sh -c 'grep "^\w\+ ALL=" /etc/sudoers.d/*'
|
|
```
|
|
|
|
### How to check for authorized ssh users
|
|
|
|
**Quick 'n' Easy**
|
|
|
|
```sh
|
|
sudo sh -c "grep -E '^(ssh|ec)' /home/*/.ssh/authorized_keys" |
|
|
cut -d' ' -f3 |
|
|
sort -u
|
|
```
|
|
|
|
**Detailed**
|
|
|
|
```sh
|
|
my_authorized=''
|
|
for my_file in /home/*/.ssh/authorized_keys; do
|
|
# if no files match the glob becomes a literal string
|
|
if test "${my_file}" = '/home/*/.ssh/authorized_keys'; then
|
|
break
|
|
fi
|
|
|
|
echo "${my_file} authorizes:"
|
|
if ! grep -q -E '^(ssh|ec)' "${my_file}"; then
|
|
echo " (none, empty file)"
|
|
continue
|
|
fi
|
|
|
|
grep '^(ssh|ec)' "${my_file}" | cut -d' ' -f3 | while read -r my_comment; do
|
|
echo " ${my_comment}"
|
|
done
|
|
my_authorized='true'
|
|
done
|
|
|
|
if test -z "${my_authorized}"; then
|
|
echo >&2 ""
|
|
echo >&2 "ERROR"
|
|
echo >&2 " No authorized remote users found."
|
|
echo >&2 ""
|
|
exit 1
|
|
fi
|
|
```
|
|
|
|
### How to add passwordless sudoer
|
|
|
|
```sh
|
|
echo "app ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/app
|
|
```
|
|
|
|
How to copy allowed keys from root to the new user:
|
|
|
|
```sh
|
|
mkdir -p /home/app/.ssh/
|
|
chmod 0700 /home/app/.ssh/
|
|
|
|
cat "$HOME/.ssh/authorized_keys" >> /home/app/.ssh/authorized_keys
|
|
chmod 0600 /home/app/.ssh/authorized_keys
|
|
|
|
chown -R app:app /home/app/.ssh/
|
|
```
|