github/vim-ale
1
0
Fork 0
mirror of https://github.com/webinstall/webi-installers.git synced 2026-02-14 17:49:53 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
vim-ale/ssh-harden/ssh-harden.complex
AJ ONeal 3a574392f0 feat: add sshd-prohibit-password
2023-06-09 23:38:50 +00:00

183 lines
6.4 KiB
Bash
Raw Permalink Blame History

#!/bin/sh
set -e
set -u
# There are two important use cases:
# 1. Run as 'root', for the 'app' (or specified) user
# 2. Run as a sudoer, for self
fn_check_as_root() { (
my_admin="${1:-}"
if ! command -v sudo > /dev/null; then
echo ""
echo "WARNING"
echo " 'sudo' is not installed."
echo " '${my_admin}' MUST be able to login via the 'root' password."
echo ""
else
my_admin_is_sudoer=''
if grep -q "^${my_admin} ALL=" /etc/sudoers; then
my_admin_is_sudoer='true'
elif test -e /etc/sudoers.d; then
if grep -q "^${my_admin} ALL=" /etc/sudoers.d/*; then
my_admin_is_sudoer='true'
fi
fi
echo ""
echo "ERROR"
echo " '${my_admin}' is NOT a sudoer"
echo ""
echo "SOLUTION"
echo " mkdir -p /etc/sudoers.d"
echo " chmod 0700 /etc/sudoers.d"
echo " echo '${my_admin} ALL=(ALL:ALL) NOPASSWD: ALL' | "
echo " tee '/etc/sudoers.d/${my_admin}'"
echo ""
fi
); }
fn_check_as_sudoer() { (
echo
); }
main() {
echo ""
echo "IMPORTANT"
echo ""
echo "READ CAREFULLY (or get LOCKED OUT)"
echo ""
my_user_id="$(id -u)"
if test "0" = "${my_user_id}"; then
fn_check_as_root ${1:-app}
else
fn_check_as_sudoer
fi
my_username="$(id -u -n)"
my_sudo_user="${1:-${my_username}}"
my_sudo_exists=''
my_sudo=''
if command -v sudo > /dev/null; then
my_sudo_exists='true'
my_sudo="sudo"
fi
my_root=''
if test "$(id -u)" = "0"; then
my_root='true'
my_sudo=''
fi
my_authorized_exists=''
echo ''
echo "All authorized users:"
if ! $my_sudo sh -c 'ls /home/*/.ssh/authorized_keys' > /devl/null 2>&1; then
echo " (none)"
else
$my_sudo sh -c "grep -E '^(ssh|ec)' /home/*/.ssh/authorized_keys" |
cut -d' ' -f3 |
sort -u |
while read -r my_comment; do
echo " ${my_comment}"
my_authorized_exists='true'
done
fi
my_sudoer_exists=''
echo ''
echo "All sudoers:"
if test -z "${my_sudo_exists}"; then
echo ' (sudo not installed)'
else
{
$my_sudo sh -c "grep -E '(sudo|wheel):' /etc/gshadow" |
cut -d':' -f4 |
tr ',' '\n'
#$my_sudo sh -c "grep '^%\?\w\+ ALL=' /etc/sudoers /etc/sudoers.d/*" |
$my_sudo sh -c "grep '^\w\+ ALL=' /etc/sudoers /etc/sudoers.d/*" |
cut -d':' -f2 |
cut -d' ' -f1
} |
grep -v root |
sort -u |
while read -r my_sudoer; do
my_sudoer_exists='true'
echo " ${my_sudoer}"
done
fi
#adduser "$my_new_user" sudo || adduser "$my_new_user" wheel
echo "$my_new_user ALL=(ALL:ALL) NOPASSWD: ALL" | tee "/etc/sudoers.d/$my_new_user"
# allow users who can already login as 'root' to login as 'app'
mkdir -p "/home/$my_new_user/.ssh/"
chmod 0700 "/home/$my_new_user/.ssh/"
echo "${my_keys}" >> "/home/$my_new_user/.ssh/authorized_keys"
chmod 0600 "/home/$my_new_user/.ssh/authorized_keys"
touch "/home/$my_new_user/.ssh/config"
chmod 0644 "/home/$my_new_user/.ssh/config"
chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/"
# ensure that 'app' has an SSH Keypair
sudo -i -u "$my_new_user" sh -c "ssh-keygen -b 2048 -t rsa -f '/home/$my_new_user/.ssh/id_rsa' -q -N ''"
chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/"
# Install webi for the new 'app' user
WEBI_HOST=${WEBI_HOST:-"https://webinstall.dev"}
sudo -i -u "$my_new_user" sh -c "curl -fsSL '$WEBI_HOST/webi' | sh" ||
sudo -i -u "$my_new_user" sh -c "wget -q -O - '$WEBI_HOST/webi' | sh"
# TODO ensure that ssh-password login is off
my_pass="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config)"
my_pam=""
if [ "Darwin" = "$(uname -s)" ]; then
# Turn off PAM for macOS or it will allow password login
my_pam="$(grep 'UsePAM yes' /etc/ssh/sshd_config)"
fi
if [ -n "${my_pass}" ] || [ -n "${my_pam}" ]; then
echo "######################################################################"
echo "# #"
echo "# WARNING #"
echo "# #"
echo "# Found /etc/ssh/sshd_config: #"
if [ -n "${my_pass}" ]; then
echo "# PasswordAuthentication yes #"
fi
if [ -n "${my_pam}" ]; then
echo "# UsePAM yes #"
fi
echo "# #"
echo "# This is EXTREMELY DANGEROUS and insecure. #"
echo "# We'll attempt to fix this now... #"
echo "# #"
sed -i 's/#\?PasswordAuthentication \(yes\|no\)/PasswordAuthentication no/' \
/etc/ssh/sshd_config
sed -i 's/#\?UsePAM \(yes\|no\)/UsePAM no/' \
/etc/ssh/sshd_config
if grep "PasswordAuthentication yes" /etc/ssh/sshd_config; then
echo "# FAILED. Please check /etc/ssh/sshd_config manually. #"
else
echo "# Fixed... HOWEVER, you'll need to manually restart ssh: #"
echo "# #"
echo "# sudo systemctl restart ssh #"
echo "# #"
echo "# (you may want to make sure you can login as the new user first) #"
fi
echo "# #"
echo "######################################################################"
fi
echo "Created user '${my_new_user}' as sudoer with a random password."
echo "(set a new password with 'password ${my_new_user}')"
}
main "${1:-app}" "${2:-}"
Reference in New Issue View Git Blame Copy Permalink