mirror of
https://github.com/webinstall/webi-installers.git
synced 2026-02-14 17:49:53 +00:00
| title | homepage | tagline | linux |
|---|---|---|---|
| SSH Prohibit Password | https://webinstall.dev/ssh-prohibit-password | SSH Prohibit Password: Because friends don't let friends ssh with passwords | true |
## Cheat Sheet

Modern SSH deployments are key-only and don't allow root login. However, there are a lot of legacy systems out there.

`ssh-harden` will

- Check that some `/home/*/.ssh/authorized_keys` is non-empty
- Check that `/etc/sudoers.d` is not empty
- Optionally create a `sudoer` for a given user and group
- Disable `root` login
- Disable Password and Challenge login
USAGE

```sh
ssh-harden [username] [sudo-group]
```

EXAMPLES

```sh
sudo ssh-harden
sudo ssh-harden app
sudo ssh-harden "$(id -n -u)" wheel
```
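To confirm that a run of `ssh-harden` actually left the daemon in the state listed above (no root login, no password or challenge login), here is an added check that is not part of the webi README or of the `ssh-harden` script itself. The function name, the keyword defaults and the first-value-wins parsing rule are assumptions taken from `sshd_config(5)`, not from the installer.

```sh
#!/bin/sh
# Added example (not from the webi README): verify the settings ssh-harden
# is meant to leave behind by reading sshd's configuration. Accepts either
# `sshd -T` output (effective values) or a plain sshd_config on stdin.

# Print one line per setting with ok/FAIL; return the number of settings
# that are not hardened (0 = all good).
ssh_check_hardening() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }          # Match blocks are per-connection; stop there
        !(key in seen) { seen[key] = 1; val[key] = tolower($2) }   # sshd keeps the FIRST value
        END {
            # defaults from sshd_config(5) for keywords the file never sets (assumed)
            if (!("passwordauthentication" in val)) val["passwordauthentication"] = "yes"
            if (!("kbdinteractiveauthentication" in val)) {
                # pre-8.7 spelling of the same keyword
                if ("challengeresponseauthentication" in val)
                    val["kbdinteractiveauthentication"] = val["challengeresponseauthentication"]
                else
                    val["kbdinteractiveauthentication"] = "yes"
            }
            if (!("permitrootlogin" in val)) val["permitrootlogin"] = "prohibit-password"
            n = split("permitrootlogin passwordauthentication kbdinteractiveauthentication", want, " ")
            bad = 0
            for (i = 1; i <= n; i++) {
                k = want[i]
                ok = (val[k] == "no")
                printf "%-32s %-18s %s\n", k, val[k], (ok ? "ok" : "FAIL")
                if (!ok) bad++
            }
            exit bad
        }
    '
}

# Check the running daemon: sshd -T prints the effective values, but it
# needs root to read the host keys.
ssh_check_live() {
    sudo sshd -T | ssh_check_hardening
}
```

Run `ssh_check_live` after `sudo ssh-harden`; a non-zero exit means at least one of the three settings still allows what the script was supposed to disable.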
### How to check for sudoers

```sh
sudo sh -c 'grep "^\w\+ ALL=" /etc/sudoers.d/*'
```
### How to check for authorized ssh users

Quick 'n' Easy

```sh
sudo sh -c "grep -E '^(ssh|ec)' /home/*/.ssh/authorized_keys" |
    cut -d' ' -f3 |
    sort -u
```
Detailed

```sh
my_authorized=''
for my_file in /home/*/.ssh/authorized_keys; do
    # if no files match, the glob stays a literal string
    if test "${my_file}" = '/home/*/.ssh/authorized_keys'; then
        break
    fi
    echo "${my_file} authorizes:"
    # only lines that start with a key type (ssh-*, ecdsa-*) count as keys
    if ! grep -q -E '^(ssh|ec)' "${my_file}"; then
        echo "    (none, empty file)"
        continue
    fi
    # the third space-separated field of an authorized_keys line is the comment
    grep -E '^(ssh|ec)' "${my_file}" | cut -d' ' -f3 | while read -r my_comment; do
        echo "    ${my_comment}"
    done
    my_authorized='true'
done
if test -z "${my_authorized}"; then
    echo >&2 ""
    echo >&2 "ERROR"
    echo >&2 "    No authorized remote users found."
    echo >&2 ""
    exit 1
fi
```
### How to add passwordless sudoer

```sh
echo "app ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/app
```

### How to copy allowed keys from root to the new user

```sh
mkdir -p /home/app/.ssh/
chmod 0700 /home/app/.ssh/
cat "$HOME/.ssh/authorized_keys" >> /home/app/.ssh/authorized_keys
chmod 0600 /home/app/.ssh/authorized_keys
chown -R app:app /home/app/.ssh/
```