From 037a59039a171ac2fb1dbb96c0bc396e8562ec8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9rgio=20Barbosa?=
Date: Thu, 18 Sep 2025 00:30:12 +0100
Subject: [PATCH] Enhance setup script to check for existing sysadmin user password and change it if set to default. Disable SSH login for sysadmin and lock the sysadmin password for improved security during setup.
---
 setup.sh | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/setup.sh b/setup.sh
index 280e757..0e5333e 100755
--- a/setup.sh
+++ b/setup.sh
@@ -323,6 +323,17 @@ create_sysadmin_user() {
 if id "$SYSADMIN_USER" &>/dev/null; then
 warn "User $SYSADMIN_USER already exists, skipping creation"
 SYSADMIN_USER_CREATED="no"
+
+ # Check if the existing user has the default password "hhh"
+ if echo "hhh" | su - "$SYSADMIN_USER" -c "exit" 2>/dev/null; then
+ warn "User $SYSADMIN_USER has default password 'hhh', changing to random password"
+ local random_password=$(openssl rand -base64 12)
+ echo "$SYSADMIN_USER:$random_password" | chpasswd
+ echo "=========================================="
+ echo "NEW PASSWORD for $SYSADMIN_USER: $random_password"
+ echo "=========================================="
+ log "Password changed for existing user $SYSADMIN_USER"
+ fi
 else
 # Create user with home directory
 useradd -m -s /bin/bash "$SYSADMIN_USER"
@@ -399,6 +410,10 @@ configure_security() {
 sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
 sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
+ # Disable sysadmin SSH login
+ log "Disabling sysadmin SSH login..."
+ echo "DenyUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config
+
 # Configure SSH settings
 log "Applying SSH security settings..."
@@ -440,6 +455,10 @@ configure_security() {
 log "Locking root password..."
 passwd -l root
+ # Lock sysadmin password
+ log "Locking sysadmin password..."
+ passwd -l "$SYSADMIN_USER"
+
 # Configure firewall if requested
 if [[ "$USE_UFW" == "yes" ]]; then
 configure_ufw
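Review bot: The default-password probe `echo "hhh" | su - "$SYSADMIN_USER" -c "exit"` does not test the password when the script runs as root, which the surrounding `useradd` and `chpasswd` calls suggest. Root is normally let through `su` without authentication, so the branch would fire for every existing account and reset a password that was never the default. In the same block, `local random_password=$(openssl rand -base64 12)` masks an openssl failure, so an empty password could reach `chpasswd`; split it into `local random_password` and `random_password=$(openssl rand -base64 12) || return 1`. The new password is also printed to stdout in clear text, where it can end up in scrollback or a captured install log, and the last hunk of this patch locks the same account's password with `passwd -l`, so the printed value may not be usable at all. create_sysadmin_user continues outside the hunk.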
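Review bot: The added `echo "DenyUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config` appends unconditionally, so each re-run of setup.sh adds another copy. If the file ends in a `Match` block, the directive is scoped to that block instead of applying globally. Guard the append with `grep -qxF "DenyUsers $SYSADMIN_USER" /etc/ssh/sshd_config || echo "DenyUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config`, and place the directive ahead of any `Match` line. Whether the result is checked with `sshd -t` before the daemon is reloaded cannot be seen here; configure_security begins and ends outside the hunk.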
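Review bot: `passwd -l "$SYSADMIN_USER"` only disables password authentication; the account stays usable through other paths such as `su` from root, and the comment `# Lock sysadmin password` does not say which access path is meant to remain. If the account should be fully disabled, `usermod --expiredate 1 "$SYSADMIN_USER"` is the documented way. If it should stay reachable locally, say so in the comment, e.g. `# Lock password only; account stays reachable via su from an admin shell`. A locked password also makes password-prompting sudo unusable for this user, which may or may not be intended; the sudoers setup is not visible in this hunk. configure_security begins and ends outside the hunk.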