Enhance SSH configuration in setup script with safer settings and backup restoration. Add recovery instructions for broken SSH service to README. Improve logging and error handling during SSH service restart.

2025-09-05 13:01:40 +01:00
parent c1951eec11
commit 84ff4b318e
3 changed files with 179 additions and 35 deletions
--- a/setup.sh
+++ b/setup.sh
@@ -315,42 +315,57 @@ configure_security() {
    sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
    sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
    
-    # Configure SSH settings (remove old custom settings first)
+    # Configure SSH settings safely
    log "Applying SSH security settings..."
    
-    # Remove previous custom settings to avoid duplicates
-    sed -i '/^Protocol 2$/d' /etc/ssh/sshd_config
-    sed -i '/^PasswordAuthentication /d' /etc/ssh/sshd_config
-    sed -i '/^PubkeyAuthentication /d' /etc/ssh/sshd_config
-    sed -i '/^PermitEmptyPasswords /d' /etc/ssh/sshd_config
-    sed -i '/^X11Forwarding /d' /etc/ssh/sshd_config
-    sed -i '/^MaxAuthTries /d' /etc/ssh/sshd_config
-    sed -i '/^ClientAliveInterval /d' /etc/ssh/sshd_config
-    sed -i '/^ClientAliveCountMax /d' /etc/ssh/sshd_config
-    sed -i '/^AllowUsers /d' /etc/ssh/sshd_config
+    # Backup original sshd_config
+    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.$(date +%Y%m%d_%H%M%S)
    
-    # Add current settings
-    {
-        echo "Protocol 2"
-        if [[ "$DISABLE_SSH_PASSWORD" == "yes" ]]; then
-            echo "PasswordAuthentication no"
-            log "SSH password authentication disabled"
-        else
-            echo "PasswordAuthentication yes"
-            log "SSH password authentication enabled"
-        fi
-        echo "PubkeyAuthentication yes"
-        echo "PermitEmptyPasswords no"
-        echo "X11Forwarding no"
-        echo "MaxAuthTries 3"
-        echo "ClientAliveInterval 300"
-        echo "ClientAliveCountMax 2"
-        if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
-            echo "AllowUsers $SYSADMIN_USER $ADDITIONAL_USER"
-        else
-            echo "AllowUsers $SYSADMIN_USER"
-        fi
-    } >> /etc/ssh/sshd_config
+    # Configure PasswordAuthentication
+    if [[ "$DISABLE_SSH_PASSWORD" == "yes" ]]; then
+        sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+        log "SSH password authentication disabled"
+    else
+        sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
+        log "SSH password authentication enabled"
+    fi
+    
+    # Configure other SSH settings more safely
+    sed -i 's/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
+    sed -i 's/^#*PermitEmptyPasswords.*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
+    sed -i 's/^#*X11Forwarding.*/X11Forwarding no/' /etc/ssh/sshd_config
+    sed -i 's/^#*MaxAuthTries.*/MaxAuthTries 3/' /etc/ssh/sshd_config
+    
+    # Add settings that might not exist
+    if ! grep -q "^ClientAliveInterval" /etc/ssh/sshd_config; then
+        echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config
+    else
+        sed -i 's/^#*ClientAliveInterval.*/ClientAliveInterval 300/' /etc/ssh/sshd_config
+    fi
+    
+    if ! grep -q "^ClientAliveCountMax" /etc/ssh/sshd_config; then
+        echo "ClientAliveCountMax 2" >> /etc/ssh/sshd_config
+    else
+        sed -i 's/^#*ClientAliveCountMax.*/ClientAliveCountMax 2/' /etc/ssh/sshd_config
+    fi
+    
+    # Configure AllowUsers (remove old entries first)
+    sed -i '/^AllowUsers/d' /etc/ssh/sshd_config
+    if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
+        echo "AllowUsers $SYSADMIN_USER $ADDITIONAL_USER" >> /etc/ssh/sshd_config
+    else
+        echo "AllowUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config
+    fi
+    
+    # Test SSH configuration before proceeding
+    log "Testing SSH configuration..."
+    if ! sshd -t; then
+        error "SSH configuration is invalid! Restoring backup..."
+        mv /etc/ssh/sshd_config.backup.$(date +%Y%m%d_%H%M%S) /etc/ssh/sshd_config
+        exit 1
+    fi
+    
+    log "SSH configuration is valid"
    
    # Remove/lock root password
    log "Locking root password..."
@@ -625,9 +640,22 @@ show_ssh_setup_summary() {

 ### === CLEANUP AND FINALIZATION === ###
 finalize_setup() {
-    # Restart SSH service
+    # Restart SSH service safely
    log "Restarting SSH service..."
-    systemctl restart sshd
+    if ! systemctl restart sshd; then
+        error "Failed to restart SSH service! Check configuration and try again."
+        log "You can restore SSH configuration from backup if needed:"
+        log "ls /etc/ssh/sshd_config.backup.*"
+        exit 1
+    fi
+    
+    # Verify SSH service is running
+    if ! systemctl is-active --quiet sshd; then
+        error "SSH service is not running after restart!"
+        exit 1
+    fi
+    
+    log "SSH service restarted successfully"
    
    # Clean up
    log "Cleaning up..."