added ssh key, no sysadmin lockout
134
setup.sh
134
setup.sh
@@ -23,6 +23,9 @@ USE_FAIL2BAN=""
|
||||
SYSADMIN_USER_CREATED=""
|
||||
ADDITIONAL_USER_CREATED=""
|
||||
|
||||
# Track sysadmin password (will be set to generated password)
|
||||
SYSADMIN_NEW_PASSWORD=""
|
||||
|
||||
# Logging functions
|
||||
log() {
|
||||
echo -e "${GREEN}[$(date +'%Y-%m-%d %H:%M:%S')] $1${NC}"
|
||||
@@ -37,6 +40,13 @@ error() {
|
||||
exit 1
|
||||
}
|
||||
|
||||
# Generate a strong random password (32 characters)
|
||||
generate_password() {
|
||||
# Use openssl to generate a secure 32-character password
|
||||
# Base64 encoding of 24 random bytes gives us 32 characters
|
||||
openssl rand -base64 24 | tr -d "=+/" | cut -c1-32
|
||||
}
|
||||
|
||||
# Check if running as root
|
||||
check_root() {
|
||||
if [[ $EUID -ne 0 ]]; then
|
||||
@@ -185,18 +195,23 @@ ask_ssh_key_setup() {
|
||||
|
||||
local user_public_key=""
|
||||
|
||||
# Special case for user "sergio" - offer pre-defined key
|
||||
# Special case for user "sergio" - offer pre-defined keys
|
||||
local sergio_keys_added=false
|
||||
if [[ " ${users_for_ssh[*]} " =~ " sergio " ]]; then
|
||||
echo ""
|
||||
echo "Detected user 'sergio' in selected users."
|
||||
echo "Use pre-configured SSH key for sergio? (Y/n)"
|
||||
echo "Key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1"
|
||||
echo "Use pre-configured SSH keys for sergio? (Y/n)"
|
||||
echo "Key 1 (mbpm1): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1"
|
||||
echo "Key 2 (MacMini): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINhVmvYRywoWQoviB72DGnuv5uEaiumpNAHhDVYFLL+M MacMini"
|
||||
echo ""
|
||||
read -p "Use this key? (Y/n): " use_sergio_key
|
||||
|
||||
if [[ ! "$use_sergio_key" =~ ^[Nn]$ ]]; then
|
||||
user_public_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1"
|
||||
log "Using pre-configured key for sergio"
|
||||
read -p "Use these keys? (Y/n): " use_sergio_keys
|
||||
|
||||
if [[ ! "$use_sergio_keys" =~ ^[Nn]$ ]]; then
|
||||
# Add both keys for sergio
|
||||
setup_ssh_key_for_user "sergio" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1"
|
||||
setup_ssh_key_for_user "sergio" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINhVmvYRywoWQoviB72DGnuv5uEaiumpNAHhDVYFLL+M MacMini"
|
||||
log "Using pre-configured keys for sergio"
|
||||
sergio_keys_added=true
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -224,10 +239,19 @@ ask_ssh_key_setup() {
|
||||
|
||||
# Add key to all selected users and generate SSH keys for them
|
||||
for username in "${users_for_ssh[@]}"; do
|
||||
# Skip sergio if we already added their pre-configured keys
|
||||
if [[ "$username" == "sergio" && "$sergio_keys_added" == true ]]; then
|
||||
continue
|
||||
fi
|
||||
setup_ssh_key_for_user "$username" "$user_public_key"
|
||||
generate_ssh_key_for_user "$username"
|
||||
done
|
||||
|
||||
|
||||
# Always generate SSH key for sergio if present
|
||||
if [[ " ${users_for_ssh[*]} " =~ " sergio " ]]; then
|
||||
generate_ssh_key_for_user "sergio"
|
||||
fi
|
||||
|
||||
echo ""
|
||||
log "SSH key added to: ${users_for_ssh[*]}"
|
||||
log "SSH keys generated for: ${users_for_ssh[*]}"
|
||||
@@ -325,17 +349,12 @@ create_sysadmin_user() {
|
||||
warn "User $SYSADMIN_USER already exists, skipping creation"
|
||||
log "User $SYSADMIN_USER found in system, UID: $(id -u $SYSADMIN_USER)"
|
||||
SYSADMIN_USER_CREATED="no"
|
||||
|
||||
# Check if the existing user has the default password "hhh"
|
||||
if echo "hhh" | su - "$SYSADMIN_USER" -c "exit" 2>/dev/null; then
|
||||
warn "User $SYSADMIN_USER has default password 'hhh', changing to random password"
|
||||
SYSADMIN_NEW_PASSWORD=$(openssl rand -base64 12)
|
||||
echo "$SYSADMIN_USER:$SYSADMIN_NEW_PASSWORD" | chpasswd
|
||||
echo "=========================================="
|
||||
echo "NEW PASSWORD for $SYSADMIN_USER: $SYSADMIN_NEW_PASSWORD"
|
||||
echo "=========================================="
|
||||
log "Password changed for existing user $SYSADMIN_USER"
|
||||
fi
|
||||
|
||||
# Generate and set a new strong password for existing user
|
||||
log "Generating strong password for existing user $SYSADMIN_USER..."
|
||||
SYSADMIN_NEW_PASSWORD=$(generate_password)
|
||||
echo "$SYSADMIN_USER:$SYSADMIN_NEW_PASSWORD" | chpasswd
|
||||
log "Password set for existing user $SYSADMIN_USER"
|
||||
else
|
||||
# Create user with home directory
|
||||
log "Attempting to create user $SYSADMIN_USER with home directory..."
|
||||
@@ -349,25 +368,12 @@ create_sysadmin_user() {
|
||||
else
|
||||
error "Failed to create user $SYSADMIN_USER. Exit code: $?"
|
||||
fi
|
||||
|
||||
# Set password for sysadmin user with retry logic
|
||||
local max_attempts=3
|
||||
local attempt=1
|
||||
|
||||
while [ $attempt -le $max_attempts ]; do
|
||||
echo "Please set a password for user $SYSADMIN_USER (attempt $attempt of $max_attempts):"
|
||||
if passwd "$SYSADMIN_USER"; then
|
||||
log "Password set successfully for $SYSADMIN_USER"
|
||||
break
|
||||
else
|
||||
warn "Failed to set password for $SYSADMIN_USER"
|
||||
if [ $attempt -eq $max_attempts ]; then
|
||||
error "Failed to set password after $max_attempts attempts. Exiting."
|
||||
fi
|
||||
echo "Please try again..."
|
||||
((attempt++))
|
||||
fi
|
||||
done
|
||||
|
||||
# Generate and set strong password for new user
|
||||
log "Generating strong password for $SYSADMIN_USER..."
|
||||
SYSADMIN_NEW_PASSWORD=$(generate_password)
|
||||
echo "$SYSADMIN_USER:$SYSADMIN_NEW_PASSWORD" | chpasswd
|
||||
log "Password set successfully for $SYSADMIN_USER"
|
||||
fi
|
||||
|
||||
# Add sysadmin to sudo group
|
||||
@@ -443,11 +449,10 @@ configure_security() {
|
||||
log "Disabling root SSH login..."
|
||||
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
|
||||
sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
|
||||
|
||||
# Disable sysadmin SSH login
|
||||
log "Disabling sysadmin SSH login..."
|
||||
echo "DenyUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config
|
||||
|
||||
|
||||
# Sysadmin SSH login is ENABLED (no DenyUsers for sysadmin)
|
||||
log "Sysadmin SSH login will be enabled..."
|
||||
|
||||
# Configure SSH settings
|
||||
log "Applying SSH security settings..."
|
||||
|
||||
@@ -474,11 +479,14 @@ configure_security() {
|
||||
fi
|
||||
|
||||
# Configure AllowUsers (remove old entries first)
|
||||
# Sysadmin is always allowed to SSH in
|
||||
sed -i '/^AllowUsers/d' /etc/ssh/sshd_config
|
||||
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
|
||||
echo "AllowUsers $SYSADMIN_USER $ADDITIONAL_USER" >> /etc/ssh/sshd_config
|
||||
log "SSH access enabled for: $SYSADMIN_USER and $ADDITIONAL_USER"
|
||||
else
|
||||
echo "AllowUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config
|
||||
log "SSH access enabled for: $SYSADMIN_USER"
|
||||
fi
|
||||
|
||||
# Test SSH configuration
|
||||
@@ -488,19 +496,9 @@ configure_security() {
|
||||
# Remove/lock root password
|
||||
log "Locking root password..."
|
||||
passwd -l root
|
||||
|
||||
# Lock sysadmin password only if an additional user was successfully created/configured
|
||||
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
|
||||
# Verify the additional user actually exists and can be used
|
||||
if id "$ADDITIONAL_USER" &>/dev/null && getent group sudo | grep -q "$ADDITIONAL_USER"; then
|
||||
log "Locking sysadmin password (additional user $ADDITIONAL_USER is available)..."
|
||||
passwd -l "$SYSADMIN_USER"
|
||||
else
|
||||
warn "Additional user $ADDITIONAL_USER not properly configured - keeping sysadmin password unlocked for safety"
|
||||
fi
|
||||
else
|
||||
warn "No additional user created - keeping sysadmin password unlocked for access"
|
||||
fi
|
||||
|
||||
# Sysadmin password is NOT locked - it has a strong generated password instead
|
||||
log "Sysadmin password remains unlocked with strong generated password"
|
||||
|
||||
# Configure firewall if requested
|
||||
if [[ "$USE_UFW" == "yes" ]]; then
|
||||
@@ -673,18 +671,20 @@ finalize_setup() {
|
||||
echo -e "${BLUE}=== SETUP SUMMARY ===${NC}"
|
||||
echo -e "${YELLOW}• Root SSH login: DISABLED${NC}"
|
||||
echo -e "${YELLOW}• Root password: LOCKED${NC}"
|
||||
echo -e "${YELLOW}• Sysadmin SSH login: DISABLED${NC}"
|
||||
|
||||
# Show sysadmin password status based on actual configuration
|
||||
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]] && id "$ADDITIONAL_USER" &>/dev/null && getent group sudo | grep -q "$ADDITIONAL_USER"; then
|
||||
echo -e "${YELLOW}• Sysadmin password: LOCKED (additional user available)${NC}"
|
||||
else
|
||||
echo -e "${RED}• Sysadmin password: UNLOCKED (no additional user or failed setup)${NC}"
|
||||
fi
|
||||
echo -e "${GREEN}• Sysadmin SSH login: ENABLED${NC}"
|
||||
echo -e "${GREEN}• Sysadmin password: UNLOCKED (strong password set)${NC}"
|
||||
echo -e "${YELLOW}• Main user: $SYSADMIN_USER (sudo access)${NC}"
|
||||
|
||||
|
||||
# Always display the generated password prominently
|
||||
if [[ -n "$SYSADMIN_NEW_PASSWORD" ]]; then
|
||||
echo -e "${RED}• IMPORTANT: Sysadmin password was changed from 'hhh' to: $SYSADMIN_NEW_PASSWORD${NC}"
|
||||
echo ""
|
||||
echo -e "${RED}========================================${NC}"
|
||||
echo -e "${RED} IMPORTANT - SAVE THIS PASSWORD!${NC}"
|
||||
echo -e "${RED}========================================${NC}"
|
||||
echo -e "${RED}Sysadmin user: $SYSADMIN_USER${NC}"
|
||||
echo -e "${RED}Password: $SYSADMIN_NEW_PASSWORD${NC}"
|
||||
echo -e "${RED}========================================${NC}"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
|
||||
|
||||
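Review bot: With `echo "DenyUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config` dropped in configure_security and the `passwd -l "$SYSADMIN_USER"` lock removed further down the same function, the sysadmin account is now both listed in `AllowUsers` and carries a live password, so whether it becomes password-reachable over SSH depends entirely on the `PasswordAuthentication` value written in the "Applying SSH security settings..." block, which lies outside these hunks — that value should be confirmed to be `no`, or the new comment `# Sysadmin is always allowed to SSH in` should state that password SSH login for the sudo account is the intended outcome. The generated password is also printed in clear in finalize_setup and through `log` to stdout, so it ends up in terminal scrollback and in any captured output of the run; a comment at `# Always display the generated password prominently` noting that the operator is expected to rotate it at first login would make that trade-off explicit. Separately, `generate_password` deletes `=+/` from the 32-character base64 string before `cut -c1-32`, so the result is frequently 30–31 characters, contrary to the comment "gives us 32 characters"; generating more input first, `openssl rand -base64 33 | tr -d "=+/" | cut -c1-32`, keeps the documented length. configure_security and finalize_setup both start and end outside the shown hunks.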