From 88e79d6229b93ce03f53eff6825d0546bee4b878 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9rgio=20Barbosa?=
Date: Thu, 13 Nov 2025 21:47:28 +0000
Subject: [PATCH] added ssh key, no sysadmin lockout

---
 setup.sh | 134 +++++++++++++++++++++++++++----------------------------
 1 file changed, 67 insertions(+), 67 deletions(-)

diff --git a/setup.sh b/setup.sh
index 93e6830..705bfb4 100755
--- a/setup.sh
+++ b/setup.sh
@@ -23,6 +23,9 @@ USE_FAIL2BAN=""
 SYSADMIN_USER_CREATED=""
 ADDITIONAL_USER_CREATED=""
 
+# Track sysadmin password (will be set to generated password)
+SYSADMIN_NEW_PASSWORD=""
+
 # Logging functions
 log() {
     echo -e "${GREEN}[$(date +'%Y-%m-%d %H:%M:%S')] $1${NC}"
@@ -37,6 +40,13 @@ error() {
     exit 1
 }
 
+# Generate a strong random password (32 characters)
+generate_password() {
+    # Use openssl to generate a secure 32-character password
+    # Base64 encoding of 24 random bytes gives us 32 characters
+    openssl rand -base64 24 | tr -d "=+/" | cut -c1-32
+}
+
 # Check if running as root
 check_root() {
     if [[ $EUID -ne 0 ]]; then
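Review bot: `generate_password` in the second hunk cannot deliver the 32 characters its comments promise and gives callers no failure signal: `tr -d "=+/"` strips every `+` and `/` that `openssl rand -base64 24` produced, so the result is usually shorter than 32 and the trailing `cut -c1-32` is a no-op, and when `openssl` is absent or fails the function prints an empty string with the exit status of `cut` (0), which the callers in this commit pipe into `chpasswd` as the account password. Generating from an encoding that needs no filtering and failing on a short result lets call sites write `SYSADMIN_NEW_PASSWORD=$(generate_password) || error "password generation failed"`. The first hunk only declares the variable and needs nothing.
```shell
generate_password() {
    # 32 hex characters = 128 bits of entropy; hex needs no character filtering
    local pw
    pw=$(openssl rand -hex 16) || return 1
    [[ ${#pw} -eq 32 ]] || return 1
    printf '%s\n' "$pw"
}
```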
@@ -185,18 +195,23 @@ ask_ssh_key_setup() {
 
     local user_public_key=""
 
-    # Special case for user "sergio" - offer pre-defined key
+    # Special case for user "sergio" - offer pre-defined keys
+    local sergio_keys_added=false
     if [[ " ${users_for_ssh[*]} " =~ " sergio " ]]; then
         echo ""
         echo "Detected user 'sergio' in selected users."
-        echo "Use pre-configured SSH key for sergio? (Y/n)"
-        echo "Key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1"
+        echo "Use pre-configured SSH keys for sergio? (Y/n)"
+        echo "Key 1 (mbpm1): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1"
+        echo "Key 2 (MacMini): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINhVmvYRywoWQoviB72DGnuv5uEaiumpNAHhDVYFLL+M MacMini"
         echo ""
-        read -p "Use this key? (Y/n): " use_sergio_key
-
-        if [[ ! "$use_sergio_key" =~ ^[Nn]$ ]]; then
-            user_public_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1"
-            log "Using pre-configured key for sergio"
+        read -p "Use these keys? (Y/n): " use_sergio_keys
+
+        if [[ ! "$use_sergio_keys" =~ ^[Nn]$ ]]; then
+            # Add both keys for sergio
+            setup_ssh_key_for_user "sergio" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1"
+            setup_ssh_key_for_user "sergio" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINhVmvYRywoWQoviB72DGnuv5uEaiumpNAHhDVYFLL+M MacMini"
+            log "Using pre-configured keys for sergio"
+            sergio_keys_added=true
         fi
     fi
 
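Review bot: An empty answer — and therefore any non-interactive run where stdin is closed or redirected — passes the `! "$use_sergio_keys" =~ ^[Nn]$` test and installs both hard-coded public keys into sergio's authorized_keys, so the keys of one specific person are deployed by default on every host this script is run on. Something that grants login should be opt-in: `read -r -p "Use these keys? (y/N): " use_sergio_keys` and `if [[ "$use_sergio_keys" =~ ^[Yy]$ ]]; then`. `setup_ssh_key_for_user` is now called twice for the same user but is defined outside the hunk, so I cannot tell whether it appends to or replaces the file; if it replaces, only the MacMini key survives.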
@@ -224,10 +239,19 @@ ask_ssh_key_setup() {
 
     # Add key to all selected users and generate SSH keys for them
     for username in "${users_for_ssh[@]}"; do
+        # Skip sergio if we already added their pre-configured keys
+        if [[ "$username" == "sergio" && "$sergio_keys_added" == true ]]; then
+            continue
+        fi
         setup_ssh_key_for_user "$username" "$user_public_key"
         generate_ssh_key_for_user "$username"
     done
-
+
+    # Always generate SSH key for sergio if present
+    if [[ " ${users_for_ssh[*]} " =~ " sergio " ]]; then
+        generate_ssh_key_for_user "sergio"
+    fi
+
     echo ""
     log "SSH key added to: ${users_for_ssh[*]}"
     log "SSH keys generated for: ${users_for_ssh[*]}"
@@ -325,17 +349,12 @@ create_sysadmin_user() {
         warn "User $SYSADMIN_USER already exists, skipping creation"
         log "User $SYSADMIN_USER found in system, UID: $(id -u $SYSADMIN_USER)"
         SYSADMIN_USER_CREATED="no"
-
-        # Check if the existing user has the default password "hhh"
-        if echo "hhh" | su - "$SYSADMIN_USER" -c "exit" 2>/dev/null; then
-            warn "User $SYSADMIN_USER has default password 'hhh', changing to random password"
-            SYSADMIN_NEW_PASSWORD=$(openssl rand -base64 12)
-            echo "$SYSADMIN_USER:$SYSADMIN_NEW_PASSWORD" | chpasswd
-            echo "=========================================="
-            echo "NEW PASSWORD for $SYSADMIN_USER: $SYSADMIN_NEW_PASSWORD"
-            echo "=========================================="
-            log "Password changed for existing user $SYSADMIN_USER"
-        fi
+
+        # Generate and set a new strong password for existing user
+        log "Generating strong password for existing user $SYSADMIN_USER..."
+        SYSADMIN_NEW_PASSWORD=$(generate_password)
+        echo "$SYSADMIN_USER:$SYSADMIN_NEW_PASSWORD" | chpasswd
+        log "Password set for existing user $SYSADMIN_USER"
     else
         # Create user with home directory
         log "Attempting to create user $SYSADMIN_USER with home directory..."
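Review bot: When sergio is in `users_for_ssh` but declines the pre-configured keys, `sergio_keys_added` stays false, so the loop already runs `generate_ssh_key_for_user "sergio"` and the post-loop `if [[ " ${users_for_ssh[*]} " =~ " sergio " ]]` runs it a second time; whether that overwrites the freshly created key or prompts depends on `generate_ssh_key_for_user`, which is outside the hunk. The post-loop call should key off the skip flag rather than list membership: `if [[ "$sergio_keys_added" == true ]]; then`. The closing `log "SSH key added to: ${users_for_ssh[*]}"` is also no longer accurate for sergio in the skip case, since `$user_public_key` was never added for that user.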
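Review bot: In the second hunk `SYSADMIN_NEW_PASSWORD=$(generate_password)` is piped straight into `chpasswd` without checking that anything was generated, so a failing or absent `openssl` sets an empty password on a sudo-capable account that this same commit also opens to SSH; the new-user branch at `@@ -349,25 +368,12` has the identical pattern. Guard both with `[[ -n "$SYSADMIN_NEW_PASSWORD" ]] || error "Password generation failed for $SYSADMIN_USER, refusing to set an empty password"` before the `chpasswd` line. Separately, the removed code rotated an existing admin's password only when it was the known default, whereas the new code rotates it on every run and reveals the value only in `finalize_setup`; any `error` exit between here and the summary leaves an account whose password nobody knows, so either record the value at the point of generation (a root-only, mode 0600 file) or keep the rotation conditional.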
@@ -349,25 +368,12 @@ create_sysadmin_user() {
         else
             error "Failed to create user $SYSADMIN_USER. Exit code: $?"
         fi
-
-        # Set password for sysadmin user with retry logic
-        local max_attempts=3
-        local attempt=1
-
-        while [ $attempt -le $max_attempts ]; do
-            echo "Please set a password for user $SYSADMIN_USER (attempt $attempt of $max_attempts):"
-            if passwd "$SYSADMIN_USER"; then
-                log "Password set successfully for $SYSADMIN_USER"
-                break
-            else
-                warn "Failed to set password for $SYSADMIN_USER"
-                if [ $attempt -eq $max_attempts ]; then
-                    error "Failed to set password after $max_attempts attempts. Exiting."
-                fi
-                echo "Please try again..."
-                ((attempt++))
-            fi
-        done
+
+        # Generate and set strong password for new user
+        log "Generating strong password for $SYSADMIN_USER..."
+        SYSADMIN_NEW_PASSWORD=$(generate_password)
+        echo "$SYSADMIN_USER:$SYSADMIN_NEW_PASSWORD" | chpasswd
+        log "Password set successfully for $SYSADMIN_USER"
     fi
 
     # Add sysadmin to sudo group
@@ -443,11 +449,10 @@ configure_security() {
     log "Disabling root SSH login..."
     sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
     sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
-
-    # Disable sysadmin SSH login
-    log "Disabling sysadmin SSH login..."
-    echo "DenyUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config
-
+
+    # Sysadmin SSH login is ENABLED (no DenyUsers for sysadmin)
+    log "Sysadmin SSH login will be enabled..."
+
     # Configure SSH settings
     log "Applying SSH security settings..."
 
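Review bot: In the second hunk, dropping the `echo "DenyUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config` line does not undo it on hosts provisioned by the previous version of this script: that run appended the directive, and sshd evaluates `DenyUsers` before `AllowUsers`, so on a re-run the stale entry still blocks `$SYSADMIN_USER` while the new log line and the summary report SSH as enabled. Remove it explicitly next to the new comment, mirroring the `sed -i '/^AllowUsers/d'` cleanup in the following hunk: `sed -i "/^DenyUsers[[:space:]]\{1,\}$SYSADMIN_USER\$/d" /etc/ssh/sshd_config`. Since this account is now reachable over SSH and has a password rather than a lock, the "SSH security settings" applied just below (outside the hunk) should be checked to confirm password authentication is disabled once a key is in place.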
@@ -474,11 +479,14 @@ configure_security() {
     fi
 
     # Configure AllowUsers (remove old entries first)
+    # Sysadmin is always allowed to SSH in
     sed -i '/^AllowUsers/d' /etc/ssh/sshd_config
     if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
         echo "AllowUsers $SYSADMIN_USER $ADDITIONAL_USER" >> /etc/ssh/sshd_config
+        log "SSH access enabled for: $SYSADMIN_USER and $ADDITIONAL_USER"
     else
         echo "AllowUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config
+        log "SSH access enabled for: $SYSADMIN_USER"
     fi
 
     # Test SSH configuration
@@ -488,19 +496,9 @@ configure_security() {
     # Remove/lock root password
     log "Locking root password..."
     passwd -l root
-
-    # Lock sysadmin password only if an additional user was successfully created/configured
-    if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
-        # Verify the additional user actually exists and can be used
-        if id "$ADDITIONAL_USER" &>/dev/null && getent group sudo | grep -q "$ADDITIONAL_USER"; then
-            log "Locking sysadmin password (additional user $ADDITIONAL_USER is available)..."
-            passwd -l "$SYSADMIN_USER"
-        else
-            warn "Additional user $ADDITIONAL_USER not properly configured - keeping sysadmin password unlocked for safety"
-        fi
-    else
-        warn "No additional user created - keeping sysadmin password unlocked for access"
-    fi
+
+    # Sysadmin password is NOT locked - it has a strong generated password instead
+    log "Sysadmin password remains unlocked with strong generated password"
 
     # Configure firewall if requested
     if [[ "$USE_UFW" == "yes" ]]; then
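Review bot: In the second hunk the new `log "Sysadmin password remains unlocked with strong generated password"` asserts a state that nothing verifies, whereas the removed branch at least checked `id` and the sudo group before relying on an account. With root locked on the line above, this account is the primary way back in, so confirm it is actually usable: `[[ "$(passwd -S "$SYSADMIN_USER" | awk '{print $2}')" == "P" ]] || error "$SYSADMIN_USER has no usable password; refusing to continue"` — on shadow-utils systems the second field of `passwd -S` is `P` for a usable password, `NP` for none and `L` for locked. Running that check before `passwd -l root` rather than after would avoid locking root when the sysadmin account turns out not to be usable.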
@@ -673,18 +671,20 @@ finalize_setup() {
     echo -e "${BLUE}=== SETUP SUMMARY ===${NC}"
     echo -e "${YELLOW}• Root SSH login: DISABLED${NC}"
     echo -e "${YELLOW}• Root password: LOCKED${NC}"
-    echo -e "${YELLOW}• Sysadmin SSH login: DISABLED${NC}"
-
-    # Show sysadmin password status based on actual configuration
-    if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]] && id "$ADDITIONAL_USER" &>/dev/null && getent group sudo | grep -q "$ADDITIONAL_USER"; then
-        echo -e "${YELLOW}• Sysadmin password: LOCKED (additional user available)${NC}"
-    else
-        echo -e "${RED}• Sysadmin password: UNLOCKED (no additional user or failed setup)${NC}"
-    fi
+    echo -e "${GREEN}• Sysadmin SSH login: ENABLED${NC}"
+    echo -e "${GREEN}• Sysadmin password: UNLOCKED (strong password set)${NC}"
     echo -e "${YELLOW}• Main user: $SYSADMIN_USER (sudo access)${NC}"
-
+
+    # Always display the generated password prominently
     if [[ -n "$SYSADMIN_NEW_PASSWORD" ]]; then
-        echo -e "${RED}• IMPORTANT: Sysadmin password was changed from 'hhh' to: $SYSADMIN_NEW_PASSWORD${NC}"
+        echo ""
+        echo -e "${RED}========================================${NC}"
+        echo -e "${RED} IMPORTANT - SAVE THIS PASSWORD!${NC}"
+        echo -e "${RED}========================================${NC}"
+        echo -e "${RED}Sysadmin user: $SYSADMIN_USER${NC}"
+        echo -e "${RED}Password: $SYSADMIN_NEW_PASSWORD${NC}"
+        echo -e "${RED}========================================${NC}"
+        echo ""
     fi
 
     if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
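Review bot: The summary now prints the generated password in clear text whenever `SYSADMIN_NEW_PASSWORD` is set, which after this commit is every run, so anything capturing the script's output (`tee` to a log, a provisioning tool's job log, terminal scrollback) retains a sudo-capable credential indefinitely. If the value must be shown, write it to the terminal only (`printf '%s\n' "$SYSADMIN_NEW_PASSWORD" > /dev/tty`) and expire it on first use with `chage -d 0 "$SYSADMIN_USER"` so the operator has to choose a new password at the first login. The `Sysadmin SSH login: ENABLED` and `Sysadmin password: UNLOCKED (strong password set)` lines are also unconditional now, so unlike the removed `id`/`getent` check they no longer reflect what `configure_security` actually did.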