Del-c.net/debian-first-boot-setup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added ssh key, no sysadmin lockout

Browse Source
This commit is contained in:
Sérgio
2025-11-13 21:47:28 +00:00
parent 10e9129ed4
commit 88e79d6229
1 changed files with 67 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

134
setup.sh
View File

@@ -23,6 +23,9 @@ USE_FAIL2BAN=""
SYSADMIN_USER_CREATED="" SYSADMIN_USER_CREATED=""
ADDITIONAL_USER_CREATED="" ADDITIONAL_USER_CREATED=""
# Track sysadmin password (will be set to generated password)
SYSADMIN_NEW_PASSWORD=""
# Logging functions # Logging functions
log() { log() {
echo -e "${GREEN}[$(date +'%Y-%m-%d %H:%M:%S')] $1${NC}" echo -e "${GREEN}[$(date +'%Y-%m-%d %H:%M:%S')] $1${NC}"
@@ -37,6 +40,13 @@ error() {
exit 1 exit 1
} }
# Generate a strong random password (32 characters)
generate_password() {
# Use openssl to generate a secure 32-character password
# Base64 encoding of 24 random bytes gives us 32 characters
openssl rand -base64 24 | tr -d "=+/" | cut -c1-32
}
# Check if running as root # Check if running as root
check_root() { check_root() {
if [[ $EUID -ne 0 ]]; then if [[ $EUID -ne 0 ]]; then
@@ -185,18 +195,23 @@ ask_ssh_key_setup() {
local user_public_key="" local user_public_key=""
# Special case for user "sergio" - offer pre-defined key # Special case for user "sergio" - offer pre-defined keys
local sergio_keys_added=false
if [[ " ${users_for_ssh[*]} " =~ " sergio " ]]; then if [[ " ${users_for_ssh[*]} " =~ " sergio " ]]; then
echo "" echo ""
echo "Detected user 'sergio' in selected users." echo "Detected user 'sergio' in selected users."
echo "Use pre-configured SSH key for sergio? (Y/n)" echo "Use pre-configured SSH keys for sergio? (Y/n)"
echo "Key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1" echo "Key 1 (mbpm1): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1"
echo "Key 2 (MacMini): ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINhVmvYRywoWQoviB72DGnuv5uEaiumpNAHhDVYFLL+M MacMini"
echo "" echo ""
read -p "Use this key? (Y/n): " use_sergio_key read -p "Use these keys? (Y/n): " use_sergio_keys
if [[ ! "$use_sergio_key" =~ ^[Nn]$ ]]; then if [[ ! "$use_sergio_keys" =~ ^[Nn]$ ]]; then
user_public_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1" # Add both keys for sergio
log "Using pre-configured key for sergio" setup_ssh_key_for_user "sergio" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYyuGSa2wswiiObp2qj30MoiNRyFdBIBciFSbtrkZ8 mbpm1"
setup_ssh_key_for_user "sergio" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINhVmvYRywoWQoviB72DGnuv5uEaiumpNAHhDVYFLL+M MacMini"
log "Using pre-configured keys for sergio"
sergio_keys_added=true
fi fi
fi fi
@@ -224,10 +239,19 @@ ask_ssh_key_setup() {
# Add key to all selected users and generate SSH keys for them # Add key to all selected users and generate SSH keys for them
for username in "${users_for_ssh[@]}"; do for username in "${users_for_ssh[@]}"; do
# Skip sergio if we already added their pre-configured keys
if [[ "$username" == "sergio" && "$sergio_keys_added" == true ]]; then
continue
fi
setup_ssh_key_for_user "$username" "$user_public_key" setup_ssh_key_for_user "$username" "$user_public_key"
generate_ssh_key_for_user "$username" generate_ssh_key_for_user "$username"
done done
# Always generate SSH key for sergio if present
if [[ " ${users_for_ssh[*]} " =~ " sergio " ]]; then
generate_ssh_key_for_user "sergio"
fi
echo "" echo ""
log "SSH key added to: ${users_for_ssh[*]}" log "SSH key added to: ${users_for_ssh[*]}"
log "SSH keys generated for: ${users_for_ssh[*]}" log "SSH keys generated for: ${users_for_ssh[*]}"
@@ -325,17 +349,12 @@ create_sysadmin_user() {
warn "User $SYSADMIN_USER already exists, skipping creation" warn "User $SYSADMIN_USER already exists, skipping creation"
log "User $SYSADMIN_USER found in system, UID: $(id -u $SYSADMIN_USER)" log "User $SYSADMIN_USER found in system, UID: $(id -u $SYSADMIN_USER)"
SYSADMIN_USER_CREATED="no" SYSADMIN_USER_CREATED="no"
# Check if the existing user has the default password "hhh" # Generate and set a new strong password for existing user
if echo "hhh" | su - "$SYSADMIN_USER" -c "exit" 2>/dev/null; then log "Generating strong password for existing user $SYSADMIN_USER..."
warn "User $SYSADMIN_USER has default password 'hhh', changing to random password" SYSADMIN_NEW_PASSWORD=$(generate_password)
SYSADMIN_NEW_PASSWORD=$(openssl rand -base64 12) echo "$SYSADMIN_USER:$SYSADMIN_NEW_PASSWORD" | chpasswd
echo "$SYSADMIN_USER:$SYSADMIN_NEW_PASSWORD" | chpasswd log "Password set for existing user $SYSADMIN_USER"
echo "=========================================="
echo "NEW PASSWORD for $SYSADMIN_USER: $SYSADMIN_NEW_PASSWORD"
echo "=========================================="
log "Password changed for existing user $SYSADMIN_USER"
fi
else else
# Create user with home directory # Create user with home directory
log "Attempting to create user $SYSADMIN_USER with home directory..." log "Attempting to create user $SYSADMIN_USER with home directory..."
@@ -349,25 +368,12 @@ create_sysadmin_user() {
else else
error "Failed to create user $SYSADMIN_USER. Exit code: $?" error "Failed to create user $SYSADMIN_USER. Exit code: $?"
fi fi
# Set password for sysadmin user with retry logic # Generate and set strong password for new user
local max_attempts=3 log "Generating strong password for $SYSADMIN_USER..."
local attempt=1 SYSADMIN_NEW_PASSWORD=$(generate_password)
echo "$SYSADMIN_USER:$SYSADMIN_NEW_PASSWORD" | chpasswd
while [ $attempt -le $max_attempts ]; do log "Password set successfully for $SYSADMIN_USER"
echo "Please set a password for user $SYSADMIN_USER (attempt $attempt of $max_attempts):"
if passwd "$SYSADMIN_USER"; then
log "Password set successfully for $SYSADMIN_USER"
break
else
warn "Failed to set password for $SYSADMIN_USER"
if [ $attempt -eq $max_attempts ]; then
error "Failed to set password after $max_attempts attempts. Exiting."
fi
echo "Please try again..."
((attempt++))
fi
done
fi fi
# Add sysadmin to sudo group # Add sysadmin to sudo group
@@ -443,11 +449,10 @@ configure_security() {
log "Disabling root SSH login..." log "Disabling root SSH login..."
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
# Disable sysadmin SSH login # Sysadmin SSH login is ENABLED (no DenyUsers for sysadmin)
log "Disabling sysadmin SSH login..." log "Sysadmin SSH login will be enabled..."
echo "DenyUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config
# Configure SSH settings # Configure SSH settings
log "Applying SSH security settings..." log "Applying SSH security settings..."
@@ -474,11 +479,14 @@ configure_security() {
fi fi
# Configure AllowUsers (remove old entries first) # Configure AllowUsers (remove old entries first)
# Sysadmin is always allowed to SSH in
sed -i '/^AllowUsers/d' /etc/ssh/sshd_config sed -i '/^AllowUsers/d' /etc/ssh/sshd_config
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
echo "AllowUsers $SYSADMIN_USER $ADDITIONAL_USER" >> /etc/ssh/sshd_config echo "AllowUsers $SYSADMIN_USER $ADDITIONAL_USER" >> /etc/ssh/sshd_config
log "SSH access enabled for: $SYSADMIN_USER and $ADDITIONAL_USER"
else else
echo "AllowUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config echo "AllowUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config
log "SSH access enabled for: $SYSADMIN_USER"
fi fi
# Test SSH configuration # Test SSH configuration
@@ -488,19 +496,9 @@ configure_security() {
# Remove/lock root password # Remove/lock root password
log "Locking root password..." log "Locking root password..."
passwd -l root passwd -l root
# Lock sysadmin password only if an additional user was successfully created/configured # Sysadmin password is NOT locked - it has a strong generated password instead
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then log "Sysadmin password remains unlocked with strong generated password"
# Verify the additional user actually exists and can be used
if id "$ADDITIONAL_USER" &>/dev/null && getent group sudo | grep -q "$ADDITIONAL_USER"; then
log "Locking sysadmin password (additional user $ADDITIONAL_USER is available)..."
passwd -l "$SYSADMIN_USER"
else
warn "Additional user $ADDITIONAL_USER not properly configured - keeping sysadmin password unlocked for safety"
fi
else
warn "No additional user created - keeping sysadmin password unlocked for access"
fi
# Configure firewall if requested # Configure firewall if requested
if [[ "$USE_UFW" == "yes" ]]; then if [[ "$USE_UFW" == "yes" ]]; then
@@ -673,18 +671,20 @@ finalize_setup() {
echo -e "${BLUE}=== SETUP SUMMARY ===${NC}" echo -e "${BLUE}=== SETUP SUMMARY ===${NC}"
echo -e "${YELLOW}• Root SSH login: DISABLED${NC}" echo -e "${YELLOW}• Root SSH login: DISABLED${NC}"
echo -e "${YELLOW}• Root password: LOCKED${NC}" echo -e "${YELLOW}• Root password: LOCKED${NC}"
echo -e "${YELLOW}• Sysadmin SSH login: DISABLED${NC}" echo -e "${GREEN}• Sysadmin SSH login: ENABLED${NC}"
echo -e "${GREEN}• Sysadmin password: UNLOCKED (strong password set)${NC}"
# Show sysadmin password status based on actual configuration
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]] && id "$ADDITIONAL_USER" &>/dev/null && getent group sudo | grep -q "$ADDITIONAL_USER"; then
echo -e "${YELLOW}• Sysadmin password: LOCKED (additional user available)${NC}"
else
echo -e "${RED}• Sysadmin password: UNLOCKED (no additional user or failed setup)${NC}"
fi
echo -e "${YELLOW}• Main user: $SYSADMIN_USER (sudo access)${NC}" echo -e "${YELLOW}• Main user: $SYSADMIN_USER (sudo access)${NC}"
# Always display the generated password prominently
if [[ -n "$SYSADMIN_NEW_PASSWORD" ]]; then if [[ -n "$SYSADMIN_NEW_PASSWORD" ]]; then
echo -e "${RED}• IMPORTANT: Sysadmin password was changed from 'hhh' to: $SYSADMIN_NEW_PASSWORD${NC}" echo ""
echo -e "${RED}========================================${NC}"
echo -e "${RED} IMPORTANT - SAVE THIS PASSWORD!${NC}"
echo -e "${RED}========================================${NC}"
echo -e "${RED}Sysadmin user: $SYSADMIN_USER${NC}"
echo -e "${RED}Password: $SYSADMIN_NEW_PASSWORD${NC}"
echo -e "${RED}========================================${NC}"
echo ""
fi fi
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then