Add SSH security configuration options to setup script. Implement user prompts for disabling SSH password authentication and setting up SSH keys. Enhance logging and user feedback during the SSH key setup process, including checks for existing keys in authorized_keys.

2025-09-05 12:55:28 +01:00
parent 9ce963b1b7
commit c1951eec11

289
setup.sh

@@ -18,6 +18,8 @@ CREATE_ADDITIONAL_USER=""
ADDITIONAL_USER=""
USE_UFW=""
USE_FAIL2BAN=""
DISABLE_SSH_PASSWORD=""
SETUP_SSH_KEYS=""
# Logging functions
log() {
@@ -114,6 +116,55 @@ ask_additional_user() {
fi
}
# Ask user about SSH security preferences
ask_ssh_security() {
echo ""
echo -e "${BLUE}=== SSH Security Configuration ===${NC}"
echo "This script can disable SSH password authentication for enhanced security."
echo ""
echo -e "${YELLOW}⚠️ WARNING: Disabling password authentication means you can ONLY log in with SSH keys!${NC}"
echo "If you lose your SSH keys, you could be locked out of the server."
echo ""
echo -e "${YELLOW}Consider keeping password authentication if:${NC}"
echo "• This is your first time setting up SSH keys"
echo "• You don't have a reliable way to store SSH keys"
echo "• You need emergency access options"
echo ""
read -p "Disable SSH password authentication? (y/N): " disable_password_choice
if [[ "$disable_password_choice" =~ ^[Yy]$ ]]; then
DISABLE_SSH_PASSWORD="yes"
log "SSH password authentication will be disabled"
echo ""
echo -e "${BLUE}=== SSH Key Setup ===${NC}"
echo "Since password authentication will be disabled, you'll need SSH keys to connect."
echo "You need to add YOUR computer's SSH public key to the server."
echo ""
read -p "Add your SSH public key to authorized_keys for login? (Y/n): " setup_keys_choice
if [[ "$setup_keys_choice" =~ ^[Nn]$ ]]; then
SETUP_SSH_KEYS="no"
warn "SSH keys will NOT be set up automatically"
warn "You MUST manually add your public key to authorized_keys files after setup"
else
SETUP_SSH_KEYS="yes"
log "You will be prompted to paste your SSH public key"
fi
else
DISABLE_SSH_PASSWORD="no"
SETUP_SSH_KEYS="no"
log "SSH password authentication will remain enabled"
echo ""
read -p "Still want to add your SSH public key for convenient access? (Y/n): " add_keys_choice
if [[ ! "$add_keys_choice" =~ ^[Nn]$ ]]; then
SETUP_SSH_KEYS="yes"
log "You will be prompted to paste your SSH public key"
fi
fi
}
# Ask user about firewall preferences
ask_firewall_preferences() {
echo ""
@@ -264,11 +315,30 @@ configure_security() {
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
# Additional SSH hardening
# Configure SSH settings (remove old custom settings first)
log "Applying SSH security settings..."
# Remove previous custom settings to avoid duplicates
sed -i '/^Protocol 2$/d' /etc/ssh/sshd_config
sed -i '/^PasswordAuthentication /d' /etc/ssh/sshd_config
sed -i '/^PubkeyAuthentication /d' /etc/ssh/sshd_config
sed -i '/^PermitEmptyPasswords /d' /etc/ssh/sshd_config
sed -i '/^X11Forwarding /d' /etc/ssh/sshd_config
sed -i '/^MaxAuthTries /d' /etc/ssh/sshd_config
sed -i '/^ClientAliveInterval /d' /etc/ssh/sshd_config
sed -i '/^ClientAliveCountMax /d' /etc/ssh/sshd_config
sed -i '/^AllowUsers /d' /etc/ssh/sshd_config
# Add current settings
{
echo "Protocol 2"
echo "PasswordAuthentication no"
if [[ "$DISABLE_SSH_PASSWORD" == "yes" ]]; then
echo "PasswordAuthentication no"
log "SSH password authentication disabled"
else
echo "PasswordAuthentication yes"
log "SSH password authentication enabled"
fi
echo "PubkeyAuthentication yes"
echo "PermitEmptyPasswords no"
echo "X11Forwarding no"
@@ -412,8 +482,9 @@ EOF
}
configure_fail2ban() {
log "Configuring fail2ban..."
cat > /etc/fail2ban/jail.local << EOF
if [[ "$USE_FAIL2BAN" == "yes" ]]; then
log "Configuring fail2ban..."
cat > /etc/fail2ban/jail.local << EOF
[DEFAULT]
bantime = 1h
findtime = 10m
@@ -427,38 +498,80 @@ logpath = /var/log/auth.log
maxretry = 3
bantime = 1h
EOF
# Start and enable fail2ban
systemctl enable fail2ban
systemctl start fail2ban
log "Fail2ban configured and started"
# Start and enable fail2ban
systemctl enable fail2ban
systemctl start fail2ban
log "Fail2ban configured and started"
else
# Remove/disable fail2ban if user chose not to use it
if systemctl is-active --quiet fail2ban; then
log "Stopping and disabling fail2ban..."
systemctl stop fail2ban
systemctl disable fail2ban
fi
if dpkg -l | grep -q fail2ban; then
log "Removing fail2ban package..."
apt remove --purge -y fail2ban
apt autoremove -y
fi
log "Fail2ban has been removed/disabled"
fi
}
### === SSH KEY GENERATION === ###
generate_ssh_keys() {
echo "[+] Please enter your email for the SSH keys:"
read -p "Enter your email: " user_email
# Generate SSH key for sysadmin user
generate_user_ssh_key "$SYSADMIN_USER" "$user_email"
# Generate SSH key for additional user if created
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
generate_user_ssh_key "$ADDITIONAL_USER" "$user_email"
### === SSH KEY SETUP === ###
setup_user_ssh_keys() {
if [[ "$SETUP_SSH_KEYS" == "no" ]]; then
log "SSH key setup skipped"
return
fi
# Generate SSH key for root user
generate_root_ssh_key "$user_email"
echo ""
echo -e "${BLUE}=== SSH Public Key Setup ===${NC}"
echo "To set up SSH key authentication, you need to provide your SSH public key."
echo "You can find your public key on your computer by running:"
echo -e "${YELLOW} cat ~/.ssh/id_rsa.pub${NC}"
echo -e "${YELLOW} # or${NC}"
echo -e "${YELLOW} cat ~/.ssh/id_ed25519.pub${NC}"
echo ""
echo "If you don't have an SSH key pair, generate one on your computer first:"
echo -e "${YELLOW} ssh-keygen -t ed25519 -C \"your_email@example.com\"${NC}"
echo ""
while true; do
echo "Please paste your SSH public key (starts with ssh-rsa, ssh-ed25519, etc.):"
read -r user_public_key
if [[ -z "$user_public_key" ]]; then
echo -e "${RED}Public key cannot be empty. Please try again.${NC}"
continue
elif [[ "$user_public_key" =~ ^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-) ]]; then
break
else
echo -e "${RED}Invalid SSH public key format. Please ensure you copied the entire key.${NC}"
continue
fi
done
# Add SSH key to sysadmin user
setup_ssh_key_for_user "$SYSADMIN_USER" "$user_public_key"
# Add SSH key to additional user if created
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
setup_ssh_key_for_user "$ADDITIONAL_USER" "$user_public_key"
fi
}
generate_user_ssh_key() {
setup_ssh_key_for_user() {
local username="$1"
local user_email="$2"
local public_key="$2"
local user_home="/home/$username"
local ssh_dir="$user_home/.ssh"
local ssh_key="$ssh_dir/id_ed25519"
local authorized_keys="$ssh_dir/authorized_keys"
log "Setting up SSH key for user: $username"
@@ -468,96 +581,45 @@ generate_user_ssh_key() {
sudo -u "$username" chmod 700 "$ssh_dir"
fi
if [ ! -f "$ssh_key.pub" ]; then
log "Generating SSH key for $username..."
# Generate SSH key as user
sudo -u "$username" ssh-keygen -t ed25519 -C "$user_email" -f "$ssh_key" -N ""
# Set proper permissions
sudo -u "$username" chmod 600 "$ssh_key"
sudo -u "$username" chmod 644 "$ssh_key.pub"
log "SSH key generated successfully for $username"
# Add public key to authorized_keys
log "Adding public key to authorized_keys for $username..."
# Check if key already exists in authorized_keys
if [ -f "$authorized_keys" ] && grep -Fxq "$public_key" "$authorized_keys"; then
warn "SSH key already exists in authorized_keys for $username"
else
warn "SSH key already exists for $username"
echo "$public_key" | sudo -u "$username" tee -a "$authorized_keys" > /dev/null
sudo -u "$username" chmod 600 "$authorized_keys"
log "Public key added to authorized_keys for $username"
fi
}
generate_root_ssh_key() {
local user_email="$1"
local root_ssh_dir="/root/.ssh"
local root_ssh_key="$root_ssh_dir/id_ed25519"
log "Setting up SSH key for root user"
# Create .ssh directory for root if it doesn't exist
if [ ! -d "$root_ssh_dir" ]; then
mkdir -p "$root_ssh_dir"
chmod 700 "$root_ssh_dir"
fi
if [ ! -f "$root_ssh_key.pub" ]; then
log "Generating SSH key for root..."
# Generate SSH key as root
ssh-keygen -t ed25519 -C "$user_email" -f "$root_ssh_key" -N ""
# Set proper permissions
chmod 600 "$root_ssh_key"
chmod 644 "$root_ssh_key.pub"
log "SSH key generated successfully for root"
else
warn "SSH key already exists for root"
fi
}
show_ssh_keys() {
local sysadmin_home="/home/$SYSADMIN_USER"
local sysadmin_ssh_key="$sysadmin_home/.ssh/id_ed25519.pub"
local root_ssh_key="/root/.ssh/id_ed25519.pub"
echo ""
echo -e "${BLUE}=== SSH PUBLIC KEYS ===${NC}"
echo "Add the following public keys to your Git server and any other systems:"
echo ""
echo -e "${YELLOW}SYSADMIN USER ($SYSADMIN_USER) SSH KEY:${NC}"
echo "----------------------------------------"
cat "$sysadmin_ssh_key"
echo "----------------------------------------"
echo ""
# Show additional user SSH key if created
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
local additional_home="/home/$ADDITIONAL_USER"
local additional_ssh_key="$additional_home/.ssh/id_ed25519.pub"
echo -e "${YELLOW}ADDITIONAL USER ($ADDITIONAL_USER) SSH KEY:${NC}"
echo "----------------------------------------"
cat "$additional_ssh_key"
echo "----------------------------------------"
show_ssh_setup_summary() {
if [[ "$SETUP_SSH_KEYS" == "yes" ]]; then
echo ""
echo -e "${GREEN}✓ SSH key authentication has been set up for:${NC}"
echo " - User: $SYSADMIN_USER"
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
echo " - User: $ADDITIONAL_USER"
fi
echo ""
echo -e "${YELLOW}Your SSH public key has been added to authorized_keys files.${NC}"
echo "You can now connect using your SSH private key."
elif [[ "$DISABLE_SSH_PASSWORD" == "yes" ]]; then
echo ""
echo -e "${RED}⚠️ SSH password authentication is DISABLED${NC}"
echo -e "${YELLOW}You MUST add your SSH public key manually:${NC}"
echo ""
echo "1. On your computer, get your public key:"
echo " cat ~/.ssh/id_ed25519.pub"
echo ""
echo "2. Add it to the server's authorized_keys:"
echo " echo 'YOUR_PUBLIC_KEY' >> /home/$SYSADMIN_USER/.ssh/authorized_keys"
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
echo " echo 'YOUR_PUBLIC_KEY' >> /home/$ADDITIONAL_USER/.ssh/authorized_keys"
fi
echo ""
fi
echo -e "${YELLOW}ROOT USER SSH KEY:${NC}"
echo "----------------------------------------"
cat "$root_ssh_key"
echo "----------------------------------------"
echo ""
echo -e "${YELLOW}Instructions:${NC}"
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
echo "1. Copy all keys above"
echo "2. Add all keys to your git server and any other systems you need access to"
else
echo "1. Copy both keys above"
echo "2. Add both keys to your git server and any other systems you need access to"
fi
echo "3. You can now use these keys for SSH authentication"
echo ""
read -p "Press Enter to continue..."
}
@@ -654,8 +716,9 @@ main() {
exit 0
fi
# Ask for user and firewall preferences
# Ask for user and security preferences
ask_additional_user
ask_ssh_security
ask_firewall_preferences
# System setup
@@ -665,8 +728,8 @@ main() {
configure_security
# SSH key setup
generate_ssh_keys
show_ssh_keys
setup_user_ssh_keys
show_ssh_setup_summary
# Finalize
finalize_setup
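Review bot: In the configure_security hunk, the two `log` calls placed inside the `{ … }` group that emits the sshd directives (`log "SSH password authentication disabled"` and `log "SSH password authentication enabled"`) share the group's output stream with the `echo` lines, so if log() writes to stdout — as the echo-based messaging elsewhere in this script suggests — the coloured log text is written into /etc/ssh/sshd_config next to the directives and sshd will reject the file on its next restart, which on a host where password authentication was just disabled is a lockout. The group's closing brace and its redirection target, like the rest of configure_security, lie outside the hunk, so this is inferred from `# Add current settings` followed by `{`; confirm against the full function. The fix is to decide the value before the group and log after it: `local pw_auth=yes; [[ "$DISABLE_SSH_PASSWORD" == "yes" ]] && pw_auth=no`, then `echo "PasswordAuthentication $pw_auth"` inside the group, then `log "SSH password authentication: $pw_auth"` after the closing brace. If the unconditional `echo "PasswordAuthentication no"` directly above the `if` survives on the new side rather than being the removed old line, note that sshd applies the first occurrence of a keyword, so the later `PasswordAuthentication yes` would never take effect. Separately, on Debian-family hosts (the script uses apt) sshd_config typically begins with `Include /etc/ssh/sshd_config.d/*.conf`, whose drop-ins take precedence over anything appended at the end of the file, so after writing the settings it is worth checking the effective value with `sshd -T | grep -i passwordauthentication` and validating the file with `sshd -t` before any restart.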