diff --git a/setup.sh b/setup.sh index b6d4195..4a47dd9 100755 --- a/setup.sh +++ b/setup.sh @@ -18,6 +18,8 @@ CREATE_ADDITIONAL_USER="" ADDITIONAL_USER="" USE_UFW="" USE_FAIL2BAN="" +DISABLE_SSH_PASSWORD="" +SETUP_SSH_KEYS="" # Logging functions log() { 
@@ -114,6 +116,55 @@ ask_additional_user() { fi } +# Ask user about SSH security preferences +ask_ssh_security() { + echo "" + echo -e "${BLUE}=== SSH Security Configuration ===${NC}" + echo "This script can disable SSH password authentication for enhanced security." + echo "" + echo -e "${YELLOW}⚠️ WARNING: Disabling password authentication means you can ONLY log in with SSH keys!${NC}" + echo "If you lose your SSH keys, you could be locked out of the server." + echo "" + echo -e "${YELLOW}Consider keeping password authentication if:${NC}" + echo "• This is your first time setting up SSH keys" + echo "• You don't have a reliable way to store SSH keys" + echo "• You need emergency access options" + echo "" + read -p "Disable SSH password authentication? (y/N): " disable_password_choice + + if [[ "$disable_password_choice" =~ ^[Yy]$ ]]; then + DISABLE_SSH_PASSWORD="yes" + log "SSH password authentication will be disabled" + + echo "" + echo -e "${BLUE}=== SSH Key Setup ===${NC}" + echo "Since password authentication will be disabled, you'll need SSH keys to connect." + echo "You need to add YOUR computer's SSH public key to the server." + echo "" + read -p "Add your SSH public key to authorized_keys for login? (Y/n): " setup_keys_choice + + if [[ "$setup_keys_choice" =~ ^[Nn]$ ]]; then + SETUP_SSH_KEYS="no" + warn "SSH keys will NOT be set up automatically" + warn "You MUST manually add your public key to authorized_keys files after setup" + else + SETUP_SSH_KEYS="yes" + log "You will be prompted to paste your SSH public key" + fi + else + DISABLE_SSH_PASSWORD="no" + SETUP_SSH_KEYS="no" + log "SSH password authentication will remain enabled" + + echo "" + read -p "Still want to add your SSH public key for convenient access? (Y/n): " add_keys_choice + if [[ ! "$add_keys_choice" =~ ^[Nn]$ ]]; then + SETUP_SSH_KEYS="yes" + log "You will be prompted to paste your SSH public key" + fi + fi +} + # Ask user about firewall preferences ask_firewall_preferences() { echo "" 
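Review bot: The branch where the user answers yes to disabling password authentication and then `n` to key setup leaves `DISABLE_SSH_PASSWORD="yes"` with `SETUP_SSH_KEYS="no"`, so configure_security (hunk at -264) will write `PasswordAuthentication no` while no key has been placed in any authorized_keys — the lockout the warning text describes is permitted by the code rather than prevented. Safer to keep passwords on in that branch until a key is actually installed, e.g. after `SETUP_SSH_KEYS="no"` add `DISABLE_SSH_PASSWORD="no"` and `warn "Password authentication stays enabled because no key is being installed; disable it manually once a key is in authorized_keys"`, or require a second explicit confirmation. The three `read -p` calls should also use `-r` so a pasted backslash is not interpreted.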
@@ -264,11 +315,30 @@ configure_security() { sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config - # Additional SSH hardening + # Configure SSH settings (remove old custom settings first) log "Applying SSH security settings..." + + # Remove previous custom settings to avoid duplicates + sed -i '/^Protocol 2$/d' /etc/ssh/sshd_config + sed -i '/^PasswordAuthentication /d' /etc/ssh/sshd_config + sed -i '/^PubkeyAuthentication /d' /etc/ssh/sshd_config + sed -i '/^PermitEmptyPasswords /d' /etc/ssh/sshd_config + sed -i '/^X11Forwarding /d' /etc/ssh/sshd_config + sed -i '/^MaxAuthTries /d' /etc/ssh/sshd_config + sed -i '/^ClientAliveInterval /d' /etc/ssh/sshd_config + sed -i '/^ClientAliveCountMax /d' /etc/ssh/sshd_config + sed -i '/^AllowUsers /d' /etc/ssh/sshd_config + + # Add current settings { echo "Protocol 2" - echo "PasswordAuthentication no" + if [[ "$DISABLE_SSH_PASSWORD" == "yes" ]]; then + echo "PasswordAuthentication no" + log "SSH password authentication disabled" + else + echo "PasswordAuthentication yes" + log "SSH password authentication enabled" + fi echo "PubkeyAuthentication yes" echo "PermitEmptyPasswords no" echo "X11Forwarding no" @@ -412,8 +482,9 @@ EOF } configure_fail2ban() { - log "Configuring fail2ban..." - cat > /etc/fail2ban/jail.local << EOF + if [[ "$USE_FAIL2BAN" == "yes" ]]; then + log "Configuring fail2ban..." + cat > /etc/fail2ban/jail.local << EOF [DEFAULT] bantime = 1h findtime = 10m 
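Review bot: Appending `PasswordAuthentication no` to the end of /etc/ssh/sshd_config (the group's redirection target is outside the hunk, presumably `>>`) is ineffective when the file begins with `Include /etc/ssh/sshd_config.d/*.conf`, as recent Debian/Ubuntu images do; sshd keeps the first value it reads, and cloud-init often ships a drop-in containing `PasswordAuthentication yes`, so the hardening silently does not apply. The cleanup `sed` calls should also cover the drop-in directory, or the script's settings should go into a drop-in that sorts before the others (e.g. a file named like `00-<example>.conf` in /etc/ssh/sshd_config.d/). Before the restart that presumably follows outside this hunk, `sshd -t || { warn "sshd_config invalid, not restarting"; return 1; }` would prevent a bad config from taking the only remote access path down. `Protocol 2` is a deprecated directive in current OpenSSH and only produces a warning; it can be dropped from the written block.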
@@ -427,38 +498,80 @@ logpath = /var/log/auth.log maxretry = 3 bantime = 1h EOF - - # Start and enable fail2ban - systemctl enable fail2ban - systemctl start fail2ban - - log "Fail2ban configured and started" + + # Start and enable fail2ban + systemctl enable fail2ban + systemctl start fail2ban + + log "Fail2ban configured and started" + else + # Remove/disable fail2ban if user chose not to use it + if systemctl is-active --quiet fail2ban; then + log "Stopping and disabling fail2ban..." + systemctl stop fail2ban + systemctl disable fail2ban + fi + + if dpkg -l | grep -q fail2ban; then + log "Removing fail2ban package..." + apt remove --purge -y fail2ban + apt autoremove -y + fi + + log "Fail2ban has been removed/disabled" + fi } -### === SSH KEY GENERATION === ### -generate_ssh_keys() { - echo "[+] Please enter your email for the SSH keys:" - read -p "Enter your email: " user_email - - # Generate SSH key for sysadmin user - generate_user_ssh_key "$SYSADMIN_USER" "$user_email" - - # Generate SSH key for additional user if created - if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then - generate_user_ssh_key "$ADDITIONAL_USER" "$user_email" +### === SSH KEY SETUP === ### +setup_user_ssh_keys() { + if [[ "$SETUP_SSH_KEYS" == "no" ]]; then + log "SSH key setup skipped" + return fi - # Generate SSH key for root user - generate_root_ssh_key "$user_email" + echo "" + echo -e "${BLUE}=== SSH Public Key Setup ===${NC}" + echo "To set up SSH key authentication, you need to provide your SSH public key." 
+ echo "You can find your public key on your computer by running:" + echo -e "${YELLOW} cat ~/.ssh/id_rsa.pub${NC}" + echo -e "${YELLOW} # or${NC}" + echo -e "${YELLOW} cat ~/.ssh/id_ed25519.pub${NC}" + echo "" + echo "If you don't have an SSH key pair, generate one on your computer first:" + echo -e "${YELLOW} ssh-keygen -t ed25519 -C \"your_email@example.com\"${NC}" + echo "" + + while true; do + echo "Please paste your SSH public key (starts with ssh-rsa, ssh-ed25519, etc.):" + read -r user_public_key + + if [[ -z "$user_public_key" ]]; then + echo -e "${RED}Public key cannot be empty. Please try again.${NC}" + continue + elif [[ "$user_public_key" =~ ^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-) ]]; then + break + else + echo -e "${RED}Invalid SSH public key format. Please ensure you copied the entire key.${NC}" + continue + fi + done + + # Add SSH key to sysadmin user + setup_ssh_key_for_user "$SYSADMIN_USER" "$user_public_key" + + # Add SSH key to additional user if created + if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then + setup_ssh_key_for_user "$ADDITIONAL_USER" "$user_public_key" + fi } -generate_user_ssh_key() { +setup_ssh_key_for_user() { local username="$1" - local user_email="$2" + local public_key="$2" local user_home="/home/$username" local ssh_dir="$user_home/.ssh" - local ssh_key="$ssh_dir/id_ed25519" + local authorized_keys="$ssh_dir/authorized_keys" log "Setting up SSH key for user: $username" 
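Review bot: The prefix regex in setup_user_ssh_keys accepts `ssh-dss`, which current sshd refuses by default, and accepts any line with a matching prefix even if the base64 body was truncated, so a user who also disabled password authentication can end up with an unusable key and no way in. Validate with the tool that will consume the key instead: `ssh-keygen -l -f /dev/stdin <<<"$user_public_key" >/dev/null 2>&1 || { echo -e "${RED}Invalid SSH public key. Please copy the entire key.${NC}"; continue; }`, which also covers key types the regex misses (sk-* FIDO keys, certificates). In the fail2ban removal branch, `dpkg -l | grep -q fail2ban` matches any package whose name or description contains the string; `dpkg -s fail2ban >/dev/null 2>&1` tests the specific package. setup_ssh_key_for_user's body continues past the end of this hunk.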
@@ -468,96 +581,45 @@ generate_user_ssh_key() { sudo -u "$username" chmod 700 "$ssh_dir" fi - if [ ! -f "$ssh_key.pub" ]; then - log "Generating SSH key for $username..." - - # Generate SSH key as user - sudo -u "$username" ssh-keygen -t ed25519 -C "$user_email" -f "$ssh_key" -N "" - - # Set proper permissions - sudo -u "$username" chmod 600 "$ssh_key" - sudo -u "$username" chmod 644 "$ssh_key.pub" - - log "SSH key generated successfully for $username" + # Add public key to authorized_keys + log "Adding public key to authorized_keys for $username..." + + # Check if key already exists in authorized_keys + if [ -f "$authorized_keys" ] && grep -Fxq "$public_key" "$authorized_keys"; then + warn "SSH key already exists in authorized_keys for $username" else - warn "SSH key already exists for $username" + echo "$public_key" | sudo -u "$username" tee -a "$authorized_keys" > /dev/null + sudo -u "$username" chmod 600 "$authorized_keys" + log "Public key added to authorized_keys for $username" fi } -generate_root_ssh_key() { - local user_email="$1" - local root_ssh_dir="/root/.ssh" - local root_ssh_key="$root_ssh_dir/id_ed25519" - - log "Setting up SSH key for root user" - - # Create .ssh directory for root if it doesn't exist - if [ ! -d "$root_ssh_dir" ]; then - mkdir -p "$root_ssh_dir" - chmod 700 "$root_ssh_dir" - fi - - if [ ! -f "$root_ssh_key.pub" ]; then - log "Generating SSH key for root..." 
- - # Generate SSH key as root - ssh-keygen -t ed25519 -C "$user_email" -f "$root_ssh_key" -N "" - - # Set proper permissions - chmod 600 "$root_ssh_key" - chmod 644 "$root_ssh_key.pub" - - log "SSH key generated successfully for root" - else - warn "SSH key already exists for root" - fi -} - -show_ssh_keys() { - local sysadmin_home="/home/$SYSADMIN_USER" - local sysadmin_ssh_key="$sysadmin_home/.ssh/id_ed25519.pub" - local root_ssh_key="/root/.ssh/id_ed25519.pub" - - echo "" - echo -e "${BLUE}=== SSH PUBLIC KEYS ===${NC}" - echo "Add the following public keys to your Git server and any other systems:" - echo "" - - echo -e "${YELLOW}SYSADMIN USER ($SYSADMIN_USER) SSH KEY:${NC}" - echo "----------------------------------------" - cat "$sysadmin_ssh_key" - echo "----------------------------------------" - echo "" - - # Show additional user SSH key if created - if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then - local additional_home="/home/$ADDITIONAL_USER" - local additional_ssh_key="$additional_home/.ssh/id_ed25519.pub" - - echo -e "${YELLOW}ADDITIONAL USER ($ADDITIONAL_USER) SSH KEY:${NC}" - echo "----------------------------------------" - cat "$additional_ssh_key" - echo "----------------------------------------" +show_ssh_setup_summary() { + if [[ "$SETUP_SSH_KEYS" == "yes" ]]; then + echo "" + echo -e "${GREEN}✓ SSH key authentication has been set up for:${NC}" + echo " - User: $SYSADMIN_USER" + if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then + echo " - User: $ADDITIONAL_USER" + fi + echo "" + echo -e "${YELLOW}Your SSH public key has been added to authorized_keys files.${NC}" + echo "You can now connect using your SSH private key." + elif [[ "$DISABLE_SSH_PASSWORD" == "yes" ]]; then + echo "" + echo -e "${RED}⚠️ SSH password authentication is DISABLED${NC}" + echo -e "${YELLOW}You MUST add your SSH public key manually:${NC}" + echo "" + echo "1. 
On your computer, get your public key:" + echo " cat ~/.ssh/id_ed25519.pub" + echo "" + echo "2. Add it to the server's authorized_keys:" + echo " echo 'YOUR_PUBLIC_KEY' >> /home/$SYSADMIN_USER/.ssh/authorized_keys" + if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then + echo " echo 'YOUR_PUBLIC_KEY' >> /home/$ADDITIONAL_USER/.ssh/authorized_keys" + fi echo "" fi - - echo -e "${YELLOW}ROOT USER SSH KEY:${NC}" - echo "----------------------------------------" - cat "$root_ssh_key" - echo "----------------------------------------" - echo "" - - echo -e "${YELLOW}Instructions:${NC}" - if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then - echo "1. Copy all keys above" - echo "2. Add all keys to your git server and any other systems you need access to" - else - echo "1. Copy both keys above" - echo "2. Add both keys to your git server and any other systems you need access to" - fi - echo "3. You can now use these keys for SSH authentication" - echo "" - read -p "Press Enter to continue..." } @@ -654,8 +716,9 @@ main() { exit 0 fi - # Ask for user and firewall preferences + # Ask for user and security preferences ask_additional_user + ask_ssh_security ask_firewall_preferences # System setup @@ -665,8 +728,8 @@ main() { configure_security # SSH key setup - generate_ssh_keys - show_ssh_keys + setup_user_ssh_keys + show_ssh_setup_summary # Finalize finalize_setup
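Review bot: In setup_ssh_key_for_user the `chmod 600` runs only when a new key is appended, so an authorized_keys that already exists with permissive mode (which sshd rejects under StrictModes) is left as is, and `echo "$public_key"` feeds pasted data through echo. Move `sudo -u "$username" chmod 600 "$authorized_keys"` out of the else branch so it always runs, and write with `printf '%s\n' "$public_key" | sudo -u "$username" tee -a -- "$authorized_keys" > /dev/null`. The function's directory-creation prologue is outside this hunk, so whether `$ssh_dir` is guaranteed to exist at this point cannot be confirmed here.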