Del-c.net/debian-first-boot-setup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add SSH security configuration options to setup script. Implement user prompts for disabling SSH password authentication and setting up SSH keys. Enhance logging and user feedback during SSH key setup process, including checks for existing keys in authorized_keys.

Browse Source
This commit is contained in:
Sérgio
2025-09-05 12:55:28 +01:00
parent 9ce963b1b7
commit c1951eec11
1 changed files with 176 additions and 113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

265
setup.sh
View File

@@ -18,6 +18,8 @@ CREATE_ADDITIONAL_USER=""
ADDITIONAL_USER="" ADDITIONAL_USER=""
USE_UFW="" USE_UFW=""
USE_FAIL2BAN="" USE_FAIL2BAN=""
DISABLE_SSH_PASSWORD=""
SETUP_SSH_KEYS=""
# Logging functions # Logging functions
log() { log() {
@@ -114,6 +116,55 @@ ask_additional_user() {
fi fi
} }
# Ask user about SSH security preferences
ask_ssh_security() {
echo ""
echo -e "${BLUE}=== SSH Security Configuration ===${NC}"
echo "This script can disable SSH password authentication for enhanced security."
echo ""
echo -e "${YELLOW}⚠️ WARNING: Disabling password authentication means you can ONLY log in with SSH keys!${NC}"
echo "If you lose your SSH keys, you could be locked out of the server."
echo ""
echo -e "${YELLOW}Consider keeping password authentication if:${NC}"
echo "• This is your first time setting up SSH keys"
echo "• You don't have a reliable way to store SSH keys"
echo "• You need emergency access options"
echo ""
read -p "Disable SSH password authentication? (y/N): " disable_password_choice
if [[ "$disable_password_choice" =~ ^[Yy]$ ]]; then
DISABLE_SSH_PASSWORD="yes"
log "SSH password authentication will be disabled"
echo ""
echo -e "${BLUE}=== SSH Key Setup ===${NC}"
echo "Since password authentication will be disabled, you'll need SSH keys to connect."
echo "You need to add YOUR computer's SSH public key to the server."
echo ""
read -p "Add your SSH public key to authorized_keys for login? (Y/n): " setup_keys_choice
if [[ "$setup_keys_choice" =~ ^[Nn]$ ]]; then
SETUP_SSH_KEYS="no"
warn "SSH keys will NOT be set up automatically"
warn "You MUST manually add your public key to authorized_keys files after setup"
else
SETUP_SSH_KEYS="yes"
log "You will be prompted to paste your SSH public key"
fi
else
DISABLE_SSH_PASSWORD="no"
SETUP_SSH_KEYS="no"
log "SSH password authentication will remain enabled"
echo ""
read -p "Still want to add your SSH public key for convenient access? (Y/n): " add_keys_choice
if [[ ! "$add_keys_choice" =~ ^[Nn]$ ]]; then
SETUP_SSH_KEYS="yes"
log "You will be prompted to paste your SSH public key"
fi
fi
}
# Ask user about firewall preferences # Ask user about firewall preferences
ask_firewall_preferences() { ask_firewall_preferences() {
echo "" echo ""
@@ -264,11 +315,30 @@ configure_security() {
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
# Additional SSH hardening # Configure SSH settings (remove old custom settings first)
log "Applying SSH security settings..." log "Applying SSH security settings..."
# Remove previous custom settings to avoid duplicates
sed -i '/^Protocol 2$/d' /etc/ssh/sshd_config
sed -i '/^PasswordAuthentication /d' /etc/ssh/sshd_config
sed -i '/^PubkeyAuthentication /d' /etc/ssh/sshd_config
sed -i '/^PermitEmptyPasswords /d' /etc/ssh/sshd_config
sed -i '/^X11Forwarding /d' /etc/ssh/sshd_config
sed -i '/^MaxAuthTries /d' /etc/ssh/sshd_config
sed -i '/^ClientAliveInterval /d' /etc/ssh/sshd_config
sed -i '/^ClientAliveCountMax /d' /etc/ssh/sshd_config
sed -i '/^AllowUsers /d' /etc/ssh/sshd_config
# Add current settings
{ {
echo "Protocol 2" echo "Protocol 2"
if [[ "$DISABLE_SSH_PASSWORD" == "yes" ]]; then
echo "PasswordAuthentication no" echo "PasswordAuthentication no"
log "SSH password authentication disabled"
else
echo "PasswordAuthentication yes"
log "SSH password authentication enabled"
fi
echo "PubkeyAuthentication yes" echo "PubkeyAuthentication yes"
echo "PermitEmptyPasswords no" echo "PermitEmptyPasswords no"
echo "X11Forwarding no" echo "X11Forwarding no"
@@ -412,6 +482,7 @@ EOF
} }
configure_fail2ban() { configure_fail2ban() {
if [[ "$USE_FAIL2BAN" == "yes" ]]; then
log "Configuring fail2ban..." log "Configuring fail2ban..."
cat > /etc/fail2ban/jail.local << EOF cat > /etc/fail2ban/jail.local << EOF
[DEFAULT] [DEFAULT]
@@ -433,32 +504,74 @@ EOF
systemctl start fail2ban systemctl start fail2ban
log "Fail2ban configured and started" log "Fail2ban configured and started"
} else
# Remove/disable fail2ban if user chose not to use it
if systemctl is-active --quiet fail2ban; then
### === SSH KEY GENERATION === ### log "Stopping and disabling fail2ban..."
generate_ssh_keys() { systemctl stop fail2ban
echo "[+] Please enter your email for the SSH keys:" systemctl disable fail2ban
read -p "Enter your email: " user_email
# Generate SSH key for sysadmin user
generate_user_ssh_key "$SYSADMIN_USER" "$user_email"
# Generate SSH key for additional user if created
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
generate_user_ssh_key "$ADDITIONAL_USER" "$user_email"
fi fi
# Generate SSH key for root user if dpkg -l | grep -q fail2ban; then
generate_root_ssh_key "$user_email" log "Removing fail2ban package..."
apt remove --purge -y fail2ban
apt autoremove -y
fi
log "Fail2ban has been removed/disabled"
fi
} }
generate_user_ssh_key() {
### === SSH KEY SETUP === ###
setup_user_ssh_keys() {
if [[ "$SETUP_SSH_KEYS" == "no" ]]; then
log "SSH key setup skipped"
return
fi
echo ""
echo -e "${BLUE}=== SSH Public Key Setup ===${NC}"
echo "To set up SSH key authentication, you need to provide your SSH public key."
echo "You can find your public key on your computer by running:"
echo -e "${YELLOW} cat ~/.ssh/id_rsa.pub${NC}"
echo -e "${YELLOW} # or${NC}"
echo -e "${YELLOW} cat ~/.ssh/id_ed25519.pub${NC}"
echo ""
echo "If you don't have an SSH key pair, generate one on your computer first:"
echo -e "${YELLOW} ssh-keygen -t ed25519 -C \"your_email@example.com\"${NC}"
echo ""
while true; do
echo "Please paste your SSH public key (starts with ssh-rsa, ssh-ed25519, etc.):"
read -r user_public_key
if [[ -z "$user_public_key" ]]; then
echo -e "${RED}Public key cannot be empty. Please try again.${NC}"
continue
elif [[ "$user_public_key" =~ ^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-) ]]; then
break
else
echo -e "${RED}Invalid SSH public key format. Please ensure you copied the entire key.${NC}"
continue
fi
done
# Add SSH key to sysadmin user
setup_ssh_key_for_user "$SYSADMIN_USER" "$user_public_key"
# Add SSH key to additional user if created
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
setup_ssh_key_for_user "$ADDITIONAL_USER" "$user_public_key"
fi
}
setup_ssh_key_for_user() {
local username="$1" local username="$1"
local user_email="$2" local public_key="$2"
local user_home="/home/$username" local user_home="/home/$username"
local ssh_dir="$user_home/.ssh" local ssh_dir="$user_home/.ssh"
local ssh_key="$ssh_dir/id_ed25519" local authorized_keys="$ssh_dir/authorized_keys"
log "Setting up SSH key for user: $username" log "Setting up SSH key for user: $username"
@@ -468,96 +581,45 @@ generate_user_ssh_key() {
sudo -u "$username" chmod 700 "$ssh_dir" sudo -u "$username" chmod 700 "$ssh_dir"
fi fi
if [ ! -f "$ssh_key.pub" ]; then # Add public key to authorized_keys
log "Generating SSH key for $username..." log "Adding public key to authorized_keys for $username..."
# Generate SSH key as user # Check if key already exists in authorized_keys
sudo -u "$username" ssh-keygen -t ed25519 -C "$user_email" -f "$ssh_key" -N "" if [ -f "$authorized_keys" ] && grep -Fxq "$public_key" "$authorized_keys"; then
warn "SSH key already exists in authorized_keys for $username"
# Set proper permissions
sudo -u "$username" chmod 600 "$ssh_key"
sudo -u "$username" chmod 644 "$ssh_key.pub"
log "SSH key generated successfully for $username"
else else
warn "SSH key already exists for $username" echo "$public_key" | sudo -u "$username" tee -a "$authorized_keys" > /dev/null
sudo -u "$username" chmod 600 "$authorized_keys"
log "Public key added to authorized_keys for $username"
fi fi
} }
generate_root_ssh_key() { show_ssh_setup_summary() {
local user_email="$1" if [[ "$SETUP_SSH_KEYS" == "yes" ]]; then
local root_ssh_dir="/root/.ssh"
local root_ssh_key="$root_ssh_dir/id_ed25519"
log "Setting up SSH key for root user"
# Create .ssh directory for root if it doesn't exist
if [ ! -d "$root_ssh_dir" ]; then
mkdir -p "$root_ssh_dir"
chmod 700 "$root_ssh_dir"
fi
if [ ! -f "$root_ssh_key.pub" ]; then
log "Generating SSH key for root..."
# Generate SSH key as root
ssh-keygen -t ed25519 -C "$user_email" -f "$root_ssh_key" -N ""
# Set proper permissions
chmod 600 "$root_ssh_key"
chmod 644 "$root_ssh_key.pub"
log "SSH key generated successfully for root"
else
warn "SSH key already exists for root"
fi
}
show_ssh_keys() {
local sysadmin_home="/home/$SYSADMIN_USER"
local sysadmin_ssh_key="$sysadmin_home/.ssh/id_ed25519.pub"
local root_ssh_key="/root/.ssh/id_ed25519.pub"
echo "" echo ""
echo -e "${BLUE}=== SSH PUBLIC KEYS ===${NC}" echo -e "${GREEN} SSH key authentication has been set up for:${NC}"
echo "Add the following public keys to your Git server and any other systems:" echo " - User: $SYSADMIN_USER"
echo ""
echo -e "${YELLOW}SYSADMIN USER ($SYSADMIN_USER) SSH KEY:${NC}"
echo "----------------------------------------"
cat "$sysadmin_ssh_key"
echo "----------------------------------------"
echo ""
# Show additional user SSH key if created
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
local additional_home="/home/$ADDITIONAL_USER" echo " - User: $ADDITIONAL_USER"
local additional_ssh_key="$additional_home/.ssh/id_ed25519.pub"
echo -e "${YELLOW}ADDITIONAL USER ($ADDITIONAL_USER) SSH KEY:${NC}"
echo "----------------------------------------"
cat "$additional_ssh_key"
echo "----------------------------------------"
echo ""
fi fi
echo -e "${YELLOW}ROOT USER SSH KEY:${NC}"
echo "----------------------------------------"
cat "$root_ssh_key"
echo "----------------------------------------"
echo "" echo ""
echo -e "${YELLOW}Your SSH public key has been added to authorized_keys files.${NC}"
echo -e "${YELLOW}Instructions:${NC}" echo "You can now connect using your SSH private key."
elif [[ "$DISABLE_SSH_PASSWORD" == "yes" ]]; then
echo ""
echo -e "${RED}⚠️ SSH password authentication is DISABLED${NC}"
echo -e "${YELLOW}You MUST add your SSH public key manually:${NC}"
echo ""
echo "1. On your computer, get your public key:"
echo " cat ~/.ssh/id_ed25519.pub"
echo ""
echo "2. Add it to the server's authorized_keys:"
echo " echo 'YOUR_PUBLIC_KEY' >> /home/$SYSADMIN_USER/.ssh/authorized_keys"
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
echo "1. Copy all keys above" echo " echo 'YOUR_PUBLIC_KEY' >> /home/$ADDITIONAL_USER/.ssh/authorized_keys"
echo "2. Add all keys to your git server and any other systems you need access to"
else
echo "1. Copy both keys above"
echo "2. Add both keys to your git server and any other systems you need access to"
fi fi
echo "3. You can now use these keys for SSH authentication"
echo "" echo ""
read -p "Press Enter to continue..." fi
} }
@@ -654,8 +716,9 @@ main() {
exit 0 exit 0
fi fi
# Ask for user and firewall preferences # Ask for user and security preferences
ask_additional_user ask_additional_user
ask_ssh_security
ask_firewall_preferences ask_firewall_preferences
# System setup # System setup
@@ -665,8 +728,8 @@ main() {
configure_security configure_security
# SSH key setup # SSH key setup
generate_ssh_keys setup_user_ssh_keys
show_ssh_keys show_ssh_setup_summary
# Finalize # Finalize
finalize_setup finalize_setup