diff --git a/scripts/ssh-server-check.sh b/scripts/ssh-server-check.sh
index ee0b7e8..e2f5dec 100755
--- a/scripts/ssh-server-check.sh
+++ b/scripts/ssh-server-check.sh
@@ -1,5 +1,12 @@
 #!/usr/bin/env bash
+GREEN_CHECK="\e[32m✔\e[0m"
+RED_X="\e[31m✗\e[0m"
+
+#
+# Function Definition
+#
+
 ssh_config_val() {
 local field="$1"
 local val
@@ -12,6 +19,10 @@ ssh_config_val() {
 echo $(sshd -T | grep -i "^$field " | head -1 | awk '{print $2}')
 }
+green_checkmark() {
+ printf "\e[32m✔\e[0m"
+}
+
 check_ssh_files() {
 printf "%-6s %-20s %-6s %s\n" "STATUS" "KEY" "PERMS" "PATH"
 for key in hostkey hostcertificate trustedusercakeys; do
@@ -23,9 +34,9 @@ check_ssh_files() {
 if [[ -e "$path" ]]; then
 perms=$(stat -c '%a' "$path")
- printf "%-7s %-20s %-6s %s\n" "✅" "$key" "$perms" "$path"
+ printf "%-17b %-20s %-6s %s\n" " $GREEN_CHECK" "$key" "$perms" "$path"
 else
- printf "%-7s %-20s %-6s %s\n" "❌" "$key" "-" "$path (missing)"
+ printf "%-17b %-20s %-6s %s\n" " $RED_X" "$key" "-" "$path (missing)"
 fi
 done
 }
@@ -54,17 +65,30 @@ ssh_fingerprint() {
 ssh-keygen -lf "$cfg_path" | awk '{ print $2 }'
 }
+install_cert_config() {
+ local base_dir="/etc/ssh/sshd_config.d"
+ local cfg_path="${1:-$base_dir/certs.conf}"
+
+ mkdir -p $(dirname $cfg_path)
+
+ cat < $cfg_path
+TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+EOF
+}
+
+
+#
+# Run Process
+#
+
 if [[ ! -e "/etc/ssh/sshd_config.d/certs.conf" ]]; then
 echo "⚠️ sshd not configured to use SSH certs"
 read -p "Do you want to configure sshd? (y/n) " -n 1 -r
 echo
 if [[ $REPLY =~ ^[Yy]$ ]]; then
- mkdir -p /etc/ssh/sshd_config.d
- cat < /etc/ssh/sshd_config.d/certs.conf
-TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
-HostKey /etc/ssh/ssh_host_ed25519_key
-HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
-EOF
+ install_cert_config
 echo -n "Restarting sshd... "
 systemctl restart sshd
 echo "done"
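Review bot: GREEN_CHECK and RED_X in the first hunk are script-wide constants that nothing should reassign, yet they are declared as plain variables; mark them `readonly GREEN_CHECK="\e[32m✔\e[0m"` and `readonly RED_X="\e[31m✗\e[0m"`. A one-line comment above them such as `# ANSI-coloured status markers; render through printf '%b'` would tell the reader why they carry raw escape sequences. The script still has no `set -euo pipefail` near the shebang, which matters more now that it writes under /etc/ssh.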
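Review bot: green_checkmark() in the second hunk duplicates the GREEN_CHECK constant added in the first hunk and is not referenced anywhere in the visible diff, so the two representations of the same marker can silently drift. Either drop the function or define it in terms of the constant, `green_checkmark() { printf '%b' "$GREEN_CHECK"; }`, and give it a one-line header like `# Prints the green check mark without a trailing newline`. The context line `echo $(sshd -T | ...)` in the same hunk is pre-existing, but it word-splits the unquoted substitution and is worth quoting while the file is being touched.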
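Review bot: The new `%-17b` width in both printf lines of the third hunk pads on the byte length of the escape-laden status string, so column alignment now depends on the exact length of GREEN_CHECK/RED_X and on the multibyte ✔/✗, while the header row above still uses `%-6s`; the two are only aligned by coincidence. Either keep a plain `%-6s` column with a one-character marker and emit the colour escapes around it, or document the coupling with `# %-17b: width must absorb the ANSI escape bytes inside GREEN_CHECK/RED_X`. Note that `%b` interprets backslash sequences in its argument, which is acceptable for these two constants but must not be extended to `$path` or `$key`.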
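Review bot: install_cert_config writes the sshd drop-in and the caller restarts sshd on the following context lines without validating the result, so a missing /etc/ssh/ssh_user_ca.pub or host certificate is only noticed when sshd fails to come back up; run `sshd -t` after writing the file and make the call abort before `systemctl restart sshd` when it fails, e.g. `install_cert_config || { printf 'sshd config check failed, not restarting\n' >&2; exit 1; }`. The `mkdir -p $(dirname $cfg_path)` and `cat < $cfg_path` lines leave the path unquoted (ShellCheck SC2046/SC2086), and as rendered here the redirection reads the file instead of writing it — that is likely the here-doc operator lost in extraction, but confirm the committed form is `cat <<'EOF' >"$cfg_path"`. The rewritten function follows; the enclosing `if` block continues past the end of the hunk.
```shell
install_cert_config() {
  local base_dir="/etc/ssh/sshd_config.d"
  local cfg_path="${1:-$base_dir/certs.conf}"

  mkdir -p -- "$(dirname -- "$cfg_path")" || return 1

  # quoted delimiter: nothing inside the drop-in is expanded
  cat >"$cfg_path" <<'EOF'
TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
EOF

  # refuse to hand a broken config to the restart that follows;
  # sshd -t also reports host keys/certs it cannot load
  sshd -t || return 1
}
```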