From 6620d6c0a9ad8ad4f4a14d3e5eb69f0c432b3873 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sun, 4 Jan 2026 11:03:58 -0600
Subject: [PATCH] variables
---
 scripts/ssh-server-check.sh | 46 ++++++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 16 deletions(-)
diff --git a/scripts/ssh-server-check.sh b/scripts/ssh-server-check.sh
index d55f3c5..ff6ae13 100755
--- a/scripts/ssh-server-check.sh
+++ b/scripts/ssh-server-check.sh
@@ -4,6 +4,12 @@
 GREEN_CHECK="\e[32m✔\e[0m"
 RED_X="\e[31m✗\e[0m"
 YELLOW_BANG="\e[33m!\e[0m"
+SSH_CFG_DIR="/etc/ssh"
+SSH_USER_CA="$SSH_CFG_DIR/ssh_user_ca.pub"
+SSH_HOST_KEY="$SSH_CFG_DIR/ssh_host_ed25519_key"
+SSH_HOST_PUBLIC_KEY="$SSH_HOST_KEY.pub"
+SSH_HOST_CERT="$SSH_HOST_KEY-cert.pub"
+
 #
 # Function Definition
 #
@@ -23,6 +29,18 @@ ssh_config_val() {
 }
+sign_host_cert() {
+ local if="eth0"
+ local IP_ADDRESS=$(ip -4 addr show dev $if | awk '/inet /{print $2}' | cut -d/ -f1) && \
+ local hostname=$(hostname -s) && \
+ step ssh certificate --host --sign \
+ --principal "$hostname" \
+ --principal "$hostname.john-stream.com" \
+ --principal "$IP_ADDRESS" \
+ --provisioner admin \
+ "$hostname" "$SSH_HOST_PUBLIC_KEY"
+}
+
 check_ssh_files() {
 row_success() {
@@ -113,6 +131,18 @@ check_cert_config() {
 local base_dir="/etc/ssh/sshd_config.d"
 local cfg_path="$base_dir/${1:-certs.conf}"
+ install_cert_config() {
+ mkdir -p $(dirname $cfg_path)
+
+ cat < $cfg_path
+TrustedUserCAKeys $SSH_USER_CA
+HostKey $SSH_HOST_KEY
+HostCertificate $SSH_HOST_CERT
+EOF
+
+ echo -e "$GREEN_CHECK Configured sshd to use and accept SSH certs."
+ }
+
 if [[ ! -e $cfg_path ]]; then
 echo -e "$YELLOW_BANG sshd not configured to use SSH certs"
 read -p "Do you want to configure sshd? (y/n) " -n 1 -r 
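Review bot: The five new path variables are constants that every later function trusts (the sshd drop-in is generated from them), yet nothing stops a later assignment or a sourced file from silently repointing `SSH_HOST_KEY` or `SSH_USER_CA`; declaring them `readonly` costs nothing and makes such a change a hard error, e.g. `readonly SSH_CFG_DIR="/etc/ssh"` and `readonly SSH_USER_CA="$SSH_CFG_DIR/ssh_user_ca.pub"`, and likewise for the three host-key paths. A one-line comment above the group, `# Paths sshd is configured with below; the CA file is the trust anchor for user certs`, would also tell a reader why these are not mere defaults.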
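Review bot: The `&&` chain in sign_host_cert cannot stop on failure, because `local IP_ADDRESS=$(...)` and `local hostname=$(...)` return the status of `local` (always 0), not of the command substitution; if `eth0` does not exist or has no IPv4 address, the host certificate is still requested with `--principal ""`, and an interface with several addresses yields a multi-line principal. Since this mints a host certificate whose principals are what clients will trust, the lookups should be assigned separately, checked for a non-empty single value, and only then passed to `step`; the interface name is also a good candidate for an optional argument. The unquoted `$if` should be `"$if"` as well. The `step ... --provisioner admin` invocation itself is unchanged below.
```shell
sign_host_cert() {
  local if="${1:-eth0}"
  local IP_ADDRESS hostname
  # 'local x=$(cmd)' always returns 0, so an && chain never short-circuits;
  # assign separately and refuse to sign with empty or ambiguous principals.
  IP_ADDRESS=$(ip -4 addr show dev "$if" | awk '/inet /{print $2; exit}' | cut -d/ -f1)
  hostname=$(hostname -s)
  if [[ -z "$IP_ADDRESS" || -z "$hostname" ]]; then
    echo -e "$RED_X sign_host_cert: no IPv4 address on $if or no short hostname" >&2
    return 1
  fi
  # … unchanged: step ssh certificate --host --sign … "$hostname" "$SSH_HOST_PUBLIC_KEY" …
}
```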
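Review bot: install_cert_config writes a drop-in naming `$SSH_HOST_KEY`, `$SSH_HOST_CERT` and `$SSH_USER_CA` without checking that any of them exist, and nothing in this hunk calls sign_host_cert first; if the ed25519 key is absent sshd has no host key and will not start after the restart elsewhere in the script, and a missing CA file silently disables the certificate auth the user just opted into. Checking the three files before writing, quoting `"$cfg_path"` in the `mkdir`/redirect, and running `sshd -t` before reporting success would catch this at install time. As rendered, the line reads `cat < $cfg_path`, which would read from the not-yet-existing file rather than write the heredoc; that is presumably a `<<EOF > $cfg_path` lost in rendering, but worth confirming in the real file. The enclosing check_cert_config continues outside the hunk.
```shell
  install_cert_config() {
    local f
    # Do not point sshd at files that are not there yet: a missing HostKey
    # leaves sshd unable to start, a missing CA file silently disables cert auth.
    for f in "$SSH_USER_CA" "$SSH_HOST_KEY" "$SSH_HOST_CERT"; do
      [[ -r "$f" ]] || { echo -e "$RED_X $f not found; install the CA and sign the host key first" >&2; return 1; }
    done
    mkdir -p "$(dirname "$cfg_path")"
    # … unchanged: heredoc writing TrustedUserCAKeys/HostKey/HostCertificate to "$cfg_path" …
    sshd -t || { echo -e "$RED_X sshd rejected the generated $cfg_path" >&2; return 1; }
    echo -e "$GREEN_CHECK Configured sshd to use and accept SSH certs."
  }
```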
@@ -124,22 +154,6 @@ check_cert_config() {
 fi
 }
-install_cert_config() {
- local base_dir="/etc/ssh/sshd_config.d"
- local cfg_path="${1:-$base_dir/certs.conf}"
-
- mkdir -p $(dirname $cfg_path)
-
- cat < $cfg_path
-TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
-HostKey /etc/ssh/ssh_host_ed25519_key
-HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
-EOF
-
- echo -e "$GREEN_CHECK Configured sshd to use and accept SSH certs."
-}
-
-
 restart_sshd() {
 if systemctl is-active --quiet sshd; then
 local sshd_pid=$(systemctl show --property MainPID --value sshd)