john/janus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7b7fba3f39c2a4d47e1ea602a0b3b26f6543124c
janus/scripts/ssh-server-check.sh
John Lancaster 7b7fba3f39 check_cert_config
2026-01-04 10:52:53 -06:00

170 lines
4.1 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
GREEN_CHECK="\e[32m✔\e[0m"
RED_X="\e[31m✗\e[0m"
YELLOW_BANG="\e[33m!\e[0m"
#
# Function Definition
#
# This test loads the sshd config to see what values actually get parsed.
ssh_config_val() {
local field="$1"
local val
if [[ -z "$field" ]]; then
echo "usage: ssh_config_val <config name>" >&2
return 2
fi
echo $(sshd -T 2>/dev/null | grep -i "^$field " | head -1 | awk '{print $2}')
}
check_ssh_files() {
row_success() {
local key="$1"
local path="$2"
local perms=$(stat -c '%a' "$path")
printf "%-17b %-20s %-6s %s\n" " $GREEN_CHECK" "$key" "$perms" "$path"
}
row_missing() {
local key="$1"
local path="$2"
printf "%-15b %-20s %-6s %s\n" " $YELLOW_BANG" "$key" "-" "$path (missing)"
}
row_unconfigured() {
local key="$1"
printf "%-17b %-20s %-6s %s\n" " $RED_X" "$key" "-" "(not configured)"
}
get_key_status() {
local path="$1"
if [[ -z "$path" ]]; then
echo "unconfigured"
elif [[ ! -e "$path" ]]; then
echo "missing"
else
echo "success"
fi
}
row_process() {
local key="$1"
path=$(ssh_config_val "$key")
status=$(get_key_status "$path")
case "$status" in
success) row_success "$key" "$path" ;;
missing) row_missing "$key" "$path" ;;
unconfigured) row_unconfigured "$key" ;;
esac
}
printf "%-6s %-20s %-6s %s\n" "STATUS" "KEY" "PERMS" "PATH"
row_process "hostkey"
row_process "hostcertificate"
row_process "trustedusercakeys"
case "$status" in
success) return ;;
missing)
# Do something if trustedusercakeys is missing
read -p "Create the trusted keys file? (y/n) " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
(step ssh config --roots > "$path")
echo -e "$GREEN_CHECK Created public key file for SSH user CA"
fi
;;
unconfigured) return;;
esac
}
ssh_fingerprint() {
local field="$1"
local ca_path
if [[ -z "$field" ]]; then
echo "usage: ssh_fingerprint <trusteduserca|hostcertificate|...>" >&2
return 2
fi
cfg_path=$(ssh_config_val $field)
if [[ -z "$cfg_path" ]]; then
echo "error: sshd field '$field' not found or empty" >&2
return 1
fi
if [[ ! -r "$cfg_path" ]]; then
echo "error: file not readable: $cfg_path" >&2
return 1
fi
ssh-keygen -lf "$cfg_path" | awk '{ print $2 }'
}
check_cert_config() {
local base_dir="/etc/ssh/sshd_config.d"
local cfg_path="$base_dir/${1:-certs.conf}"
if [[ ! -e $cfg_path ]]; then
echo -e "$YELLOW_BANG sshd not configured to use SSH certs"
read -p "Do you want to configure sshd? (y/n) " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
install_cert_config
restart_sshd
fi
fi
}
install_cert_config() {
local base_dir="/etc/ssh/sshd_config.d"
local cfg_path="${1:-$base_dir/certs.conf}"
mkdir -p $(dirname $cfg_path)
cat <<EOF > $cfg_path
TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
EOF
echo -e "$GREEN_CHECK Configured sshd to use and accept SSH certs."
}
restart_sshd() {
if systemctl is-active --quiet sshd; then
local sshd_pid=$(systemctl show --property MainPID --value sshd)
echo "Restarting sshd service..."
systemctl restart sshd
echo -e "$GREEN_CHECK Restarted sshd service on PID: $sshd_pid"
else
echo -e "$YELLOW_BANG Not running sshd service"
read -p "Do you want to start sshd? (y/n) " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
systemctl start sshd
echo -e "$GREEN_CHECK Started sshd"
fi
fi
}
#
# Run Process
#
check_cert_config "certs.conf"
check_ssh_files
echo ""
echo "Host key fingerprint"
ssh_fingerprint hostkey
Reference in New Issue View Git Blame Copy Permalink