From 4d9039a081e342bf2a44d6dc661e5e8a3b746628 Mon Sep 17 00:00:00 2001
From: deadcxap
Date: Sun, 24 Aug 2025 08:17:31 +0300
Subject: [PATCH] =?UTF-8?q?=D0=AF=20=D0=9D=D0=95=D0=9D=D0=90=D0=92=D0=98?= =?UTF-8?q?=D0=96=D0=A3=20=D0=AD=D0=9A=D0=A0=D0=90=D0=9D=D0=98=D0=A0=D0=9E?= =?UTF-8?q?=D0=92=D0=90=D0=9D=D0=98=D0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 setup.sh | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/setup.sh b/setup.sh
index 060f294..1868453 100644
--- a/setup.sh
+++ b/setup.sh
@@ -121,43 +121,43 @@ create_user() {
 }
 configure_ssh() {
- run "Configuring SSH access" bash -c '
- install -d -m 700 -o "$USERNAME" -g "$USERNAME" "/home/$USERNAME/.ssh"
- printf "%s\n" "$SSH_KEY" > "/home/$USERNAME/.ssh/authorized_keys"
- chmod 600 "/home/$USERNAME/.ssh/authorized_keys"
- chown -R "$USERNAME":"$USERNAME" "/home/$USERNAME/.ssh"
- if ! grep -qE "^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config.d/\\*.conf" /etc/ssh/sshd_config; then
- echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
+ run "Configuring SSH access" bash -c "
+ install -d -m 700 -o \"$USERNAME\" -g \"$USERNAME\" \"/home/$USERNAME/.ssh\"
+ printf \"%s\n\" \"$SSH_KEY\" > \"/home/$USERNAME/.ssh/authorized_keys\"
+ chmod 600 \"/home/$USERNAME/.ssh/authorized_keys\"
+ chown -R \"$USERNAME\":\"$USERNAME\" \"/home/$USERNAME/.ssh\"
+ if ! grep -qE \"^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config.d/\\*.conf\" /etc/ssh/sshd_config; then
+ echo \"Include /etc/ssh/sshd_config.d/*.conf\" >> /etc/ssh/sshd_config
 fi
 install -d -m 755 /etc/ssh/sshd_config.d
 dir=/etc/ssh/sshd_config.d
 shopt -s nullglob
- for f in "$dir"/*.conf; do
- base=$(basename "$f")
- case "$base" in
+ for f in \"\$dir\"/*.conf; do
+ base=\$(basename \"\$f\")
+ case \"\$base\" in
 [0-9][0-9]-*.conf)
- [[ $base == 99-* ]] && mv "$f" "${f%.conf}.disabled"
+ [[ \$base == 99-* ]] && mv \"\$f\" \"\${f%.conf}.disabled\"
 ;;
 *)
- mv "$f" "${f%.conf}.disabled"
+ mv \"\$f\" \"\${f%.conf}.disabled\"
 ;;
 esac
 done
 shopt -u nullglob
- max=$(find "$dir" -maxdepth 1 -type f -name "[0-9][0-9]-*.conf" | sed -n "s#.*/\\([0-9][0-9]\\)-.*#\\1#p" | sort -n | tail -1)
- if [ -z "$max" ]; then
+ max=\$(find \"\$dir\" -maxdepth 1 -type f -name '[0-9][0-9]-*.conf' | sed -n 's#.*/\\([0-9][0-9]\\)-.*#\\1#p' | sort -n | tail -1)
+ if [ -z \"\$max\" ]; then
 next=10
 else
- next=$((10#$max + 10))
- [ "$next" -gt 99 ] && next=99
+ next=\$((10#\$max + 10))
+ [ \"\$next\" -gt 99 ] && next=99
 fi
- newfile=$(printf 
"%s/%02d-hardening.conf" "$dir" "$next")
- printf "%s\n" "PasswordAuthentication no" "PermitRootLogin no" "KbdInteractiveAuthentication no" > "$newfile"
- chown root:root "$newfile"
- chmod 0644 "$newfile"
+ newfile=\$(printf '%s/%02d-hardening.conf' \"\$dir\" \"\$next\")
+ printf \"%s\n\" 'PasswordAuthentication no' 'PermitRootLogin no' 'KbdInteractiveAuthentication no' > \"\$newfile\"
+ chown root:root \"\$newfile\"
+ chmod 0644 \"\$newfile\"
 sshd -t
 systemctl reload sshd 2>/dev/null || systemctl reload ssh 2>/dev/null || systemctl restart sshd 2>/dev/null || systemctl restart ssh
- '
+ "
 run "Checking SSH configuration" bash -c "sshd -T | grep -q '^passwordauthentication no$' && sshd -T | grep -q '^permitrootlogin no$' && sshd -T | grep -q '^kbdinteractiveauthentication no$'"
 }
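Review bot: Switching the `bash -c` script to outer double quotes makes the calling shell splice the raw contents of `$USERNAME` and `$SSH_KEY` into the text of the inner script (the `install`, `printf`, `chown` and `/home/$USERNAME/...` lines near the top of the hunk), so any `$`, backtick, backslash or `"` in those values — an authorized_keys comment field can legitimately contain such characters — is re-parsed by the inner bash as shell syntax instead of being written as data; the validation of `USERNAME` is not visible here, so it carries the same risk. The robust shape keeps the original single-quoted script and hands the two values over as data: `run "Configuring SSH access" bash -c '...' _ "$USERNAME" "$SSH_KEY"` with `USERNAME=$1; SSH_KEY=$2` as the script's first line (or `export USERNAME SSH_KEY` before the call, if `run` executes its arguments directly — that cannot be confirmed from this hunk), which also removes every `\"` and `\$` escape the commit introduces and the double-parsing of the `grep -E` and `sed` patterns. Independently, an empty `SSH_KEY` now writes an empty authorized_keys while the new hardening file disables password logins, so a `: "${SSH_KEY:?SSH_KEY must be set}"` guard before the `run` call would prevent locking the host out.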