НЕНАВИЖУ
ЭКРАНИРОВАНИЕ
2025-08-24 08:17:31 +03:00
parent cd98f92c77
commit 4d9039a081
+21 -21
@@ -121,43 +121,43 @@ create_user() {
} }
configure_ssh() { configure_ssh() {
run "Configuring SSH access" bash -c ' run "Configuring SSH access" bash -c "
install -d -m 700 -o "$USERNAME" -g "$USERNAME" "/home/$USERNAME/.ssh" install -d -m 700 -o \"$USERNAME\" -g \"$USERNAME\" \"/home/$USERNAME/.ssh\"
printf "%s\n" "$SSH_KEY" > "/home/$USERNAME/.ssh/authorized_keys" printf \"%s\n\" \"$SSH_KEY\" > \"/home/$USERNAME/.ssh/authorized_keys\"
chmod 600 "/home/$USERNAME/.ssh/authorized_keys" chmod 600 \"/home/$USERNAME/.ssh/authorized_keys\"
chown -R "$USERNAME":"$USERNAME" "/home/$USERNAME/.ssh" chown -R \"$USERNAME\":\"$USERNAME\" \"/home/$USERNAME/.ssh\"
if ! grep -qE "^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config.d/\\*.conf" /etc/ssh/sshd_config; then if ! grep -qE \"^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config.d/\\*.conf\" /etc/ssh/sshd_config; then
echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config echo \"Include /etc/ssh/sshd_config.d/*.conf\" >> /etc/ssh/sshd_config
fi fi
install -d -m 755 /etc/ssh/sshd_config.d install -d -m 755 /etc/ssh/sshd_config.d
dir=/etc/ssh/sshd_config.d dir=/etc/ssh/sshd_config.d
shopt -s nullglob shopt -s nullglob
for f in "$dir"/*.conf; do for f in \"\$dir\"/*.conf; do
base=$(basename "$f") base=\$(basename \"\$f\")
case "$base" in case \"\$base\" in
[0-9][0-9]-*.conf) [0-9][0-9]-*.conf)
[[ $base == 99-* ]] && mv "$f" "${f%.conf}.disabled" [[ \$base == 99-* ]] && mv \"\$f\" \"\${f%.conf}.disabled\"
;; ;;
*) *)
mv "$f" "${f%.conf}.disabled" mv \"\$f\" \"\${f%.conf}.disabled\"
;; ;;
esac esac
done done
shopt -u nullglob shopt -u nullglob
max=$(find "$dir" -maxdepth 1 -type f -name "[0-9][0-9]-*.conf" | sed -n "s#.*/\\([0-9][0-9]\\)-.*#\\1#p" | sort -n | tail -1) max=\$(find \"\$dir\" -maxdepth 1 -type f -name '[0-9][0-9]-*.conf' | sed -n 's#.*/\\([0-9][0-9]\\)-.*#\\1#p' | sort -n | tail -1)
if [ -z "$max" ]; then if [ -z \"\$max\" ]; then
next=10 next=10
else else
next=$((10#$max + 10)) next=\$((10#\$max + 10))
[ "$next" -gt 99 ] && next=99 [ \"\$next\" -gt 99 ] && next=99
fi fi
newfile=$(printf "%s/%02d-hardening.conf" "$dir" "$next") newfile=\$(printf '%s/%02d-hardening.conf' \"\$dir\" \"\$next\")
printf "%s\n" "PasswordAuthentication no" "PermitRootLogin no" "KbdInteractiveAuthentication no" > "$newfile" printf \"%s\n\" 'PasswordAuthentication no' 'PermitRootLogin no' 'KbdInteractiveAuthentication no' > \"\$newfile\"
chown root:root "$newfile" chown root:root \"\$newfile\"
chmod 0644 "$newfile" chmod 0644 \"\$newfile\"
sshd -t sshd -t
systemctl reload sshd 2>/dev/null || systemctl reload ssh 2>/dev/null || systemctl restart sshd 2>/dev/null || systemctl restart ssh systemctl reload sshd 2>/dev/null || systemctl reload ssh 2>/dev/null || systemctl restart sshd 2>/dev/null || systemctl restart ssh
' "
run "Checking SSH configuration" bash -c "sshd -T | grep -q '^passwordauthentication no$' && sshd -T | grep -q '^permitrootlogin no$' && sshd -T | grep -q '^kbdinteractiveauthentication no$'" run "Checking SSH configuration" bash -c "sshd -T | grep -q '^passwordauthentication no$' && sshd -T | grep -q '^permitrootlogin no$' && sshd -T | grep -q '^kbdinteractiveauthentication no$'"
} }
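Review bot: With the `bash -c "…"` form (the second text on lines 12–16, which I read as the new side since the page carries no +/- markers), `$USERNAME` and `$SSH_KEY` are expanded by the outer shell and pasted into the program text that the inner bash then parses, so a key value containing `"`, `$(`, a backtick or a backslash is no longer data but shell code executed as root — the old single-quoted form left those expansions to the inner shell, and the new `\$dir`/`\$f`/`\$max` escapes show the author already handles the rest of the script that way. Whether SSH_KEY can carry such characters depends on where it is read, which is outside this hunk, but even a benign key comment with a quote in it would break the script. The usual fix is to pass the two values as positional arguments and reference them only inside the inner script (`bash -c '…' _ "$USERNAME" "$SSH_KEY"`), assuming `run` forwards its trailing arguments unchanged; the rewritten head of the script is below. Separately, the status of `sshd -t` on line 46 is not acted on before the reload/restart chain on line 47, so `sshd -t || exit 1` (or `&&` into the reload) would avoid reloading a drop-in that failed validation. create_user's closing brace on line 10 is in the hunk but its body is outside it.
```shell
run "Configuring SSH access" bash -c "
  user=\$1; key=\$2
  install -d -m 700 -o \"\$user\" -g \"\$user\" \"/home/\$user/.ssh\"
  printf '%s\n' \"\$key\" > \"/home/\$user/.ssh/authorized_keys\"
  chmod 600 \"/home/\$user/.ssh/authorized_keys\"
  chown -R \"\$user:\$user\" \"/home/\$user/.ssh\"
  # … unchanged: Include check, sshd_config.d rotation, hardening drop-in …
  sshd -t || exit 1
  # … unchanged: systemctl reload/restart chain …
" _ "$USERNAME" "$SSH_KEY"
```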