diff --git a/setup.sh b/setup.sh
index 3fb5b03..6427078 100644
--- a/setup.sh
+++ b/setup.sh
@@ -126,32 +126,25 @@ configure_ssh() {
 printf \"%s\n\" \"$SSH_KEY\" > \"/home/$USERNAME/.ssh/authorized_keys\"
 chmod 600 \"/home/$USERNAME/.ssh/authorized_keys\"
 chown -R \"$USERNAME\":\"$USERNAME\" \"/home/$USERNAME/.ssh\"
- if ! grep -qE \"^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config.d/\\*.conf\" /etc/ssh/sshd_config; then
- echo \"Include /etc/ssh/sshd_config.d/*.conf\" >> /etc/ssh/sshd_config
+ if grep -qE '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config.d/\\*.conf' /etc/ssh/sshd_config; then
+ sed -i '/^[[:space:]]*Include[[:space:]]*\/etc\/ssh\/sshd_config.d\/\*.conf/d' /etc/ssh/sshd_config
+ echo 'Include /etc/ssh/sshd_config.d/*.conf' >> /etc/ssh/sshd_config
+ else
+ sed -i '1i Include /etc/ssh/sshd_config.d/*.conf' /etc/ssh/sshd_config
 fi
 install -d -m 755 /etc/ssh/sshd_config.d
 dir=/etc/ssh/sshd_config.d
 shopt -s nullglob
 for f in \"\$dir\"/*.conf; do
 base=\$(basename \"\$f\")
- case \"\$base\" in
- [0-9][0-9]-*.conf)
- [[ \$base == 00-* ]] && mv \"\$f\" \"\${f%.conf}.disabled\"
- ;;
- *)
- mv \"\$f\" \"\${f%.conf}.disabled\"
- ;;
- esac
+ if [[ \$base == 00-* ]]; then
+ mv \"\$f\" \"\$dir/01-\$base\"
+ elif [[ \$base != [0-9][0-9]-* ]]; then
+ mv \"\$f\" \"\${f%.conf}.disabled\"
+ fi
 done
 shopt -u nullglob
- min=\$(find "\$dir" -maxdepth 1 -type f -name '[0-9][0-9]-*.conf' | sed -n 's#.*/\([0-9][0-9]\)-.*#\1#p' | sort -n | head -1)
- if [ -z "\$min" ]; then
- next=0
- else
- next=\$((10#\$min - 10))
- [ "\$next" -lt 0 ] && next=0
- fi
- newfile=\$(printf '%s/%02d-hardening.conf' "\$dir" "\$next")
+ newfile=\"\$dir/00-hardening.conf\"
 printf \"%s\n\" 'PasswordAuthentication no' 'PermitRootLogin no' 'KbdInteractiveAuthentication no' > \"\$newfile\"
 chown root:root \"\$newfile\"
 chmod 0644 \"\$newfile\"
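Review bot: The two branches of the new Include handling leave the directive in opposite places: when an Include line already exists it is deleted and re-appended at the end of /etc/ssh/sshd_config, but when it is absent it is inserted at line 1. sshd applies the first value it obtains for each keyword, so an Include at the end means a PasswordAuthentication or PermitRootLogin set earlier in the main file overrides the 00-hardening.conf drop-in, which defeats the purpose of this change on exactly the hosts that already had the directive. Replace the append with the same top insert used in the else branch, `sed -i '1i Include /etc/ssh/sshd_config.d/*.conf' /etc/ssh/sshd_config`, or drop the grep and always delete-then-insert. Note also that `sed '1i ...'` inserts nothing when the file is empty, and `mv "$f" "$dir/01-$base"` silently overwrites an existing 01- file on a repeat run, so `mv -n` or a pre-check would make the loop idempotent. configure_ssh() starts before the hunk and continues past it, so whether the result is validated with `sshd -t` before any reload is not visible here.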