diff --git a/setup.sh b/setup.sh
index 5cf4b6f..edfb2dc 100644
--- a/setup.sh
+++ b/setup.sh
@@ -121,11 +121,24 @@ create_user() {
 }
 
 configure_ssh() {
- run "Configuring SSH access" bash -c "install -d -m 700 /home/$USERNAME/.ssh && cat >/home/$USERNAME/.ssh/authorized_keys <<'KEY'
-$SSH_KEY
-KEY
-chmod 600 /home/$USERNAME/.ssh/authorized_keys && chown -R '$USERNAME':'$USERNAME' /home/$USERNAME/.ssh && sed -i 's/^#\\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config && sed -i 's/^#\\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && sed -i 's/^#\\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && sed -i 's/^#\\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config && rm -f /etc/ssh/sshd_config.d/*-cloud-init.conf && sed -i '/^[[:space:]]*PasswordAuthentication[[:space:]]\+yes[[:space:]]*$/d' /etc/ssh/sshd_config.d/*.conf && systemctl restart ssh"
- run "Checking SSH configuration" bash -c "ssh -T | grep -q '^passwordauthentication no' && ssh -T | grep -q '^permitrootlogin no'"
+ run "Configuring SSH access" bash -c '
+ install -d -m 700 -o "$USERNAME" -g "$USERNAME" "/home/$USERNAME/.ssh"
+ printf "%s\n" "$SSH_KEY" > "/home/$USERNAME/.ssh/authorized_keys"
+ chmod 600 "/home/$USERNAME/.ssh/authorized_keys"
+ chown -R "$USERNAME":"$USERNAME" "/home/$USERNAME/.ssh"
+ sed -i -E "s/^[[:space:]]*#?[[:space:]]*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config
+ sed -i -E "s/^[[:space:]]*#?[[:space:]]*PermitRootLogin.*/PermitRootLogin no/" /etc/ssh/sshd_config
+ sed -i -E "s/^[[:space:]]*#?[[:space:]]*(KbdInteractiveAuthentication|ChallengeResponseAuthentication).*/KbdInteractiveAuthentication no/" /etc/ssh/sshd_config
+ if [ -d /etc/ssh/sshd_config.d ]; then
+ rm -f /etc/ssh/sshd_config.d/*-cloud-init.conf
+ find /etc/ssh/sshd_config.d -maxdepth 1 -type f -name "*.conf" \
+ -exec sed -i "/^[[:space:]]*PasswordAuthentication[[:space:]]\\+yes[[:space:]]*$/d" {} +
+ fi
+ sshd -t
+ systemctl reload sshd 2>/dev/null || systemctl reload ssh 2>/dev/null || systemctl restart sshd 2>/dev/null || systemctl restart ssh
+ '
+
+ run "Checking SSH configuration" bash -c "sshd -T | grep -q '^passwordauthentication no$' && sshd -T | grep -q '^permitrootlogin no$' && sshd -T | grep -q '^kbdinteractiveauthentication no$'"
 }
 
 configure_ufw() {
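Review bot: The `sshd -t` line near the end of the new inline script does not gate the reload/restart chain that follows it, because the `bash -c '…'` body has no `set -e`, so a config that fails validation is still reloaded and, if every reload fails, the final `systemctl restart ssh` fallback can leave the daemon down on the host. Change it to `sshd -t || exit 1`, or open the script with `set -eu`; the latter also makes an unset `$USERNAME` or `$SSH_KEY` fail loudly instead of creating `/home//.ssh`, which matters now that the quoting changed from double to single and those variables expand in the child bash rather than the outer shell — they must reach it via the environment, and `run` is outside the hunk so I cannot confirm it exports them. The `2>/dev/null` on each reload/restart attempt also discards the only diagnostic when all four fail; consider leaving stderr visible on the last one. Whether `sshd -T` reports the merged option as `kbdinteractiveauthentication` rather than `challengeresponseauthentication` depends on the installed OpenSSH release, so the final check should be confirmed against the target's version.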