authorGeorg2021-12-04 18:55:51 +0100
committerGeorg2021-12-04 18:55:51 +0100
commit7bcae4982d3025d7e9b54e962586c7ed84b9e02e (patch)
treec820be134edbd540ab95e477744b500c2cce1146
parent209f09dc5cde22b913217812fe3dca5c12241489 (diff)
Init SSH CA client deployment script
Signed-off-by: Georg <georg@lysergic.dev>
-rw-r--r--scripts/sh/deploy_ssh_ca_client.sh72
1 files changed, 72 insertions, 0 deletions
diff --git a/scripts/sh/deploy_ssh_ca_client.sh b/scripts/sh/deploy_ssh_ca_client.sh
new file mode 100644
index 0000000..078ef77
--- /dev/null
+++ b/scripts/sh/deploy_ssh_ca_client.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+#
+# Deploys SSH client configuration for nodes with CA signed host certificates and CA based user authentication. Standalone nodes may not use this script.
+# Currently only designed for systemd based GNU/Linux distributions and OpenBSD. To-Do: support Sys-V init and Lukem RC based systems.
+#
+# Author: Georg Pfuetzenreuter <georg@lysergic.dev>
+# Last edit: 04/12/2021
+#
+# Not ready for production use.
+
+get_ip_address () {
+ case $KERNEL in
+ "OpenBSD" ) ifconfig | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}' | head -n1
+ ;;
+ "Linux" ) ip addr show eth0 | awk '$1 == "inet" {gsub(/\/.*$/, "", $2); print $2}'
+ ;;
+ esac
+
+}
+HOSTNAME=$(hostname -s)
+KERNEL=$(uname)
+IP_ADDRESS="$(get_ip_address)"
+if [ "$KERNEL" = "OpenBSD" ] || [ "$KERNEL" = "Linux" ]; then
+ if [ -f /tmp/$HOSTNAME ] && [ -f /tmp/$HOSTNAME-cert.pub ]; then
+ mkdir /etc/ssh/old
+ [ -f /etc/ssh/ssh_known_hosts ] && mv /etc/ssh/ssh_known_hosts/ /etc/ssh/old/
+ if compgen -G "/etc/ssh/ssh_host_*" > /dev/null; then
+ mv /etc/ssh/ssh_host_* /etc/ssh/old/
+ fi
+ mv /etc/ssh/sshd_config /etc/ssh/old/
+ [ -f /etc/ssh/ssh_config ] && mv /etc/ssh/old/
+ mv /tmp/$HOSTNAME /etc/ssh/
+ mv /tmp/$HOSTNAME-cert.pub /etc/ssh/
+ cat <<'EOF_SSHD_CONFIG' >/etc/ssh/sshd_config
+ListenAddress $IP_ADDRESS
+Protocol 2
+SyslogFacility AUTH
+LogLevel FATAL
+
+HostKey /etc/ssh/$HOSTNAME
+HostCertificate /etc/ssh/$HOSTNAME-cert.pub
+TrustedUserCAKeys /etc/ssh/user_ca
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+
+LoginGraceTime 1m
+PermitRootLogin no
+StrictModes yes
+MaxAuthTries 1
+MaxSessions 3
+
+X11Forwarding no
+PrintMotd yes
+PrintLastLog yes
+EOF_SSHD_CONFIG
+ cat <<'EOF_USER_CA' >/etc/ssh/user_ca
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLbLqHWXcxLGf58aJwa4eSC3KYGfdIiluKynOXS/fZD system@lysergic.dev
+EOF_USER_CA
+ case $KERNEL in
+ "OpenBSD" ) rcctl reload sshd
+ ;;
+ "Linux" ) systemctl reload sshd
+ ;;
+ esac
+ echo "OK"
+ else
+ echo "Missing host certificate and public key, copy them to /tmp/ for me."
+ fi
+else
+ echo "Unsupported operating system, please configure sshd manually."
+fi
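Review bot: The sshd_config here-document uses a quoted delimiter (`cat <<'EOF_SSHD_CONFIG'`), so `$IP_ADDRESS` and `$HOSTNAME` are written literally into `/etc/ssh/sshd_config`; sshd will then be told to listen on the address `$IP_ADDRESS` and load the key `/etc/ssh/$HOSTNAME`, neither of which exists, while the old config has already been moved away. Use an unquoted delimiter, `cat <<EOF_SSHD_CONFIG >/etc/ssh/sshd_config`, and validate before the reload with `sshd -t || exit 1` so a broken config never reaches the running daemon (the `user_ca` here-doc is correctly quoted and needs no change). Two more lines in the same block cannot work as written: `mv /etc/ssh/old/` on the ssh_config branch has no source operand, and `mv /etc/ssh/ssh_known_hosts/ /etc/ssh/old/` adds a trailing slash to a regular file; `compgen` is also a bash builtin that `#!/bin/sh` may not provide. Separately, the host private key is picked up from the predictable, world-writable path `/tmp/$HOSTNAME` and moved into place without checking ownership or setting its mode, so a `chmod 600 "/etc/ssh/$HOSTNAME"` (and ideally a root-ownership check before the move) would be worth adding, and `mkdir /etc/ssh/old` should tolerate re-runs (`mkdir -p`).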