summaryrefslogtreecommitdiffstats
path: root/ansible/deployment_poc/shell
diff options
context:
space:
mode:
authorGeorg Pfuetzenreuter2022-02-13 16:56:12 +0100
committerGeorg Pfuetzenreuter2022-02-13 16:56:12 +0100
commit2ce8450b893ad9f8a119a1ff24dcc7eb4ba78b82 (patch)
tree031a57c9007535346a2760b352f66ee70dabb761 /ansible/deployment_poc/shell
parent9f8f61a0abb3ab5cf8d94540573191ba4b8893d0 (diff)
downloadsystem-2ce8450b893ad9f8a119a1ff24dcc7eb4ba78b82.tar.gz
system-2ce8450b893ad9f8a119a1ff24dcc7eb4ba78b82.tar.bz2
system-2ce8450b893ad9f8a119a1ff24dcc7eb4ba78b82.zip
Bulk update
Signed-off-by: Georg Pfuetzenreuter <georg@lysergic.dev>
Diffstat (limited to 'ansible/deployment_poc/shell')
-rwxr-xr-xansible/deployment_poc/shell/configure_sshd.sh79
1 files changed, 79 insertions, 0 deletions
diff --git a/ansible/deployment_poc/shell/configure_sshd.sh b/ansible/deployment_poc/shell/configure_sshd.sh
new file mode 100755
index 0000000..2cf3ac4
--- /dev/null
+++ b/ansible/deployment_poc/shell/configure_sshd.sh
@@ -0,0 +1,79 @@
+#!/bin/sh
+#
+# Deploys SSH client configuration for nodes with CA signed host certificates and CA based user authentication. Standalone nodes may not use this script.
+# Currently only designed for systemd based GNU/Linux distributions and OpenBSD. To-Do: support Sys-V init and Lukem RC based systems. To-Do 2: port this to Ansible deployment_poc.
+#
+# Author: Georg Pfuetzenreuter <georg@lysergic.dev>
+# Last edit: 13/02/2022
+
+PUBKEY="$1"
+
+
+get_ip_address () {
+ case $KERNEL in
+ "OpenBSD" ) ifconfig | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}' | head -n1
+ ;;
+ "Linux" ) ip addr show eth0 | awk '$1 == "inet" {gsub(/\/.*$/, "", $2); print $2}'
+ ;;
+ esac
+
+}
+HOSTNAME=$(hostname -s)
+KERNEL=$(uname)
+IP_ADDRESS="$(get_ip_address)"
+if [ "$KERNEL" = "OpenBSD" ] || [ "$KERNEL" = "Linux" ]; then
+ if [ -f /etc/ssh/$HOSTNAME ] && [ -f /etc/ssh/$HOSTNAME-cert.pub ]; then
+ if [ ! -d /etc/ssh/old ]; then
+ mkdir /etc/ssh/old
+ fi
+ if [ -f /etc/ssh/ssh_known_hosts ]; then
+ mv /etc/ssh/ssh_known_hosts /etc/ssh/old/
+ fi
+ #if compgen -G "/etc/ssh/ssh_host_*" > /dev/null; then
+ #mv /etc/ssh/ssh_host_* /etc/ssh/old/
+ #fi
+ if [ -f /etc/ssh/ssh_host_rsa_key ]; then
+ mv /etc/ssh/ssh_host_* /etc/ssh/old/
+ fi
+ mv /etc/ssh/sshd_config /etc/ssh/old/
+ if [ -f /etc/ssh/ssh_config ]; then
+ mv /etc/ssh/ssh_config /etc/ssh/old/
+ fi
+ cat <<'EOF_SSHD_CONFIG' >/etc/ssh/sshd_config
+ListenAddress %%IP_ADDRESS%%
+Protocol 2
+SyslogFacility AUTH
+LogLevel FATAL
+
+HostKey /etc/ssh/%%HOSTNAME%%
+HostCertificate /etc/ssh/%%HOSTNAME%%-cert.pub
+TrustedUserCAKeys /etc/ssh/user_ca
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+
+LoginGraceTime 1m
+PermitRootLogin no
+StrictModes yes
+MaxAuthTries 1
+MaxSessions 3
+
+X11Forwarding no
+PrintMotd yes
+PrintLastLog yes
+EOF_SSHD_CONFIG
+ sed -i -e "s/%%IP_ADDRESS%%/$IP_ADDRESS/" -e "s/%%HOSTNAME%%/$HOSTNAME/" /etc/ssh/sshd_config
+ echo "$PUBKEY" > /etc/ssh/user_ca
+ case $KERNEL in
+ "OpenBSD" ) rcctl reload sshd
+ ;;
+ "Linux" ) systemctl reload sshd
+ ;;
+ esac
+ echo "OK"
+ else
+ echo "Missing host certificate and public key, copy them to /etc/ssh/ for me."
+ fi
+else
+ echo "Unsupported operating system, please configure sshd manually."
+fi