author | Georg | 2021-12-04 18:55:51 +0100 |
---|---|---|
committer | Georg | 2021-12-04 18:55:51 +0100 |
commit | 7bcae4982d3025d7e9b54e962586c7ed84b9e02e (patch) | |
tree | c820be134edbd540ab95e477744b500c2cce1146 /scripts | |
parent | 209f09dc5cde22b913217812fe3dca5c12241489 (diff) | |
download | system-7bcae4982d3025d7e9b54e962586c7ed84b9e02e.tar.gz system-7bcae4982d3025d7e9b54e962586c7ed84b9e02e.tar.bz2 system-7bcae4982d3025d7e9b54e962586c7ed84b9e02e.zip |
Init SSH CA client deployment script
Signed-off-by: Georg <georg@lysergic.dev>
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/sh/deploy_ssh_ca_client.sh | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/scripts/sh/deploy_ssh_ca_client.sh b/scripts/sh/deploy_ssh_ca_client.sh
new file mode 100644
index 0000000..078ef77
--- /dev/null
+++ b/scripts/sh/deploy_ssh_ca_client.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+#
+# Deploys SSH client configuration for nodes with CA signed host certificates and CA based user authentication. Standalone nodes may not use this script.
+# Currently only designed for systemd based GNU/Linux distributions and OpenBSD. To-Do: support Sys-V init and Lukem RC based systems.
+#
+# Author: Georg Pfuetzenreuter <georg@lysergic.dev>
+# Last edit: 04/12/2021
+#
+# Not ready for production use.
+
+get_ip_address () {
+ case $KERNEL in
+ "OpenBSD" ) ifconfig | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}' | head -n1
+ ;;
+ "Linux" ) ip addr show eth0 | awk '$1 == "inet" {gsub(/\/.*$/, "", $2); print $2}'
+ ;;
+ esac
+
+}
+HOSTNAME=$(hostname -s)
+KERNEL=$(uname)
+IP_ADDRESS="$(get_ip_address)"
+if [ "$KERNEL" = "OpenBSD" ] || [ "$KERNEL" = "Linux" ]; then
+ if [ -f /tmp/$HOSTNAME ] && [ -f /tmp/$HOSTNAME-cert.pub ]; then
+ mkdir /etc/ssh/old
+ [ -f /etc/ssh/ssh_known_hosts ] && mv /etc/ssh/ssh_known_hosts/ /etc/ssh/old/
+ if compgen -G "/etc/ssh/ssh_host_*" > /dev/null; then
+ mv /etc/ssh/ssh_host_* /etc/ssh/old/
+ fi
+ mv /etc/ssh/sshd_config /etc/ssh/old/
+ [ -f /etc/ssh/ssh_config ] && mv /etc/ssh/old/
+ mv /tmp/$HOSTNAME /etc/ssh/
+ mv /tmp/$HOSTNAME-cert.pub /etc/ssh/
+ cat <<'EOF_SSHD_CONFIG' >/etc/ssh/sshd_config
+ListenAddress $IP_ADDRESS
+Protocol 2
+SyslogFacility AUTH
+LogLevel FATAL
+
+HostKey /etc/ssh/$HOSTNAME
+HostCertificate /etc/ssh/$HOSTNAME-cert.pub
+TrustedUserCAKeys /etc/ssh/user_ca
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+
+LoginGraceTime 1m
+PermitRootLogin no
+StrictModes yes
+MaxAuthTries 1
+MaxSessions 3
+
+X11Forwarding no
+PrintMotd yes
+PrintLastLog yes
+EOF_SSHD_CONFIG
+ cat <<'EOF_USER_CA' >/etc/ssh/user_ca
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLbLqHWXcxLGf58aJwa4eSC3KYGfdIiluKynOXS/fZD system@lysergic.dev
+EOF_USER_CA
+ case $KERNEL in
+ "OpenBSD" ) rcctl reload sshd
+ ;;
+ "Linux" ) systemctl reload sshd
+ ;;
+ esac
+ echo "OK"
+ else
+ echo "Missing host certificate and public key, copy them to /tmp/ for me."
+ fi
+else
+ echo "Unsupported operating system, please configure sshd manually."
+fi
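Review bot: The sshd_config heredoc uses a quoted delimiter (`<<'EOF_SSHD_CONFIG'`), so `$IP_ADDRESS` and `$HOSTNAME` are written literally into /etc/ssh/sshd_config; sshd rejects that file at reload, and by then the real config and host keys have already been moved to /etc/ssh/old, so a restart would lock the node out — the body contains no other `$`, so `cat <<EOF_SSHD_CONFIG >/etc/ssh/sshd_config` is the fix. Three more lines in the same branch are broken: `mv /etc/ssh/ssh_known_hosts/ /etc/ssh/old/` fails on a regular file because of the trailing slash, `[ -f /etc/ssh/ssh_config ] && mv /etc/ssh/old/` is missing its source operand, and `compgen -G` is a bash builtin that is not available under the `#!/bin/sh` shebang (OpenBSD's sh is ksh-derived), so the old host keys silently stay in place. The private host key is picked up from world-writable /tmp and installed with whatever mode it arrived with, so it needs a `chmod 600` before the reload (a root-only staging directory would be better than /tmp), and running `sshd -t` before reloading keeps a bad config from replacing the live one. One documentation point for the config body: `LogLevel FATAL` suppresses the accepted/failed authentication lines that host monitoring relies on, so the choice deserves a comment, or `INFO`/`VERBOSE` as is usual for CA-based auth.

```shell
# … unchanged: header, get_ip_address, variable setup, outer kernel check …
	if [ -f "/tmp/$HOSTNAME" ] && [ -f "/tmp/$HOSTNAME-cert.pub" ]; then
		mkdir -p /etc/ssh/old
		[ -f /etc/ssh/ssh_known_hosts ] && mv /etc/ssh/ssh_known_hosts /etc/ssh/old/
		# POSIX replacement for compgen -G: an unmatched glob stays literal, hence the -e test
		for key in /etc/ssh/ssh_host_*; do
			[ -e "$key" ] && mv "$key" /etc/ssh/old/
		done
		mv /etc/ssh/sshd_config /etc/ssh/old/
		[ -f /etc/ssh/ssh_config ] && mv /etc/ssh/ssh_config /etc/ssh/old/
		mv "/tmp/$HOSTNAME" "/tmp/$HOSTNAME-cert.pub" /etc/ssh/
		chmod 600 "/etc/ssh/$HOSTNAME"
		cat <<EOF_SSHD_CONFIG >/etc/ssh/sshd_config
# … unchanged: sshd_config body, now with $IP_ADDRESS and $HOSTNAME expanded …
EOF_SSHD_CONFIG
# … unchanged: user_ca heredoc …
		sshd -t || { echo "new sshd_config rejected, previous files are in /etc/ssh/old" >&2; exit 1; }
# … unchanged: reload case statement and status messages …
```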