WirFixenAlles/Boilerplates
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update Linux/SSH/secure_ssh.sh

Browse Source
This commit is contained in:
Manuel Gläser
2025-05-07 19:43:21 +00:00
parent d71f3127c2
commit b3a3f38176
1 changed files with 23 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
Linux/SSH/secure_ssh.sh
View File

@@ -61,6 +61,18 @@ install_package() {
log "$pkg installed." log "$pkg installed."
} }
# ─── PAM Check ─────────────────────────────────────────────────────────────
check_pam_support() {
# Check if PAM is installed and supported by SSH
if [ -d /etc/pam.d ] && find /usr/lib* /lib* -name 'libpam.so*' -quit 2>/dev/null; then
if sshd -T 2>/dev/null | grep -q "usepam"; then
echo "yes"
return
fi
fi
echo "no"
}
# ─── Hauptsetup ──────────────────────────────────────────────────────────── # ─── Hauptsetup ────────────────────────────────────────────────────────────
log "Starting Secure-SSH Setup..." log "Starting Secure-SSH Setup..."
@@ -76,8 +88,15 @@ command -v sshd &>/dev/null || install_package openssh-server
log "Host key generated." log "Host key generated."
} }
# ─── Benutzer/Gruppen-Abfrage ────────────────────────────────────────────── # ─── PAM Support Check ─────────────────────────────────────────────────────
read -rp $'\e[1;34mAllowed SSH group (leave empty if unused): \e[0m' SSH_GROUP PAM_SUPPORT=$(check_pam_support)
if [ "$PAM_SUPPORT" = "yes" ]; then
log "PAM support detected and will be enabled."
PAM_OPTIONS="UsePAM yes\nPrintLastLog yes"
else
warn "PAM not available - skipping PAM-related options."
PAM_OPTIONS="# PAM not available on this system"
fi
# ─── Konfigurationsdatei erstellen ───────────────────────────────────────── # ─── Konfigurationsdatei erstellen ─────────────────────────────────────────
warn "Generating hardened SSH config..." warn "Generating hardened SSH config..."
@@ -93,7 +112,7 @@ PermitEmptyPasswords no
HostKey $ED25519_KEY HostKey $ED25519_KEY
# ─── Access Control ─────────────────────────────────────────────────────── # ─── Access Control ───────────────────────────────────────────────────────
AllowGroups ${SSH_GROUP} AllowGroups $SSH_GROUP
DenyUsers root admin administrator DenyUsers root admin administrator
# ─── Authentication ─────────────────────────────────────────────────────── # ─── Authentication ───────────────────────────────────────────────────────
@@ -120,16 +139,10 @@ PermitTunnel no
# ─── Logging & Auditing ─────────────────────────────────────────────────── # ─── Logging & Auditing ───────────────────────────────────────────────────
LogLevel VERBOSE LogLevel VERBOSE
PrintLastLog yes
SyslogFacility AUTH SyslogFacility AUTH
$PAM_OPTIONS
EOF EOF
# ─── PAM Handling (dynamisch) ──────────────────────────────────────────────
if [ -d /etc/pam.d ] && find / -name 'libpam.so*' -quit 2>/dev/null; then
echo -e "UsePAM yes\nPrintMotd no" | sudo tee -a "$SSH_CONFIG_FILE" >/dev/null
log "PAM support enabled."
fi
# ─── Konfiguration testen & neu starten ──────────────────────────────────── # ─── Konfiguration testen & neu starten ────────────────────────────────────
sudo sshd -t || { error "Invalid SSH config. Fix errors before restarting."; exit 1; } sudo sshd -t || { error "Invalid SSH config. Fix errors before restarting."; exit 1; }
restart_ssh_service $(basename "$(command -v sshd)") || exit 1 restart_ssh_service $(basename "$(command -v sshd)") || exit 1