Update Linux/SSH/secure_ssh.sh
This commit is contained in:
@@ -1,13 +1,15 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# ──────────────────────────────────────────────────────────────────────────────
|
||||
# Secure-SSH Setup for Modern Linux (2025-edition)
|
||||
# ------------------------------------------------
|
||||
# * Generates hardened OpenSSH configuration (IPv4-only)
|
||||
# * Installs/updates OpenSSH-server + creates host keys
|
||||
# * Creates users, adds SSH public keys, restricts login
|
||||
# * Removes all legacy / deprecated directives
|
||||
# * Adds post-quantum KEX, rate-limiting, strict auth flow & root lockdown
|
||||
# Secure‑SSH Setup – Modern Linux (2025‑edition, PAM‑aware)
|
||||
# ----------------------------------------------------------
|
||||
# ✦ Generates hardened OpenSSH config (IPv4‑only)
|
||||
# ✦ Installs / updates OpenSSH‑server + creates host keys
|
||||
# ✦ Creates users, adds SSH public keys, restricts login
|
||||
# ✦ Removes deprecated directives – fully OpenSSH ≥9.x compliant
|
||||
# ✦ Dynamically omits UsePAM if PAM isn’t present (e.g. Alpine)
|
||||
# ✦ Adds post‑quantum KEX, minimal cipher suite, strict auth‑flow,
|
||||
# rate‑limiting & root lockdown
|
||||
# ──────────────────────────────────────────────────────────────────────────────
|
||||
|
||||
printf "\033c" # clear terminal
|
||||
@@ -19,128 +21,105 @@ ED25519_KEY="/etc/ssh/ssh_host_ed25519_key"
|
||||
ECDSA_KEY="/etc/ssh/ssh_host_ecdsa_key"
|
||||
|
||||
# ─── ANSI colors ──────────────────────────────────────────────────────────────
|
||||
RED='\033[1;31m'
|
||||
GREEN='\033[1;32m'
|
||||
YELLOW='\033[1;33m'
|
||||
BLUE='\033[1;34m'
|
||||
WHITE='\033[1;37m'
|
||||
RESET='\033[0m'
|
||||
|
||||
RED='\033[1;31m'; GREEN='\033[1;32m'; YELLOW='\033[1;33m'; BLUE='\033[1;34m'; WHITE='\033[1;37m'; RESET='\033[0m'
|
||||
log() { echo -e "${GREEN}$1${RESET}"; }
|
||||
warn() { echo -e "${YELLOW}$1${RESET}"; }
|
||||
error() { echo -e "${RED}$1${RESET}"; }
|
||||
|
||||
# ─── Service-Manager detection (systemd │ sysvinit │ openrc) ───────────────────
|
||||
# ─── Service‑manager detection ───────────────────────────────────────────────
|
||||
detect_service_manager() {
|
||||
if command -v systemctl &>/dev/null; then echo "systemd"
|
||||
elif command -v service &>/dev/null; then echo "sysvinit"
|
||||
elif [ -x /sbin/rc-service ]; then echo "openrc"
|
||||
else echo "unknown"; fi
|
||||
if command -v systemctl &>/dev/null; then echo systemd
|
||||
elif command -v rc-service &>/dev/null; then echo openrc # Alpine, Gentoo…
|
||||
elif command -v service &>/dev/null; then echo sysvinit
|
||||
else echo unknown; fi
|
||||
}
|
||||
|
||||
# ─── SSH service name detection ───────────────────────────────────────────────
|
||||
# ─── SSH service‑name detection ───────────────────────────────────────────────
|
||||
detect_ssh_service() {
|
||||
local manager=$1
|
||||
local services=(sshd ssh openssh-server openssh)
|
||||
local manager=$1 services=(sshd ssh openssh-server openssh)
|
||||
case $manager in
|
||||
systemd) for s in "${services[@]}"; do systemctl list-units --type=service | grep -q $s && echo $s && return; done ;;
|
||||
sysvinit) for s in "${services[@]}"; do service --status-all | grep -q $s && echo $s && return; done ;;
|
||||
openrc) for s in "${services[@]}"; do rc-service -l | grep -q $s && echo $s && return; done ;;
|
||||
systemd)
|
||||
for s in "${services[@]}"; do systemctl list-units --type=service | grep -q "^$s" && { echo $s; return; }; done ;;
|
||||
openrc)
|
||||
for s in "${services[@]}"; do rc-service -l | grep -q "^$s$" && { echo $s; return; }; done ;;
|
||||
sysvinit)
|
||||
for s in "${services[@]}"; do [ -x "/etc/init.d/$s" ] && { echo $s; return; }; done ;;
|
||||
esac
|
||||
[ -x /usr/sbin/sshd ] && echo sshd || echo unknown
|
||||
}
|
||||
|
||||
restart_ssh_service() {
|
||||
local manager=$1 service=$2
|
||||
warn "Starte SSH-Dienst ($service) neu…"
|
||||
local manager=$1 service=$2; warn "Starte SSH‑Dienst ($service) neu…"
|
||||
case $manager in
|
||||
systemd) sudo systemctl restart "$service" && return 0 ;;
|
||||
sysvinit) sudo service "$service" restart && return 0 ;;
|
||||
openrc) sudo rc-service "$service" restart && return 0 ;;
|
||||
systemd) sudo systemctl restart "$service" && return 0 ;;
|
||||
openrc) sudo rc-service "$service" restart && return 0 ;;
|
||||
sysvinit) sudo "/etc/init.d/$service" restart 2>/dev/null && return 0 ;;
|
||||
esac
|
||||
sudo killall -HUP sshd 2>/dev/null && return 0
|
||||
return 1
|
||||
}
|
||||
|
||||
install_package() {
|
||||
local pkg=$1
|
||||
warn "Installiere $pkg…"
|
||||
if command -v apt &>/dev/null; then sudo apt update -qq && sudo apt install -y $pkg -qq ;
|
||||
elif command -v dnf &>/dev/null; then sudo dnf install -y $pkg &>/dev/null ;
|
||||
elif command -v yum &>/dev/null; then sudo yum install -y $pkg &>/dev/null ;
|
||||
elif command -v apk &>/dev/null; then sudo apk add $pkg &>/dev/null ;
|
||||
elif command -v pacman&>/dev/null; then sudo pacman -Sy --noconfirm $pkg &>/dev/null ;
|
||||
elif command -v zypper&>/dev/null; then sudo zypper install -y $pkg &>/dev/null ;
|
||||
else error "Kein unterstützter Paketmanager – installiere $pkg manuell."; return 1; fi
|
||||
log "$pkg wurde installiert."
|
||||
local p=$1; warn "Installiere $p…"
|
||||
if command -v apt &>/dev/null; then sudo apt update -qq && sudo apt install -y $p -qq
|
||||
elif command -v dnf &>/dev/null; then sudo dnf install -y $p &>/dev/null
|
||||
elif command -v yum &>/dev/null; then sudo yum install -y $p &>/dev/null
|
||||
elif command -v apk &>/dev/null; then sudo apk add $p &>/dev/null
|
||||
elif command -v pacman &>/dev/null; then sudo pacman -Sy --noconfirm $p &>/dev/null
|
||||
elif command -v zypper &>/dev/null; then sudo zypper install -y $p &>/dev/null
|
||||
else error "Paketmanager nicht erkannt – installiere $p manuell."; return 1; fi
|
||||
log "$p installiert."
|
||||
}
|
||||
|
||||
# ─── Setup prerequisites ─────────────────────────────────────────────────────
|
||||
SERVICE_MANAGER=$(detect_service_manager); log "Service-Manager: $SERVICE_MANAGER"
|
||||
|
||||
# ─── Preparations ─────────────────────────────────────────────────────────────
|
||||
SERVICE_MANAGER=$(detect_service_manager); log "Service‑Manager: $SERVICE_MANAGER"
|
||||
command -v sudo &>/dev/null || { warn "sudo fehlt – Installation…"; install_package sudo; }
|
||||
command -v sshd &>/dev/null || install_package openssh-server
|
||||
|
||||
[ -d "$SSH_CONFIG_DIR" ] || { warn "Erstelle $SSH_CONFIG_DIR"; sudo mkdir -p "$SSH_CONFIG_DIR"; }
|
||||
|
||||
# ─── Host keys (ed25519 & ecdsa-p384) ─────────────────────────────────────────
|
||||
for key in "$ED25519_KEY ed25519" "$ECDSA_KEY ecdsa -b 384"; do
|
||||
set -- $key; file=$1; shift; args=$*;
|
||||
[ -f "$file" ] || {
|
||||
warn "Generiere Host-Schlüssel $(basename $file)…";
|
||||
sudo ssh-keygen -t $args -f "$file" -N "" -q && sudo chmod 600 "$file" && log "Schlüssel $(basename $file) erstellt.";
|
||||
}
|
||||
# ─── Host keys ────────────────────────────────────────────────────────────────
|
||||
for entry in "$ED25519_KEY ed25519" "$ECDSA_KEY ecdsa -b 384"; do
|
||||
set -- $entry; key=$1; shift; args=$*
|
||||
[ -f "$key" ] || { warn "Generiere Host-Key $(basename $key)…"; sudo ssh-keygen -t $args -f "$key" -N "" -q && sudo chmod 600 "$key" && log "Key erstellt."; }
|
||||
done
|
||||
|
||||
# ─── Replace main config with include only ────────────────────────────────────
|
||||
warn "Setze $SSH_MAIN_CONFIG auf Include…"
|
||||
echo "Include $SSH_CONFIG_DIR/*.conf" | sudo tee "$SSH_MAIN_CONFIG" >/dev/null
|
||||
|
||||
# ─── Remove legacy configs ────────────────────────────────────────────────────
|
||||
sudo rm -f $SSH_CONFIG_DIR/*
|
||||
|
||||
# ─── Collect allowed users + optional creation ───────────────────────────────
|
||||
# ─── User handling ────────────────────────────────────────────────────────────
|
||||
read -rp $'\e[1;34mWelche Benutzer dürfen sich per SSH anmelden? (Leerzeichen-getrennt): \e[0m' SSH_USERS
|
||||
VALID_USERS=""
|
||||
|
||||
# distribution-specific sudo group
|
||||
# distribution‑specific sudo group
|
||||
declare -A distro_sudo=( [ubuntu]=sudo [debian]=sudo [raspbian]=sudo [centos]=wheel [fedora]=wheel [rhel]=wheel [almalinux]=wheel [rocky]=wheel [ol]=wheel [arch]=wheel [manjaro]=wheel [alpine]=wheel )
|
||||
SUDO_GROUP="sudo"
|
||||
[ -f /etc/os-release ] && { . /etc/os-release; SUDO_GROUP=${distro_sudo[$ID]:-sudo}; }
|
||||
SUDO_GROUP=sudo; [ -f /etc/os-release ] && { . /etc/os-release; SUDO_GROUP=${distro_sudo[$ID]:-sudo}; }
|
||||
log "Benutze sudo-Gruppe: $SUDO_GROUP"
|
||||
|
||||
for user in $SSH_USERS; do
|
||||
if id "$user" &>/dev/null; then
|
||||
log "Benutzer $user existiert."
|
||||
VALID_USERS+="$user "
|
||||
continue
|
||||
fi
|
||||
read -rp $'\e[1;34mBenutzer '"$user"$' existiert nicht. Anlegen? [y/N]: \e[0m' CREATE
|
||||
[[ $CREATE =~ ^[Yy]$ ]] || continue
|
||||
read -rsp $'\e[1;34mPasswort für '"$user"$': \e[0m' PW; echo
|
||||
sudo useradd -m -s /bin/bash "$user" && echo "$user:$PW" | sudo chpasswd
|
||||
sudo usermod -aG "$SUDO_GROUP" "$user"
|
||||
sudo install -d -m700 -o "$user" -g "$user" "/home/$user/.ssh"
|
||||
sudo touch "/home/$user/.ssh/authorized_keys" && sudo chmod 600 "/home/$user/.ssh/authorized_keys" && sudo chown "$user":"$user" "/home/$user/.ssh/authorized_keys"
|
||||
read -rp $'\e[1;34mSSH Public Key für '"$user"$' hinzufügen? [y/N]: \e[0m' ADDKEY
|
||||
if [[ $ADDKEY =~ ^[Yy]$ ]]; then
|
||||
read -rp $'\e[1;34mPublic Key: \e[0m' KEY
|
||||
echo "$KEY" | sudo tee -a "/home/$user/.ssh/authorized_keys" >/dev/null
|
||||
fi
|
||||
VALID_USERS+="$user "
|
||||
for u in $SSH_USERS; do
|
||||
if id "$u" &>/dev/null; then log "Benutzer $u existiert."; VALID_USERS+="$u "; continue; fi
|
||||
read -rp $'\e[1;34mBenutzer '"$u"$' anlegen? [y/N]: \e[0m' create; [[ $create =~ ^[Yy]$ ]] || continue
|
||||
read -rsp $'\e[1;34mPasswort für '"$u"$': \e[0m' pw; echo
|
||||
sudo useradd -m -s /bin/bash "$u" && echo "$u:$pw" | sudo chpasswd
|
||||
sudo usermod -aG "$SUDO_GROUP" "$u"
|
||||
sudo install -d -m700 -o "$u" -g "$u" "/home/$u/.ssh"
|
||||
sudo touch "/home/$u/.ssh/authorized_keys" && sudo chmod 600 "/home/$u/.ssh/authorized_keys" && sudo chown "$u":"$u" "/home/$u/.ssh/authorized_keys"
|
||||
read -rp $'\e[1;34mSSH Public Key für '"$u"$' hinzufügen? [y/N]: \e[0m' addkey
|
||||
if [[ $addkey =~ ^[Yy]$ ]]; then read -rp $'\e[1;34mPublic Key: \e[0m' key; echo "$key" | sudo tee -a "/home/$u/.ssh/authorized_keys" >/dev/null; fi
|
||||
VALID_USERS+="$u "
|
||||
done
|
||||
|
||||
# ─── Determine SFTP-server binary ─────────────────────────────────────────────
|
||||
for path in /usr/lib/openssh/sftp-server /usr/libexec/openssh/sftp-server /usr/lib/ssh/sftp-server; do [ -x "$path" ] && SFTP_PATH=$path && break; done
|
||||
SFTP_PATH=${SFTP_PATH:-internal-sftp}
|
||||
log "SFTP-Pfad: $SFTP_PATH"
|
||||
# ─── SFTP binary discovery ───────────────────────────────────────────────────
|
||||
for p in /usr/lib/openssh/sftp-server /usr/libexec/openssh/sftp-server /usr/lib/ssh/sftp-server; do [ -x "$p" ] && SFTP_PATH=$p && break; done
|
||||
SFTP_PATH=${SFTP_PATH:-internal-sftp}; log "SFTP-Pfad: $SFTP_PATH"
|
||||
|
||||
# ─── Check for PAM ────────────────────────────────────────────────────────────
|
||||
# ─── PAM detection ────────────────────────────────────────────────────────────
|
||||
PAM_AVAILABLE=false
|
||||
[ -d /etc/pam.d ] && { find / -maxdepth 2 -name 'libpam.so*' -quit | grep -q libpam && PAM_AVAILABLE=true; }
|
||||
$PAM_AVAILABLE && log "PAM verfügbar." || warn "PAM nicht gefunden – UsePAM wird deaktiviert."
|
||||
$PAM_AVAILABLE && log "PAM verfügbar." || warn "PAM nicht gefunden – UsePAM wird ausgelassen."
|
||||
|
||||
# ─── Generate modern, hardened secure.conf ────────────────────────────────────
|
||||
# ─── Generate secure.conf ─────────────────────────────────────────────────────
|
||||
warn "Erstelle $SSH_CONFIG_FILE (modern hardened)…"
|
||||
|
||||
sudo tee "$SSH_CONFIG_FILE" >/dev/null <<EOF
|
||||
@@ -148,54 +127,47 @@ sudo tee "$SSH_CONFIG_FILE" >/dev/null <<EOF
|
||||
# Generated $(date -u +'%Y-%m-%dT%H:%MZ')
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
|
||||
AddressFamily inet # IPv4 only
|
||||
Port 22 # default port – change if needed
|
||||
AddressFamily inet
|
||||
Port 22
|
||||
|
||||
# Modern host keys only
|
||||
HostKey $ED25519_KEY
|
||||
HostKey $ECDSA_KEY
|
||||
|
||||
# Post-quantum hybrid first
|
||||
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group14-sha256
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||
MACs hmac-sha2-512,hmac-sha2-256
|
||||
|
||||
# Logging & rate-limits
|
||||
SyslogFacility AUTHPRIV
|
||||
LogLevel VERBOSE
|
||||
MaxStartups 10:30:100
|
||||
|
||||
# Login settings
|
||||
LoginGraceTime 30s
|
||||
PermitRootLogin no
|
||||
PermitEmptyPasswords no
|
||||
IgnoreRhosts yes
|
||||
StrictModes yes
|
||||
|
||||
# Authentication flow – publickey only (FIDO2/U2F etc.)
|
||||
PubkeyAuthentication yes
|
||||
PasswordAuthentication no
|
||||
KbdInteractiveAuthentication no
|
||||
AuthenticationMethods publickey
|
||||
|
||||
# PAM (if available)
|
||||
UsePAM $($PAM_AVAILABLE && echo yes || echo no)
|
||||
PrintMotd no
|
||||
|
||||
# X11 forwarding disabled
|
||||
# X11 & SFTP
|
||||
X11Forwarding no
|
||||
|
||||
# SFTP subsystem
|
||||
Subsystem sftp $SFTP_PATH
|
||||
|
||||
# Keepalive
|
||||
ClientAliveInterval 300
|
||||
ClientAliveCountMax 2
|
||||
|
||||
AllowUsers ${VALID_USERS%% } # strip trailing space
|
||||
AllowUsers ${VALID_USERS%% }
|
||||
EOF
|
||||
|
||||
log "Secure-Config geschrieben."
|
||||
# Append PAM directives only if available
|
||||
if $PAM_AVAILABLE; then
|
||||
printf '\nUsePAM yes\nPrintMotd no\n' | sudo tee -a "$SSH_CONFIG_FILE" >/dev/null
|
||||
fi
|
||||
|
||||
log "Secure‑Config geschrieben."
|
||||
|
||||
# ─── Validate & restart SSH ──────────────────────────────────────────────────
|
||||
[ -d /run/sshd ] || { sudo mkdir -p /run/sshd; sudo chmod 0755 /run/sshd; }
|
||||
|
||||
Reference in New Issue
Block a user