Init SSH CA client deployment script

Signed-off-by: Georg <georg@lysergic.dev>
2021-12-04 18:55:51 +01:00 · 2021-12-04 18:55:51 +01:00 · 7bcae4982d
commit 7bcae4982d
parent 209f09dc5c
1 changed files with 72 additions and 0 deletions
--- a/scripts/sh/deploy_ssh_ca_client.sh
+++ b/scripts/sh/deploy_ssh_ca_client.sh
@ -0,0 +1,72 @@
+#!/bin/sh
+#
+# Deploys SSH client configuration for nodes with CA signed host certificates and CA based user authentication. Standalone nodes may not use this script.
+# Currently only designed for systemd based GNU/Linux distributions and OpenBSD. To-Do: support Sys-V init and Lukem RC based systems.
+#
+# Author: Georg Pfuetzenreuter <georg@lysergic.dev>
+# Last edit: 04/12/2021
+#
+# Not ready for production use.
+
+get_ip_address () {
+        case $KERNEL in
+                "OpenBSD" ) ifconfig  | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}' | head -n1
+                ;;
+                "Linux" ) ip addr show eth0 | awk '$1 == "inet" {gsub(/\/.*$/, "", $2); print $2}'
+                ;;
+        esac
+
+}
+HOSTNAME=$(hostname -s)
+KERNEL=$(uname)
+IP_ADDRESS="$(get_ip_address)"
+if [ "$KERNEL" = "OpenBSD" ] || [ "$KERNEL" = "Linux" ]; then
+        if [ -f /tmp/$HOSTNAME ] && [ -f /tmp/$HOSTNAME-cert.pub ]; then
+                mkdir /etc/ssh/old
+                [ -f /etc/ssh/ssh_known_hosts ] && mv /etc/ssh/ssh_known_hosts/ /etc/ssh/old/
+                if compgen -G "/etc/ssh/ssh_host_*" > /dev/null; then
+                mv /etc/ssh/ssh_host_* /etc/ssh/old/
+                fi
+                mv /etc/ssh/sshd_config /etc/ssh/old/
+                [ -f /etc/ssh/ssh_config ] && mv /etc/ssh/old/
+                mv /tmp/$HOSTNAME /etc/ssh/
+                mv /tmp/$HOSTNAME-cert.pub /etc/ssh/
+                cat <<'EOF_SSHD_CONFIG' >/etc/ssh/sshd_config
+ListenAddress   $IP_ADDRESS
+Protocol        2
+SyslogFacility  AUTH
+LogLevel        FATAL
+
+HostKey                         /etc/ssh/$HOSTNAME
+HostCertificate                 /etc/ssh/$HOSTNAME-cert.pub
+TrustedUserCAKeys               /etc/ssh/user_ca
+PasswordAuthentication          no
+ChallengeResponseAuthentication no
+AuthenticationMethods           publickey
+
+LoginGraceTime  1m
+PermitRootLogin no
+StrictModes     yes
+MaxAuthTries    1
+MaxSessions     3
+
+X11Forwarding   no
+PrintMotd       yes
+PrintLastLog    yes
+EOF_SSHD_CONFIG
+        cat <<'EOF_USER_CA' >/etc/ssh/user_ca
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLbLqHWXcxLGf58aJwa4eSC3KYGfdIiluKynOXS/fZD system@lysergic.dev
+EOF_USER_CA
+                case $KERNEL in
+                        "OpenBSD" ) rcctl reload sshd
+                        ;;
+                        "Linux" ) systemctl reload sshd
+                        ;;
+                esac
+                echo "OK"
+        else
+                echo "Missing host certificate and public key, copy them to /tmp/ for me."
+        fi
+else
+        echo "Unsupported operating system, please configure sshd manually."
+fi