From ab28db5bf832493d4f1ac3cea112c4bccbcf69e4 Mon Sep 17 00:00:00 2001
From: Georg
Date: Sat, 4 Dec 2021 18:55:51 +0100
Subject: [PATCH] Init SSH CA client deployment script
Signed-off-by: Georg
---
 scripts/sh/deploy_ssh_ca_client.sh | 72 ++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 scripts/sh/deploy_ssh_ca_client.sh
diff --git a/scripts/sh/deploy_ssh_ca_client.sh b/scripts/sh/deploy_ssh_ca_client.sh
new file mode 100644
index 0000000..078ef77
--- /dev/null
+++ b/scripts/sh/deploy_ssh_ca_client.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+#
+# Deploys SSH client configuration for nodes with CA signed host certificates and CA based user authentication. Standalone nodes may not use this script.
+# Currently only designed for systemd based GNU/Linux distributions and OpenBSD. To-Do: support Sys-V init and Lukem RC based systems.
+#
+# Author: Georg Pfuetzenreuter
+# Last edit: 04/12/2021
+#
+# Not ready for production use.
+
+get_ip_address () {
+ case $KERNEL in
+ "OpenBSD" ) ifconfig | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}' | head -n1
+ ;;
+ "Linux" ) ip addr show eth0 | awk '$1 == "inet" {gsub(/\/.*$/, "", $2); print $2}'
+ ;;
+ esac
+
+}
+HOSTNAME=$(hostname -s)
+KERNEL=$(uname)
+IP_ADDRESS="$(get_ip_address)"
+if [ "$KERNEL" = "OpenBSD" ] || [ "$KERNEL" = "Linux" ]; then
+ if [ -f /tmp/$HOSTNAME ] && [ -f /tmp/$HOSTNAME-cert.pub ]; then
+ mkdir /etc/ssh/old
+ [ -f /etc/ssh/ssh_known_hosts ] && mv /etc/ssh/ssh_known_hosts/ /etc/ssh/old/
+ if compgen -G "/etc/ssh/ssh_host_*" > /dev/null; then
+ mv /etc/ssh/ssh_host_* /etc/ssh/old/
+ fi
+ mv /etc/ssh/sshd_config /etc/ssh/old/
+ [ -f /etc/ssh/ssh_config ] && mv /etc/ssh/old/
+ mv /tmp/$HOSTNAME /etc/ssh/
+ mv /tmp/$HOSTNAME-cert.pub /etc/ssh/
+ cat <<'EOF_SSHD_CONFIG' >/etc/ssh/sshd_config
+ListenAddress $IP_ADDRESS
+Protocol 2
+SyslogFacility AUTH
+LogLevel FATAL
+
+HostKey /etc/ssh/$HOSTNAME
+HostCertificate /etc/ssh/$HOSTNAME-cert.pub
+TrustedUserCAKeys /etc/ssh/user_ca
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+
+LoginGraceTime 1m
+PermitRootLogin no
+StrictModes yes
+MaxAuthTries 1
+MaxSessions 3
+
+X11Forwarding no
+PrintMotd yes
+PrintLastLog yes
+EOF_SSHD_CONFIG
+ cat <<'EOF_USER_CA' >/etc/ssh/user_ca
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLbLqHWXcxLGf58aJwa4eSC3KYGfdIiluKynOXS/fZD system@lysergic.dev
+EOF_USER_CA
+ case $KERNEL in
+ "OpenBSD" ) rcctl reload sshd
+ ;;
+ "Linux" ) systemctl reload sshd
+ ;;
+ esac
+ echo "OK"
+ else
+ echo "Missing host certificate and public key, copy them to /tmp/ for me."
+ fi
+else
+ echo "Unsupported operating system, please configure sshd manually."
+fi