Verified Commit f7ffd0c3 authored by likewhoa's avatar likewhoa

Add SSH public key authentication and disable PAM logins

parent f2d7c875
#!/bin/bash
# shellcheck source=/dev/null disable=SC2154
. "$HOME"/RoninDojo/Scripts/defaults.sh
. "$HOME"/RoninDojo/Scripts/functions.sh
_load_user_conf
OPTIONS=(1 "Firewall"
2 "Secure Shell (SSH)"
3 "Go Back")
CHOICE=$(dialog --clear \
--title "$TITLE" \
--menu "$MENU" \
"$HEIGHT" "$WIDTH" "$CHOICE_HEIGHT" \
"${OPTIONS[@]}" \
2>&1 >/dev/tty)
clear
case $CHOICE in
1)
bash -c "${ronin_firewall_menu}"
;;
2)
bash -c "${ronin_ssh_menu}"
;;
3)
bash -c "${ronin_system_menu2}"
# returns to menu
;;
esac
exit
\ No newline at end of file
#!/bin/bash
# shellcheck source=/dev/null disable=SC2154
. "$HOME"/RoninDojo/Scripts/defaults.sh
. "$HOME"/RoninDojo/Scripts/functions.sh
_load_user_conf
OPTIONS=(1 "Start"
2 "Stop"
3 "Restart"
4 "Enable Public Key Authentication"
5 "Disable Public Key Authentication"
6 "Add Public Key"
7 "Delete Public Key"
8 "Go Back")
CHOICE=$(dialog --clear \
--title "$TITLE" \
--menu "$MENU" \
"$HEIGHT" "$WIDTH" "$CHOICE_HEIGHT" \
"${OPTIONS[@]}" \
2>&1 >/dev/tty)
clear
case $CHOICE in
1)
if _is_active sshd; then
printf "%s\n***\nStarting SSH...\n***%s\n" "${red}" "${nc}"
else
printf "%s\n***\nSSH already started...\n***%s\n" "${red}" "${nc}"
fi
_pause continue
bash -c "${ronin_ssh_menu}"
;;
2)
printf "%s\n***\nStopping SSH...\n***%s\n" "${red}" "${nc}"
if systemctl is-active --quiet sshd; then
sudo systemctl stop --quiet sshd
else
printf "%s\n***\nSSH already stopped...\n***%s\n" "${red}" "${nc}"
fi
_pause continue
bash -c "${ronin_ssh_menu}"
;;
3)
printf "%s\n***\nRestarting SSH...\n***%s\n" "${red}" "${nc}"
sudo systemctl reload-or-restart --quiet sshd
_pause continue
bash -c "${ronin_ssh_menu}"
;;
4)
# If already enabled, just return to menu
if _ssh_key_authentication enable; then
if _ssh_key_authentication add-ssh-key; then
printf "%s\n***\nVerify connection now...\n***%s\n" "${red}" "${nc}"
_pause continue
if ! _yes_or_no "Did connection work?"; then
_ssh_key_authentication disable
fi
printf "%s\n***\nReturning to menu...\n***%s\n" "${red}" "${nc}"
fi
fi
_pause continue
# Return to menu
bash -c "${ronin_ssh_menu}"
;;
5)
if ! sudo grep -q "UsePAM no" /etc/ssh/sshd_config; then
printf "%s\n***\nSSH Key Authentication not enabled! Returning to menu...\n***%s\n" "${red}" "${nc}"
else
printf "%s\n***\nDisabling SSH Key Authentication...\n***%s\n\n" "${red}" "${nc}"
if _yes_or_no "${red}Do you wish to continue?${nc}"; then
_ssh_key_authentication disable
fi
fi
_pause continue
bash -c "${ronin_ssh_menu}"
;;
6)
if ! sudo grep -q "UsePAM no" /etc/ssh/sshd_config; then
printf "%s\n***\nSSH Key Authentication not enabled! Returning to menu...\n***%s\n" "${red}" "${nc}"
else
if _ssh_key_authentication add-ssh-key; then
printf "%s\n***\nKey successfully added... Returning to menu...\n***%s\n" "${red}" "${nc}"
else
printf "%s\n***\nKey already exists... Returning to menu...\n***%s\n" "${red}" "${nc}"
fi
fi
_pause continue
bash -c "${ronin_ssh_menu}"
;;
7)
if ! sudo grep -q "UsePAM no" /etc/ssh/sshd_config; then
printf "%s\n***\nSSH Key Authentication not enabled! Returning to menu...\n***%s\n" "${red}" "${nc}"
else
if _ssh_key_authentication del-ssh-key; then
printf "%s\n***\nKey has been removed... Returning to menu\n***%s\n" "${red}" "${nc}"
else
printf "%s\n***\nKey not available to delete... Returning to menu\n***%s\n" "${red}" "${nc}"
fi
fi
_pause continue
bash -c "${ronin_ssh_menu}"
;;
8)
bash -c "${ronin_networking_menu}"
;;
esac
exit
\ No newline at end of file
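Review bot: Arm 4 (L82–L97) can lock the operator out: `_ssh_key_authentication enable` restarts sshd with password authentication off, and if the following `add-ssh-key` fails (e.g. the pasted key is rejected) the inner block is skipped and the menu returns with key-only auth and no authorized key, while the "Did connection work?" rollback only runs after a successful add. Add an `else` arm to the inner `if` that calls `_ssh_key_authentication disable` (or, better, collect and validate the key before calling `enable` at all; note that `disable` as written also removes `~/.ssh`). Separately, the Start arm (L58–L62) never runs `sudo systemctl start --quiet sshd` and its condition reads inverted — it prints "Starting SSH..." when `_is_active sshd` succeeds and "already started" otherwise — so mirror the Stop arm's shape. The `grep -q "UsePAM no"` state checks at L99, L111 and L124 will also match a commented-out `#UsePAM no` line if one exists in the config; anchor them as `grep -q "^UsePAM no"`.
```shell
1)
  if systemctl is-active --quiet sshd; then
    printf "%s\n***\nSSH already started...\n***%s\n" "${red}" "${nc}"
  else
    printf "%s\n***\nStarting SSH...\n***%s\n" "${red}" "${nc}"
    sudo systemctl start --quiet sshd
  fi
  _pause continue
  bash -c "${ronin_ssh_menu}"
  ;;
# … unchanged: arms 2 and 3 …
4)
  if _ssh_key_authentication enable; then
    if _ssh_key_authentication add-ssh-key; then
      # … unchanged: "Verify connection now" prompt and rollback …
    else
      # Key was rejected: do not leave sshd in key-only mode with no key installed
      _ssh_key_authentication disable
    fi
  fi
  # … unchanged: pause and return to menu …
  ;;
```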
......@@ -6,7 +6,7 @@
_load_user_conf
OPTIONS=(1 "Firewall"
OPTIONS=(1 "Networking"
2 "Change User Password"
3 "Change Root Password"
4 "Lock Root User"
......@@ -24,7 +24,7 @@ CHOICE=$(dialog --clear \
clear
case $CHOICE in
1)
bash -c "${ronin_firewall_menu}"
bash -c "${ronin_networking_menu}"
;;
2)
cat <<EOF
......
......@@ -63,6 +63,8 @@ ronin_boltzmann_menu="$HOME/RoninDojo/Scripts/Menu/menu-boltzmann.sh"
ronin_dojo_menu="$HOME/RoninDojo/Scripts/Menu/menu-dojo.sh"
ronin_dojo_menu2="$HOME/RoninDojo/Scripts/Menu/menu-dojo2.sh"
ronin_electrs_menu="$HOME/RoninDojo/Scripts/Menu/menu-electrs.sh"
ronin_networking_menu="$HOME/RoninDojo/Scripts/Menu/menu-networking.sh"
ronin_ssh_menu="$HOME/RoninDojo/Scripts/Menu/menu-ssh.sh"
ronin_firewall_menu="$HOME/RoninDojo/Scripts/Menu/menu-firewall.sh"
ronin_firewall_menu2="$HOME/RoninDojo/Scripts/Menu/menu-firewall2.sh"
ronin_mempool_menu="$HOME/RoninDojo/Scripts/Menu/menu-mempool.sh"
......
......@@ -2688,3 +2688,144 @@ _ufw_rule_add(){
sudo ufw reload
fi
}
#
# Yes or No Prompt
#
_yes_or_no() {
while true; do
read -rp "$* ${green}[y/n]:${nc} " yn
case $yn in
[Yy]*) return 0;;
[Nn]*) return 1;;
esac
done
}
#
# SSH Key Management
#
_ssh_key_authentication() {
local _add_ssh_key=false _del_ssh_key=false _pub_ssh_key_path=/tmp/pub-ssh-key
# Parse Arguments
while [ $# -gt 0 ]; do
case "$1" in
add-ssh-key)
_add_ssh_key=true
break
;;
del-ssh-key)
_del_ssh_key=true
break
;;
enable)
if sudo grep -q "UsePAM no" /etc/ssh/sshd_config; then
printf "%s\n***\nSSH Key Authentication already enabled! Returning to menu...\n***%s\n" "${red}" "${nc}"
return 1
else
printf "%s\n***\nThis will enable SSH key authentication ONLY and will disable password authentication...\n***%s\n\n" "${red}" "${nc}"
if _yes_or_no "Do you wish to continue?"; then
printf "%s\n***\nGenerating sshd configuration file...\n***%s\n" "${red}" "${nc}"
# Backup original sshd_config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_original
sudo bash -c "cat <<EOF >/etc/ssh/sshd_config
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM no
AllowUsers $USER
EOF
"
printf "%s\n***\nRestarting SSH daemon...\n***%s\n\n" "${red}" "${nc}"
sudo systemctl restart --quiet sshd
else
return 1
fi
return 0
fi
;;
disable)
if sudo grep -q "UsePAM no" /etc/ssh/sshd_config; then
printf "%s\n***\nRestoring sshd_config to defaults...\n***%s\n" "${red}" "${nc}"
sudo cp /etc/ssh/sshd_config_original /etc/ssh/sshd_config
printf "%s\n***\nDeleting $HOME/.ssh directory containing keys...\n***%s\n" "${red}" "${nc}"
rm -rf "$HOME"/.ssh || exit
# Restart sshd
sudo systemctl restart --quiet sshd
return 0
else
printf "%s\n***\nSSH Key Authentication not enabled! Returning to menu...\n***%s\n" "${red}" "${nc}"
return 1
fi
;;
esac
done
read -rp "${red}Paste a valid SSH public key: ${nc}" _pub_ssh_key
# Create a temporaly file with pasta contents
echo "${_pub_ssh_key}">"${_pub_ssh_key_path}"
# Verify key
if ssh-keygen -lf "${_pub_ssh_key_path}" 1>/dev/null; then
test -d "$HOME"/.ssh || mkdir "$HOME"/.ssh
# Adding to authorized_keys & removing temporaly file
if [ -f "$HOME"/.ssh/authorized_keys ]; then
if grep -q "${_pub_ssh_key}" "$HOME"/.ssh/authorized_keys; then
if ${_add_ssh_key}; then
# Key already found
printf "%s\n***\nSSH public key already found. Returning to menu...\n***%s\n" "${red}" "${nc}"
return 1
elif ${_del_ssh_key}; then
# Delete key
sed -i "/${_pub_ssh_key}/d" "$HOME"/.ssh/authorized_keys
return 0
fi
else
# Adding new key
echo "${_pub_ssh_key}" >>"$HOME"/.ssh/authorized_keys
# Shred temporaly key
shred -uzfs 42 "${_pub_ssh_key_path}"
# Unset variable
unset _pub_ssh_key_path
return 0
fi
else
if ${_del_ssh_key}; then
# No key found to delete
return 1
elif ${_add_ssh_key}; then
# Adding new key
echo "${_pub_ssh_key}" >>"$HOME"/.ssh/authorized_keys
# Shred temporaly key
shred -uzfs 42 "${_pub_ssh_key_path}"
# Unset variable
unset _pub_ssh_key_path
return 0
fi
fi
else
printf "%s\n***\nInvalid SSH public key!\n***\n\n***Example SSH public key below...\n***%s\n" "${red}" "${nc}"
printf "\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJuh9yEnlKJT1A/MijVQm2fFxoxlX3Bb1JXSUMwOX9E/ likewhoa@localhost\n"
printf "%s\n***\nReturning to menu...\n***%s\n" "${red}" "${nc}"
return 1
fi
}
\ No newline at end of file
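Review bot: `sed -i "/${_pub_ssh_key}/d"` at L257 fails on real keys: the base64 body routinely contains `/` (the example key on L285 has two), which terminates the sed address early, so the delete path errors out instead of removing the key; the `grep -q "${_pub_ssh_key}"` at L250 likewise treats the key as a regex and would treat a `-`-leading comment field as an option. Use fixed-string, whole-line matching for both: `grep -qxF -- "${_pub_ssh_key}" "$HOME"/.ssh/authorized_keys` for the lookup, and for deletion `grep -vxF -- "${_pub_ssh_key}" "$HOME"/.ssh/authorized_keys > "$HOME"/.ssh/authorized_keys.tmp && mv "$HOME"/.ssh/authorized_keys.tmp "$HOME"/.ssh/authorized_keys`. The `enable` branch (L211–L219) replaces the entire sshd_config with four directives — dropping whatever the distro file carried (HostKey, Subsystem sftp, Port lines, if present) — and restarts sshd before any key has been authorized; editing only those directives (or a drop-in under `/etc/ssh/sshd_config.d/` where the installed OpenSSH supports `Include`), adding `KbdInteractiveAuthentication no` next to `PasswordAuthentication no`, and deferring the restart until a key has been added would avoid both a broken daemon and a lockout window. The `grep -q "UsePAM no"` checks at L202 and L227 also match a commented `#UsePAM no` (which the upstream template ships), so anchor them as `^UsePAM no`, and `disable` (L231) wipes the whole `~/.ssh` — the user's private keys and known_hosts included — when only `authorized_keys` was created here. The fixed `/tmp/pub-ssh-key` path at L189 is predictable on a shared /tmp and is only shredded on the success paths (the invalid-key branch at L283–L288 leaves it behind); `mktemp` with a cleanup trap, or piping the key to `ssh-keygen -lf -` on stdin, removes the file entirely.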