From 007556d212c64a915002366adde7e73d9fcec615 Mon Sep 17 00:00:00 2001
From: Akemi Izuko
Date: Sat, 23 Dec 2023 20:14:04 -0700
Subject: [PATCH] Add ssh[d] templates and checks
---
 post_install.sh | 50 ++++++++++++++++++++++++++++++++++++++++
 ssh/template.config | 30 ++++++++++++++++++++++++
 ssh/template.sshd_config | 18 +++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 ssh/template.config
 create mode 100644 ssh/template.sshd_config
diff --git a/post_install.sh b/post_install.sh
index 5e85c74..c9e5ab5 100755
--- a/post_install.sh
+++ b/post_install.sh
@@ -360,6 +360,55 @@ check_gitconfig() {
 return $return_code
 }
 
+####################
+# SSH
+####################
+ssh_checks() {
+ check_sshconfig
+ check_sshdconfig
+}
+
+check_sshconfig() {
+ local return_code=0
+
+ if ! [[ -r ~/.ssh/config ]]; then
+ printf 'ERR: Missing ssh config at ~/.ssh/config\n'
+ printf '\tSee ./ssh/template.config for an example\n'
+ return_code=1
+ elif ! grep -Eq 'Host (codeberg.org|github.com|\*sr.ht)' ~/.ssh/config; then
+ printf 'ERR: No hosts in ~/.ssh/config\n'
+ printf '\tSee ./ssh/template.config for an example\n'
+ return_code=1
+ fi
+
+ return $return_code
+}
+
+check_sshdconfig() {
+ local return_code=0
+
+ if ! grep -q 'PasswordAuthentication no' /etc/ssh/sshd_config; then
+ printf 'ERR: Password authentication permitted in /etc/ssh/sshd_config\n'
+ printf '\tSee ./ssh/template.sshd_config for an example\n'
+ return_code=1
+ fi
+
+ if ! grep -q 'PermitRootLogin no' /etc/ssh/sshd_config; then
+ printf 'ERR: Root login permitted in /etc/ssh/sshd_config\n'
+ printf '\tSee ./ssh/template.sshd_config for an example\n'
+ return_code=1
+ fi
+
+ if grep -q 'Port 22' /etc/ssh/sshd_config || ! grep -q 'Port' /etc/ssh/sshd_config; then
+ printf 'ERR: Still using port 22 for sshd\n'
+ printf '\tSee ./ssh/template.sshd_config for an example\n'
+ return_code=1
+ fi
+
+ return $return_code
+}
+
+
 if [[ "$1" == 'status' && "$(uname -s)" == 'Linux' ]]; then
 configs_pointer_is_setup || exit 1
 
@@ -372,6 +421,7 @@ if [[ "$1" == 'status' && "$(uname -s)" == 'Linux' ]]; then
 tmux_check
 aerc_checks
 git_checks
+ ssh_checks
 else
 print_help
 fi
diff --git a/ssh/template.config b/ssh/template.config
new file mode 100644
index 0000000..5dbf96c
--- /dev/null
+++ b/ssh/template.config
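Review bot: The three `grep -q` calls in check_sshdconfig match anywhere on a line, so the commented-out defaults that the stock sshd_config ships (`#Port 22`, `#PermitRootLogin prohibit-password`, `#PasswordAuthentication yes`) and any commented `#PasswordAuthentication no` trip or satisfy the checks regardless of the effective setting, and `grep -q 'Port'` also matches `GatewayPorts`. Anchoring on the directive keyword fixes this: `if ! grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' /etc/ssh/sshd_config; then`, `if ! grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no' /etc/ssh/sshd_config; then`, and `if ! grep -Eiq '^[[:space:]]*Port[[:space:]]+[0-9]+' /etc/ssh/sshd_config || grep -Eiq '^[[:space:]]*Port[[:space:]]+22([[:space:]]|$)' /etc/ssh/sshd_config; then` (sshd keywords are case-insensitive, hence `-i`). Even anchored, the checks read only the main file; if the distribution's sshd_config pulls in `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in can set a value sshd honours while the main-file grep passes, so a comment pointing at `sshd -T` (needs root) as the way to see the effective configuration would help. The password check also passes on a host where `KbdInteractiveAuthentication` plus PAM still accepts passwords; the template's `AuthenticationMethods publickey` line closes that, but nothing here verifies it is present.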
@@ -0,0 +1,30 @@
+# vim: set ft=sshconfig:
+
+Host undergrad
+ ForwardX11 no
+ Hostname cs.ox.ac.uk
+ IdentitiesOnly=yes
+ IdentityFile ~/.ssh/cs_labs
+ LocalForward 8001 localhost:7000
+ Port 22
+ User emiliko
+
+Host waybook
+ Hostname 192.168.0.10
+ IdentitiesOnly=yes
+ IdentityFile ~/.ssh/waybook
+ LocalForward 9002 localhost:9001
+ Port 22
+ User emiliko
+
+Host github.com
+ Hostname github.com
+ IdentityFile ~/.ssh/github_main
+
+Host codeberg.org
+ Hostname codeberg.org
+ IdentityFile ~/.ssh/codeberg_main
+
+Host *sr.ht
+ IdentityFile ~/.ssh/sourcehut_main
+ PreferredAuthentications publickey
diff --git a/ssh/template.sshd_config b/ssh/template.sshd_config
new file mode 100644
index 0000000..e4f6ceb
--- /dev/null
+++ b/ssh/template.sshd_config
@@ -0,0 +1,18 @@
+# vim: set ft=sshdconfig:
+
+# Security - Not optional.
+PasswordAuthentication no
+AuthenticationMethods publickey
+PermitRootLogin no
+PermitEmptyPasswords no
+# Ipv4 only. Use inet6 for ipv6 only
+AddressFamily inet
+
+# Server setup
+ # Not port 22, to avoid clogging up journalctl from bots
+Port 29800
+ # Prone to spoofing, use ClientAlive* instead
+TCPKeepAlive no
+ # Send a message every 30s, disconnect after an (30s * 120) = 1 hour
+ClientAliveInterval 30
+ClientAliveCountMax 120
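Review bot: The `Host github.com`, `Host codeberg.org` and `Host *sr.ht` stanzas each name an `IdentityFile` but, unlike `undergrad` and `waybook`, omit `IdentitiesOnly yes`, so ssh still offers every key loaded in the agent before the named one; adding `IdentitiesOnly yes` to those three stanzas makes the template consistent and keeps unrelated identities from being presented to those services. The file also mixes the `IdentitiesOnly=yes` form with the `Keyword value` form used everywhere else; ssh accepts both, but a template reads better with one. Since this is a template, the concrete `User emiliko`, `Hostname 192.168.0.10` and `Hostname cs.ox.ac.uk` values would be clearer as placeholders such as `User <your-username>`.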
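Review bot: The comment above `ClientAliveInterval 30` reads as if the server drops a session after an hour, but `ClientAliveCountMax` counts consecutive probes the client fails to answer, so a live but idle client is kept indefinitely and only a dead link is torn down after 30s × 120. Rewording it to `# Probe every 30s; drop the session after 120 unanswered probes (1 hour on a dead link) - not an idle timeout` states what the pair actually does. A one-line note that `AuthenticationMethods publickey` is what blocks keyboard-interactive/PAM password prompts, which `PasswordAuthentication no` alone does not, would also explain why both lines sit in the "Not optional" block.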