akemi/dotfiles
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Add ssh[d] templates and checks

Browse source
This commit is contained in:
Akemi Izuko 2022-12-07 22:27:01 -07:00
parent 2f63f2014b
commit ca1103c45e
No known key found for this signature in database
GPG key ID: 905D444F6A5E4BE4
3 changed files with 98 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
post_install.sh
View file

@ -360,6 +360,55 @@ check_gitconfig() {
return $return_code return $return_code
} }
####################
# SSH
####################
ssh_checks() {
check_sshconfig
check_sshdconfig
}
check_sshconfig() {
local return_code=0
if ! [[ -r ~/.ssh/config ]]; then
printf 'ERR: Missing ssh config at ~/.ssh/config\n'
printf '\tSee ./ssh/template.config for an example\n'
return_code=1
elif ! grep -Eq 'Host (codeberg.org|github.com|\*sr.ht)' ~/.ssh/config; then
printf 'ERR: No hosts in ~/.ssh/config\n'
printf '\tSee ./ssh/template.config for an example\n'
return_code=1
fi
return $return_code
}
check_sshdconfig() {
local return_code=0
if ! grep -q 'PasswordAuthentication no' /etc/ssh/sshd_config; then
printf 'ERR: Password authentication permitted in /etc/ssh/sshd_config\n'
printf '\tSee ./ssh/template.sshd_config for an example\n'
return_code=1
fi
if ! grep -q 'PermitRootLogin no' /etc/ssh/sshd_config; then
printf 'ERR: Root login permitted in /etc/ssh/sshd_config\n'
printf '\tSee ./ssh/template.sshd_config for an example\n'
return_code=1
fi
if grep -q 'Port 22' /etc/ssh/sshd_config || ! grep -q 'Port' /etc/ssh/sshd_config; then
printf 'ERR: Still using port 22 for sshd\n'
printf '\tSee ./ssh/template.sshd_config for an example\n'
return_code=1
fi
return $return_code
}
if [[ "$1" == 'status' && "$(uname -s)" == 'Linux' ]]; then if [[ "$1" == 'status' && "$(uname -s)" == 'Linux' ]]; then
configs_pointer_is_setup || exit 1 configs_pointer_is_setup || exit 1
@ -372,6 +421,7 @@ if [[ "$1" == 'status' && "$(uname -s)" == 'Linux' ]]; then
tmux_check tmux_check
aerc_checks aerc_checks
git_checks git_checks
ssh_checks
else else
print_help print_help
fi fi

30
ssh/template.config Normal file
View file

@ -0,0 +1,30 @@
# vim: set ft=sshconfig:
Host undergrad
ForwardX11 no
Hostname cs.ox.ac.uk
IdentitiesOnly=yes
IdentityFile ~/.ssh/cs_labs
LocalForward 8001 localhost:7000
Port 22
User emiliko
Host waybook
Hostname 192.168.0.10
IdentitiesOnly=yes
IdentityFile ~/.ssh/waybook
LocalForward 9002 localhost:9001
Port 22
User emiliko
Host github.com
Hostname github.com
IdentityFile ~/.ssh/github_main
Host codeberg.org
Hostname codeberg.org
IdentityFile ~/.ssh/codeberg_main
Host *sr.ht
IdentityFile ~/.ssh/sourcehut_main
PreferredAuthentications publickey

18
ssh/template.sshd_config Normal file
View file

@ -0,0 +1,18 @@
# vim: set ft=sshdconfig:
# Security - Not optional.
PasswordAuthentication no
AuthenticationMethods publickey
PermitRootLogin no
PermitEmptyPasswords no
# Ipv4 only. Use inet6 for ipv6 only
AddressFamily inet
# Server setup
# Not port 22, to avoid clogging up journalctl from bots
Port 29800
# Prone to spoofing, use ClientAlive* instead
TCPKeepAlive no
# Send a message every 30s, disconnect after an (30s * 120) = 1 hour
ClientAliveInterval 30
ClientAliveCountMax 120