Add ssh[d] templates and checks

2022-12-07 22:27:01 -07:00 · 2022-12-07 22:27:01 -07:00 · ca1103c45e
parent 2f63f2014b
commit ca1103c45e
3 changed files with 98 additions and 0 deletions
--- a/post_install.sh
+++ b/post_install.sh
@ -360,6 +360,55 @@ check_gitconfig() {
  return $return_code
 }

+####################
+# SSH
+####################
+ssh_checks() {
+  check_sshconfig
+  check_sshdconfig
+}
+
+check_sshconfig() {
+  local return_code=0
+
+  if ! [[ -r ~/.ssh/config ]]; then
+    printf 'ERR: Missing ssh config at ~/.ssh/config\n'
+    printf '\tSee ./ssh/template.config for an example\n'
+    return_code=1
+  elif ! grep -Eq 'Host (codeberg.org|github.com|\*sr.ht)' ~/.ssh/config; then
+    printf 'ERR: No hosts in ~/.ssh/config\n'
+    printf '\tSee ./ssh/template.config for an example\n'
+    return_code=1
+  fi
+
+  return $return_code
+}
+
+check_sshdconfig() {
+  local return_code=0
+
+  if ! grep -q 'PasswordAuthentication no' /etc/ssh/sshd_config; then
+    printf 'ERR: Password authentication permitted in /etc/ssh/sshd_config\n'
+    printf '\tSee ./ssh/template.sshd_config for an example\n'
+    return_code=1
+  fi
+
+  if ! grep -q 'PermitRootLogin no' /etc/ssh/sshd_config; then
+    printf 'ERR: Root login permitted in /etc/ssh/sshd_config\n'
+    printf '\tSee ./ssh/template.sshd_config for an example\n'
+    return_code=1
+  fi
+
+  if grep -q 'Port 22' /etc/ssh/sshd_config || ! grep -q 'Port' /etc/ssh/sshd_config; then
+    printf 'ERR: Still using port 22 for sshd\n'
+    printf '\tSee ./ssh/template.sshd_config for an example\n'
+    return_code=1
+  fi
+
+  return $return_code
+}
+
+
 if [[ "$1" == 'status' && "$(uname -s)" == 'Linux' ]]; then
  configs_pointer_is_setup || exit 1

@ -372,6 +421,7 @@ if [[ "$1" == 'status' && "$(uname -s)" == 'Linux' ]]; then
  tmux_check
  aerc_checks
  git_checks
+  ssh_checks
 else
  print_help
 fi
--- a/ssh/template.config
+++ b/ssh/template.config
@ -0,0 +1,30 @@
+# vim: set ft=sshconfig:
+
+Host undergrad
+    ForwardX11 no
+    Hostname cs.ox.ac.uk
+    IdentitiesOnly=yes
+    IdentityFile ~/.ssh/cs_labs
+    LocalForward 8001 localhost:7000
+    Port 22
+    User emiliko
+
+Host waybook
+    Hostname 192.168.0.10
+    IdentitiesOnly=yes
+    IdentityFile ~/.ssh/waybook
+    LocalForward 9002 localhost:9001
+    Port 22
+    User emiliko
+
+Host github.com
+    Hostname github.com
+    IdentityFile ~/.ssh/github_main
+
+Host codeberg.org
+    Hostname codeberg.org
+    IdentityFile ~/.ssh/codeberg_main
+
+Host *sr.ht
+    IdentityFile ~/.ssh/sourcehut_main
+    PreferredAuthentications publickey
--- a/ssh/template.sshd_config
+++ b/ssh/template.sshd_config
@ -0,0 +1,18 @@
+# vim: set ft=sshdconfig:
+
+# Security - Not optional.
+PasswordAuthentication no
+AuthenticationMethods publickey
+PermitRootLogin no
+PermitEmptyPasswords no
+# Ipv4 only. Use inet6 for ipv6 only
+AddressFamily inet
+
+# Server setup
+    # Not port 22, to avoid clogging up journalctl from bots
+Port 29800
+    # Prone to spoofing, use ClientAlive* instead
+TCPKeepAlive no
+    # Send a message every 30s, disconnect after an (30s * 120) = 1 hour
+ClientAliveInterval 30
+ClientAliveCountMax 120