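#!/usr/bin/env bash
#
# Company SSH baseline: create (or reuse) an admin user, install exactly one
# authorized public key for it, and apply a hardened sshd drop-in
# (custom port, no root login, no password/keyboard-interactive auth).
#
# Usage: sudo ./baseline.sh [ssh_user] [ssh_port] <ssh_public_key>
#   ssh_user        login name to create/configure     (default: devops)
#   ssh_port        TCP port for sshd, 1-65535         (default: 42315)
#   ssh_public_key  a single OpenSSH public-key line   (required)
#
# Lock-out warning: this disables password and root SSH logins. Keep the
# current session open and confirm that a NEW connection with the key on the
# new port works before disconnecting. A host firewall / cloud security group
# must also allow the new port; this script does not touch firewalling.
#
# Exits 1 on any precondition, validation or configuration failure. When the
# new sshd config fails `sshd -t`, the previous drop-in (if any) is restored
# so a later restart or reboot cannot fail on a half-applied config.

set -euo pipefail

readonly SSHD_DROPIN_DIR=/etc/ssh/sshd_config.d
readonly SSHD_DROPIN="${SSHD_DROPIN_DIR}/99-company.conf"

die()  { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

# Abort unless running as root; everything below writes to /etc and /home.
require_root() {
  if [[ "${EUID}" -ne 0 ]]; then
    echo "Run as root (sudo)." >&2
    exit 1
  fi
}

# Positional arguments -> SSH_USER, SSH_PORT, SSH_PUBKEY (globals).
# The public key is mandatory; the other two keep their historical defaults.
parse_args() {
  SSH_USER="${1:-devops}"
  SSH_PORT="${2:-42315}"
  SSH_PUBKEY="${3:-}"
  if [[ -z "${SSH_PUBKEY}" ]]; then
    echo "Usage: $0 <ssh_user> <ssh_port> <ssh_public_key>" >&2
    exit 1
  fi
}

# Reject inputs that would break the user/path handling or lock the
# operator out before they are written anywhere.
validate_inputs() {
  # No whitespace, slashes or leading '-' in the login name.
  if [[ ! "${SSH_USER}" =~ ^[A-Za-z_][A-Za-z0-9._-]*$ ]]; then
    die "invalid user name: '${SSH_USER}'"
  fi
  # Decimal 1-65535 with no leading zeros (a leading 0 would be read as
  # octal by the arithmetic test).
  if [[ ! "${SSH_PORT}" =~ ^[1-9][0-9]{0,4}$ ]] || (( SSH_PORT > 65535 )); then
    die "invalid port: '${SSH_PORT}' (expected 1-65535)"
  fi
  # authorized_keys is line-oriented: an embedded newline would silently
  # install more than one key.
  if [[ "${SSH_PUBKEY}" == *$'\n'* ]]; then
    die "public key must be a single line"
  fi
  # Parse the key with ssh-keygen so a truncated/typo'd key cannot be the
  # only credential left after password auth is disabled. Use a temp file:
  # ssh-keygen re-opens its input when falling back to authorized_keys
  # format, which a pipe/process substitution cannot serve twice.
  if command -v ssh-keygen >/dev/null 2>&1; then
    local tmp
    tmp="$(mktemp)" || die "mktemp failed"
    printf '%s\n' "${SSH_PUBKEY}" >"${tmp}"
    if ! ssh-keygen -lf "${tmp}" >/dev/null 2>&1; then
      rm -f -- "${tmp}"
      die "not a parseable OpenSSH public key"
    fi
    rm -f -- "${tmp}"
  else
    warn "ssh-keygen not found; skipping public-key syntax check"
  fi
}

# Create the user if missing, add it to the distro's admin group and
# resolve SSH_HOME / SSH_GROUP (globals) from the passwd database instead
# of assuming /home/<user> and a same-named primary group.
ensure_user() {
  if ! id -u "${SSH_USER}" >/dev/null 2>&1; then
    useradd -m -s /bin/bash "${SSH_USER}"
  fi
  # Admin group differs by distro family (Debian/Ubuntu: sudo,
  # RHEL/Fedora: wheel). NOTE(review): useradd without -p leaves the
  # password locked and password SSH auth is disabled below, so sudo will
  # only work if sudoers grants NOPASSWD or a password is set out-of-band.
  local admin_group
  if getent group sudo >/dev/null; then
    admin_group=sudo
  elif getent group wheel >/dev/null; then
    admin_group=wheel
  else
    die "neither 'sudo' nor 'wheel' group exists; cannot grant admin rights"
  fi
  usermod -aG "${admin_group}" "${SSH_USER}"
  SSH_HOME="$(getent passwd "${SSH_USER}" | cut -d: -f6)"
  SSH_GROUP="$(id -gn "${SSH_USER}")"
  if [[ -z "${SSH_HOME}" || ! -d "${SSH_HOME}" ]]; then
    die "home directory for '${SSH_USER}' not found"
  fi
}

# Ensure ~/.ssh (0700) and authorized_keys (0600) are owned by the user and
# contain SSH_PUBKEY exactly once, so re-runs stay idempotent.
install_authorized_key() {
  local ssh_dir="${SSH_HOME}/.ssh"
  local auth_keys="${ssh_dir}/authorized_keys"
  install -d -m 700 -o "${SSH_USER}" -g "${SSH_GROUP}" "${ssh_dir}"
  touch "${auth_keys}"
  chown "${SSH_USER}:${SSH_GROUP}" "${auth_keys}"
  chmod 600 "${auth_keys}"
  # Whole-line fixed-string match; printf (not echo) so a key line that
  # starts with '-' or contains backslashes is written verbatim.
  if ! grep -Fqx -- "${SSH_PUBKEY}" "${auth_keys}"; then
    printf '%s\n' "${SSH_PUBKEY}" >>"${auth_keys}"
  fi
}

# Write the hardening drop-in, validate it with `sshd -t`, and roll back to
# the previous drop-in (or remove the new one) if sshd rejects it.
write_sshd_dropin() {
  if [[ ! -d "${SSHD_DROPIN_DIR}" ]]; then
    die "${SSHD_DROPIN_DIR} does not exist (Include drop-ins need OpenSSH 8.2+)"
  fi
  local backup=""
  if [[ -e "${SSHD_DROPIN}" ]]; then
    backup="$(mktemp)" || die "mktemp failed"
    cp -p -- "${SSHD_DROPIN}" "${backup}"
  fi
  # ChallengeResponseAuthentication is kept under its old spelling; newer
  # sshd accepts it as an alias of KbdInteractiveAuthentication.
  printf '%s\n' \
    "Port ${SSH_PORT}" \
    "PermitRootLogin no" \
    "PasswordAuthentication no" \
    "PubkeyAuthentication yes" \
    "ChallengeResponseAuthentication no" \
    "UsePAM yes" \
    >"${SSHD_DROPIN}"
  chmod 644 "${SSHD_DROPIN}"
  if ! sshd -t; then
    if [[ -n "${backup}" ]]; then
      cp -p -- "${backup}" "${SSHD_DROPIN}"
      rm -f -- "${backup}"
    else
      rm -f -- "${SSHD_DROPIN}"
    fi
    die "sshd rejected the new configuration; previous drop-in state restored"
  fi
  if [[ -n "${backup}" ]]; then
    rm -f -- "${backup}"
  fi
}

# Confirm the drop-in is actually in effect. sshd uses the FIRST value it
# sees for a keyword, so 99-company.conf only wins if sshd_config Includes
# the drop-in dir ahead of its own settings and no lexically earlier
# drop-in (e.g. a cloud-init 50-*.conf re-enabling passwords) sets the same
# keyword. A silently ignored drop-in would make the summary below a lie.
verify_effective_config() {
  local effective expected
  effective="$(sshd -T)" || die "sshd -T failed"
  for expected in \
      "port ${SSH_PORT}" \
      "permitrootlogin no" \
      "passwordauthentication no" \
      "pubkeyauthentication yes"; do
    if ! grep -qx -- "${expected}" <<<"${effective}"; then
      die "effective sshd config lacks '${expected}': ${SSHD_DROPIN} is not in effect (no Include, or an earlier drop-in overrides it)"
    fi
  done
}

# Restart sshd (Debian unit name first, then the RHEL one). Existing
# sessions survive a restart, which is what keeps the operator connected.
restart_sshd() {
  # Socket-activated sshd (ssh.socket on recent Ubuntu) may keep listening
  # on the socket unit's port regardless of the Port directive.
  if systemctl is-active --quiet ssh.socket 2>/dev/null; then
    warn "ssh.socket is active: the Port directive may not take effect; check 'systemctl cat ssh.socket' and 'ss -ltn'"
  fi
  systemctl restart ssh || systemctl restart sshd
}

print_summary() {
  echo "Company baseline applied:"
  echo "- user: ${SSH_USER}"
  echo "- ssh port: ${SSH_PORT}"
  echo "- root login: disabled"
  echo "- password auth: disabled"
  warn "keep this session open and verify 'ssh -p ${SSH_PORT} ${SSH_USER}@<host>' works (and that the firewall allows ${SSH_PORT}) before logging out"
}

main() {
  require_root
  parse_args "$@"
  validate_inputs
  ensure_user
  install_authorized_key
  write_sshd_dropin
  verify_effective_config
  restart_sshd
  print_summary
}

main "$@"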