Enable support for adjusting SSH server
igorpecovnik committed Aug 31, 2024
1 parent 2ba14a4 commit 53700e7
Showing 2 changed files with 200 additions and 7 deletions.
64 changes: 58 additions & 6 deletions lib/armbian-configng/config.ng.functions.sh
Expand Up @@ -82,7 +82,6 @@ function set_header_remove() {

}


module_options+=(
["check_if_installed,author"]="Igor Pecovnik"
["check_if_installed,ref_link"]=""
Expand All @@ -96,12 +95,65 @@ module_options+=(
#
function check_if_installed (){

local DPKG_Status="$(dpkg -s "$1" 2>/dev/null | awk -F": " '/^Status/ {print $2}')"
if [[ "X${DPKG_Status}" = "X" || "${DPKG_Status}" = *deinstall* ]]; then
return 1
else
return 0
local DPKG_Status="$(dpkg -s "$1" 2>/dev/null | awk -F": " '/^Status/ {print $2}')"
if [[ "X${DPKG_Status}" = "X" || "${DPKG_Status}" = *deinstall* ]]; then
return 1
else
return 0
fi

}


module_options+=(
["update_skel,author"]="Igor Pecovnik"
["update_skel,ref_link"]=""
["update_skel,feature"]="update_skel"
["update_skel,desc"]="Update the /etc/skel files in users directories"
["update_skel,example"]="update_skel"
["update_skel,status"]="Active"
)
#
# check dpkg status of $1 -- currently only 'not installed at all' case caught
#
function update_skel (){

getent passwd |
while IFS=: read -r username x uid gid gecos home shell
do
if [ ! -d "$home" ] || [ "$username" == 'root' ] || [ "$uid" -lt 1000 ]
then
continue
fi
tar -C /etc/skel/ -cf - . | su - "$username" -c "tar --skip-old-files -xf -"
done

}


module_options+=(
["qr_code,author"]="Igor Pecovnik"
["qr_code,ref_link"]=""
["qr_code,feature"]="qr_code"
["qr_code,desc"]="Show or generate QR code for Google OTP"
["qr_code,example"]="qr_code generate"
["qr_code,status"]="Active"
)
#
# check dpkg status of $1 -- currently only 'not installed at all' case caught
#
function qr_code (){

clear
if [[ "$1" == "generate" ]]; then
google-authenticator -t -d -f -r 3 -R 30 -W -q
cp /root/.google_authenticator /etc/skel
update_skel
fi
export TOP_SECRET=$(head -1 /root/.google_authenticator)
qrencode -m 2 -d 9 -8 -t ANSI256 "otpauth://totp/test?secret=$TOP_SECRET"
echo -e '\nScan QR code with your OTP application on mobile phone\n'
read -n 1 -s -r -p "Press any key to continue"

}

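Review bot: In `qr_code`, `cp /root/.google_authenticator /etc/skel` followed by `update_skel` hands root's TOTP seed to every account with uid >= 1000 that has a home directory, so all users share one second factor and each of them holds the seed that also protects root and the other accounts. Because `update_skel` extracts with `--skip-old-files`, a later `qr_code generate` replaces only root's file and the copies already in home directories keep the old seed. I would drop those two lines and have each account enrol its own secret; separately, `export TOP_SECRET=$(...)` puts the seed into the environment of every child process, so a function-local variable (`local secret; secret=$(head -n 1 /root/.google_authenticator)`) is preferable. The header comment above `update_skel` and `qr_code` ("check dpkg status of $1 ...") was copied from `check_if_installed` and should describe what these functions do instead.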
143 changes: 142 additions & 1 deletion lib/armbian-configng/config.ng.jobs.json
Expand Up @@ -229,8 +229,149 @@
"src_reference": "",
"author": "",
"condition": "check_if_installed avahi-daemon"
},
{
"id": "N12",
"description": "Reconfigure OpenSSH daemon (secure shell)",
"sub": [
{
"id": "SSH01",
"description": "Disable root login",
"command": [
"sed -i \"s|^#\\?PermitRootLogin.*|PermitRootLogin no|\" /etc/ssh/sshd_config",
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q '^PermitRootLogin yes' /etc/ssh/sshd_config"
},
{
"id": "SSH02",
"description": "Enable root login",
"command": [
"sed -i \"s/^#\\?PermitRootLogin.*/PermitRootLogin yes/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q '^PermitRootLogin no' /etc/ssh/sshd_config"
},
{
"id": "SSH03",
"description": "Disable password login",
"command": [
"sed -i \"s/^#\\?PasswordAuthentication.*/PasswordAuthentication no/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q 'PasswordAuthentication yes' /etc/ssh/sshd_config"
},
{
"id": "SSH04",
"description": "Enable password login",
"command": [
"sed -i \"s/^#\\?PasswordAuthentication.*/PasswordAuthentication yes/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q 'PasswordAuthentication no' /etc/ssh/sshd_config"
},
{
"id": "SSH05",
"description": "Disable Public key authentication login",
"command": [
"sed -i \"s/^#\\?PubkeyAuthentication.*/PubkeyAuthentication no/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q 'PubkeyAuthentication yes' /etc/ssh/sshd_config"
},
{
"id": "SSH06",
"description": "Enable Public key authentication login",
"command": [
"sed -i \"s/^#\\?PubkeyAuthentication.*/PubkeyAuthentication yes/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q 'PubkeyAuthentication no' /etc/ssh/sshd_config"
},
{
"id": "SSH07",
"description": "Disable OTP authentication",
"command": [
"clear",
"! check_if_installed libpam-google-authenticator && ! check_if_installed qrencode || debconf-apt-progress -- apt-get -y purge libpam-google-authenticator qrencode",
"sed -i \"s/^#\\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/\" /etc/ssh/sshd_config || sed -i \"0,/KbdInteractiveAuthentication/s//ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config" ,
"sed -i '/^auth required pam_google_authenticator.so nullok/ d' /etc/pam.d/sshd",
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q 'ChallengeResponseAuthentication yes' /etc/ssh/sshd_config"
},
{
"id": "SSH08",
"description": "Enable OTP authentication",
"command": [
"check_if_installed libpam-google-authenticator || debconf-apt-progress -- apt-get -y install libpam-google-authenticator",
"check_if_installed qrencode || debconf-apt-progress -- apt-get -y install qrencode",
"sed -i \"s/^#\\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config || sed -i $'/KbdInteractiveAuthentication/{iChallengeResponseAuthentication yes\\n:a;n;ba}' /etc/ssh/sshd_config" ,
"sed -n -i '/password updating/{p;:a;N;/@include common-password/!ba;s/.*\\n/auth required pam_google_authenticator.so nullok\\nauth required pam_permit.so\\n/};p' /etc/pam.d/sshd",
"[ ! -f /root/.google_authenticator ] && qr_code generate",
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "! check_if_installed libpam-google-authenticator || ! check_if_installed qrencode || grep -q '^ChallengeResponseAuthentication no' /etc/ssh/sshd_config || ! grep -q 'ChallengeResponseAuthentication' /etc/ssh/sshd_config"
},
{
"id": "SSH09",
"description": "Generate new OTP authentication QR code",
"command": [
"qr_code generate"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q '^ChallengeResponseAuthentication yes' /etc/ssh/sshd_config"
},
{
"id": "SSH10",
"description": "Show OTP authentication QR code",
"command": [
"qr_code"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "Igor Pecovnik",
"condition": "grep -q '^ChallengeResponseAuthentication yes' /etc/ssh/sshd_config && [ -f /root/.google_authenticator ]"
}
]
}
]
]
},
{
"id": "Localisation",
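Review bot: In SSH07 ("Disable OTP authentication") the fallback after `||` rewrites `KbdInteractiveAuthentication` to `ChallengeResponseAuthentication yes`, which is the enable value; on the disable path it should write `no`. That fallback, and the matching one in SSH08, is also unlikely to run at all, because `sed -i` exits 0 when nothing matched, so on a config without a `ChallengeResponseAuthentication` line neither command changes anything. The conditions for SSH03 to SSH07 grep without `^`, so a commented-out `#PasswordAuthentication yes` satisfies them, unlike the anchored checks in SSH01 and SSH02. Every entry restarts sshd straight after an in-place edit; validating first, e.g. `sshd -t && systemctl restart sshd.service`, would keep a bad edit from cutting off remote access, and it is worth guarding against SSH03 and SSH05 both being applied, which leaves no login method enabled.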
