Enable support for adjusting SSH server (#49)
* Enable support for adjusting SSH server

* Add bits to README and move to system section

* Update config.ng.jobs.json

fixed merge conflict

* Update README.md

* fixed doc

---------

Co-authored-by: Joey Turner <[email protected]>
Co-authored-by: Tearran <[email protected]>
3 people authored Sep 4, 2024
1 parent 3156e94 commit fd725e7
Showing 4 changed files with 215 additions and 9 deletions.
14 changes: 13 additions & 1 deletion README.md
@@ -1,6 +1,6 @@

# Armbian Configuration Utility
Updated: Sun Sep 1 03:03:48 PM EDT 2024
Updated: Tue Sep 3 09:22:06 PM EDT 2024

Utility for configuring your board, adjusting services, and installing applications. It comes with Armbian by default.

Expand All @@ -16,6 +16,7 @@ sudo armbian-config
- **S04** - Install Linux headers
- **S05** - Remove Linux headers
- **S06** - Install to internal storage
- **S07** - Manage SSH login options
- **S30** - Change shell system wide to BASH
- **S31** - Change shell system wide to ZSH

Expand Down Expand Up @@ -92,6 +93,7 @@ Usage: armbian-configng [option] [arguments]
--cli S04 - Install Linux headers
--cli S05 - Remove Linux headers
--cli S06 - Install to internal storage
--cli S07 - Manage SSH login options
--cli S30 - Change shell system wide to BASH
--cli S31 - Change shell system wide to ZSH
--cli N00 - Install Bluetooth support
Expand Down Expand Up @@ -210,6 +212,16 @@ Jobs:
armbian-install
~~~

### S07

Manage SSH login options

Jobs:

~~~
No commands available
~~~

### S30

Change shell system wide to BASH
5 changes: 3 additions & 2 deletions lib/armbian-configng/config.ng.docs.sh
Expand Up @@ -458,11 +458,12 @@ jq -r '
.menu[] |
.sub[] |
"### " + .id + "\n\n" +
.description + "\n\nJobs:\n\n~~~\n" +
(.command | join("\n")) +
(.description // "No description available") + "\n\nJobs:\n\n~~~\n" +
((.command // ["No commands available"]) | join("\n")) +
"\n~~~\n"
' $json_file
}

module_options+=(
["see_cli_list,author"]="Joey Turner"
["see_cli_list,ref_link"]=""
64 changes: 58 additions & 6 deletions lib/armbian-configng/config.ng.functions.sh
Expand Up @@ -82,7 +82,6 @@ function set_header_remove() {

}


module_options+=(
["check_if_installed,author"]="Igor Pecovnik"
["check_if_installed,ref_link"]=""
Expand All @@ -96,12 +95,65 @@ module_options+=(
#
function check_if_installed (){

local DPKG_Status="$(dpkg -s "$1" 2>/dev/null | awk -F": " '/^Status/ {print $2}')"
if [[ "X${DPKG_Status}" = "X" || "${DPKG_Status}" = *deinstall* ]]; then
return 1
else
return 0
local DPKG_Status="$(dpkg -s "$1" 2>/dev/null | awk -F": " '/^Status/ {print $2}')"
if [[ "X${DPKG_Status}" = "X" || "${DPKG_Status}" = *deinstall* ]]; then
return 1
else
return 0
fi

}


module_options+=(
["update_skel,author"]="Igor Pecovnik"
["update_skel,ref_link"]=""
["update_skel,feature"]="update_skel"
["update_skel,desc"]="Update the /etc/skel files in users directories"
["update_skel,example"]="update_skel"
["update_skel,status"]="Active"
)
#
# check dpkg status of $1 -- currently only 'not installed at all' case caught
#
function update_skel (){

getent passwd |
while IFS=: read -r username x uid gid gecos home shell
do
if [ ! -d "$home" ] || [ "$username" == 'root' ] || [ "$uid" -lt 1000 ]
then
continue
fi
tar -C /etc/skel/ -cf - . | su - "$username" -c "tar --skip-old-files -xf -"
done

}


module_options+=(
["qr_code,author"]="Igor Pecovnik"
["qr_code,ref_link"]=""
["qr_code,feature"]="qr_code"
["qr_code,desc"]="Show or generate QR code for Google OTP"
["qr_code,example"]="qr_code generate"
["qr_code,status"]="Active"
)
#
# check dpkg status of $1 -- currently only 'not installed at all' case caught
#
function qr_code (){

clear
if [[ "$1" == "generate" ]]; then
google-authenticator -t -d -f -r 3 -R 30 -W -q
cp /root/.google_authenticator /etc/skel
update_skel
fi
export TOP_SECRET=$(head -1 /root/.google_authenticator)
qrencode -m 2 -d 9 -8 -t ANSI256 "otpauth://totp/test?secret=$TOP_SECRET"
echo -e '\nScan QR code with your OTP application on mobile phone\n'
read -n 1 -s -r -p "Press any key to continue"

}
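Review bot: `qr_code generate` copies root's `/root/.google_authenticator` into `/etc/skel` and then calls `update_skel`, so every account with uid >= 1000 that does not already have the file (and every account later created from the skeleton) receives the same TOTP seed as root; any one of those users can then produce the second factor for all the others, root included. Generating a seed per account by running `google-authenticator` as that user would keep the factor individual. The seed is also exported as `TOP_SECRET` and handed to `qrencode` as an argument, which places it in the environment of child processes and in the process list while the command runs; `local secret; secret=$(head -n 1 /root/.google_authenticator)` followed by `printf 'otpauth://totp/test?secret=%s' "$secret" | qrencode -m 2 -d 9 -8 -t ANSI256` avoids both, since qrencode reads standard input when no string is given. The header comments above `update_skel` and `qr_code` still read "check dpkg status of $1" and should describe what these functions do, including that they handle the OTP seed.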

141 changes: 141 additions & 0 deletions lib/armbian-configng/config.ng.jobs.json
Expand Up @@ -76,6 +76,146 @@
"author": "https://github.com/igorpecovnik",
"condition": "[[ -n $(ls /sbin/armbian-install) ]]"
},
{
"id": "S07",
"description": "Manage SSH login options",
"sub": [
{
"id": "S08",
"description": "Disable root login",
"command": [
"sed -i \"s|^#\\?PermitRootLogin.*|PermitRootLogin no|\" /etc/ssh/sshd_config",
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q '^PermitRootLogin yes' /etc/ssh/sshd_config"
},
{
"id": "S09",
"description": "Enable root login",
"command": [
"sed -i \"s/^#\\?PermitRootLogin.*/PermitRootLogin yes/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q '^PermitRootLogin no' /etc/ssh/sshd_config"
},
{
"id": "S10",
"description": "Disable password login",
"command": [
"sed -i \"s/^#\\?PasswordAuthentication.*/PasswordAuthentication no/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q 'PasswordAuthentication yes' /etc/ssh/sshd_config"
},
{
"id": "S11",
"description": "Enable password login",
"command": [
"sed -i \"s/^#\\?PasswordAuthentication.*/PasswordAuthentication yes/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q 'PasswordAuthentication no' /etc/ssh/sshd_config"
},
{
"id": "S12",
"description": "Disable Public key authentication login",
"command": [
"sed -i \"s/^#\\?PubkeyAuthentication.*/PubkeyAuthentication no/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q 'PubkeyAuthentication yes' /etc/ssh/sshd_config"
},
{
"id": "S13",
"description": "Enable Public key authentication login",
"command": [
"sed -i \"s/^#\\?PubkeyAuthentication.*/PubkeyAuthentication yes/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q 'PubkeyAuthentication no' /etc/ssh/sshd_config"
},
{
"id": "S14",
"description": "Disable OTP authentication",
"command": [
"clear",
"! check_if_installed libpam-google-authenticator && ! check_if_installed qrencode || debconf-apt-progress -- apt-get -y purge libpam-google-authenticator qrencode",
"sed -i \"s/^#\\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/\" /etc/ssh/sshd_config || sed -i \"0,/KbdInteractiveAuthentication/s//ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config" ,
"sed -i '/^auth required pam_google_authenticator.so nullok/ d' /etc/pam.d/sshd",
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q 'ChallengeResponseAuthentication yes' /etc/ssh/sshd_config"
},
{
"id": "S15",
"description": "Enable OTP authentication",
"command": [
"check_if_installed libpam-google-authenticator || debconf-apt-progress -- apt-get -y install libpam-google-authenticator",
"check_if_installed qrencode || debconf-apt-progress -- apt-get -y install qrencode",
"sed -i \"s/^#\\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config",
"sed -i $'/KbdInteractiveAuthentication/{iChallengeResponseAuthentication yes\\n:a;n;ba}' /etc/ssh/sshd_config || sed -n -i '/password updating/{p;:a;N;/@include common-password/!ba;s/.*\\n/auth required pam_google_authenticator.so nullok\\nauth required pam_permit.so\\n/};p' /etc/pam.d/sshd",
"[ ! -f /root/.google_authenticator ] && qr_code generate",
"systemctl restart sshd.service"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "! check_if_installed libpam-google-authenticator || ! check_if_installed qrencode || grep -q '^ChallengeResponseAuthentication no' /etc/ssh/sshd_config || ! grep -q 'ChallengeResponseAuthentication' /etc/ssh/sshd_config"
},
{
"id": "S16",
"description": "Generate new OTP authentication QR code",
"command": [
"qr_code generate"
],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q '^ChallengeResponseAuthentication yes' /etc/ssh/sshd_config"
},
{
"id": "S17",
"description": "Show OTP authentication QR code",
"command": ["qr_code"],
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "Igor Pecovnik",
"condition": "grep -q '^ChallengeResponseAuthentication yes' /etc/ssh/sshd_config && [ -f /root/.google_authenticator ]"
}
]
},

{
"id": "S30",
"description": "Change shell system wide to BASH",
Expand Down Expand Up @@ -110,6 +250,7 @@
"author": "https://github.com/igorpecovnik",
"condition": "[[ $(cat /etc/passwd | grep \"^root:\" | rev | cut -d\":\" -f1 | cut -d\"/\" -f1| rev) == \"bash\" ]]"
}

]
},
{
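Review bot: In S14 ("Disable OTP authentication") the fallback after `||` writes `ChallengeResponseAuthentication yes`, the opposite of what the job is for; it should write `no`, and because `sed -i` exits 0 even when no line matches, that fallback would only run on a sed error anyway. The same `||` chaining in S15 puts the `/etc/pam.d/sshd` edit behind a sed that normally succeeds, so the `pam_google_authenticator.so` line is probably never added while the menu reports OTP as enabled; listing the two edits as separate `command` entries would avoid that. The inserted PAM line carries `nullok`, which lets any account without a seed file log in without a code, so it deserves a note in the README or removal once seeds are provisioned. The conditions for S10–S13 use unanchored patterns such as `grep -q 'PasswordAuthentication yes'`, which also match commented-out lines; anchoring them as S08/S09 do (`grep -q '^PasswordAuthentication yes'`) makes the menu reflect the active setting. Every job restarts the daemon without checking the edited file, and nothing stops password and public-key login from both being disabled; `sshd -t && systemctl restart sshd.service` at least keeps an invalid config from taking SSH down.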
