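#!/usr/bin/env bash
#
# SSH configuration script.
#
# Steps, in order:
#   1. Append one public key to ~/.ssh/authorized_keys of the invoking user.
#   2. Back up sshd_config to a timestamped copy.
#   3. Turn on pubkey, password and keyboard-interactive authentication.
#   4. Validate the config and restart the "ssh" service.
#   5. Optionally disable password login and/or root login.
#
# Environment:
#   SSH_KEY  optional; a single authorized_keys line to install instead of
#            the built-in default key.
#
# Needs write access to /etc/ssh/sshd_config and permission to restart the
# service, so in practice it runs as root.
# NOTE(review): "~" then presumably resolves to root's home, so the key is
# installed for root; answering "y" to "Disable root login?" makes that key
# unusable for login. Confirm another account has working access first.

set -euo pipefail

SSHD_CONFIG="/etc/ssh/sshd_config"

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Append a newline to $1 when the file is non-empty and its last byte is not
# a newline, so a line appended afterwards does not merge into the last entry.
ensure_trailing_newline() {
  local file=$1
  if [[ -s "$file" && -n "$(tail -c 1 -- "$file")" ]]; then
    printf '\n' >> "$file"
  fi
}

# Set "<keyword> <value>" in sshd_config.
# Arguments: $1 - keyword, $2 - value (both are fixed literals from this
#            script and are interpolated into the patterns as-is).
# Every active (uncommented) line for the keyword is rewritten; if there is
# none, the setting is appended. Matching is case-insensitive because sshd
# keywords are, and sshd uses the first value it reads for a keyword.
# Caveats: an appended line lands at the end of the file, so it applies only
# conditionally if the file ends inside a Match block, and a value read
# earlier through an Include directive still takes precedence.
set_sshd_option() {
  local key=$1 value=$2
  if grep -qiE "^[[:space:]]*${key}([[:space:]=]|\$)" "$SSHD_CONFIG"; then
    sed -i -E \
      "s/^[[:space:]]*${key}([[:space:]=].*)?\$/${key} ${value}/I" \
      "$SSHD_CONFIG"
  else
    ensure_trailing_newline "$SSHD_CONFIG"
    printf '%s\n' "${key} ${value}" >> "$SSHD_CONFIG"
  fi
}

# Validate the edited config, then restart the service.
# A config sshd cannot parse would stop the daemon from coming back up and
# cut off remote access, so on a failed check the backup is restored and the
# script aborts without restarting.
restart_ssh() {
  if ! "$SSHD_BIN" -t -f "$SSHD_CONFIG"; then
    cp -p -- "$BACKUP" "$SSHD_CONFIG"
    die "sshd_config failed validation; restored ${BACKUP}, service not restarted."
  fi
  systemctl restart ssh
}

echo "==============================="
echo " SSH Configuration Script"
echo "==============================="

# Fail before changing anything rather than halfway through.
[[ -f "$SSHD_CONFIG" && -w "$SSHD_CONFIG" ]] \
  || die "Cannot modify ${SSHD_CONFIG}; run this script as root."
# Resolve sshd to a full path; the sbin directories may be missing from PATH.
SSHD_BIN=$(PATH="${PATH}:/usr/sbin:/sbin"; command -v sshd) \
  || die "sshd binary not found; refusing to edit ${SSHD_CONFIG} unvalidated."

# -------------------------------
# Install SSH Key
# -------------------------------
echo "Installing SSH key..."

# SECURITY: this default is a fixed public key baked into the script. Whoever
# holds the matching private key gains login access to the account running
# this script. Verify the key is yours, or export SSH_KEY with your own.
DEFAULT_SSH_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDosb5jR9eu4Avc0HmMzR8HQDYOGRSxwRYgprpDuggDG eddsa-key-20260531"
SSH_KEY="${SSH_KEY:-$DEFAULT_SSH_KEY}"
# One key per line: a multi-line value would add extra authorized_keys entries.
[[ "$SSH_KEY" != *$'\n'* ]] \
  || die "SSH_KEY must be a single authorized_keys line."

mkdir -p ~/.ssh
chmod 700 ~/.ssh

# Idempotent: append only when the exact line is not already present.
if ! grep -qxF -- "$SSH_KEY" ~/.ssh/authorized_keys 2>/dev/null; then
  ensure_trailing_newline ~/.ssh/authorized_keys
  printf '%s\n' "$SSH_KEY" >> ~/.ssh/authorized_keys
fi
chmod 600 ~/.ssh/authorized_keys

echo "✅ Key installed"

# -------------------------------
# Backup config
# -------------------------------
BACKUP="${SSHD_CONFIG}.bak.$(date +%s)"
cp -p -- "$SSHD_CONFIG" "$BACKUP"

# -------------------------------
# SSH SETTINGS
# -------------------------------
echo "Updating SSH settings..."

set_sshd_option PubkeyAuthentication yes

# Password and keyboard-interactive logins are switched ON here so the
# operator is not locked out before key login has been tested.
# NOTE(review): on a host that already had these disabled, this re-enables
# them, and they stay enabled unless the lockdown prompt is answered "y".
set_sshd_option PasswordAuthentication yes
set_sshd_option KbdInteractiveAuthentication yes
set_sshd_option ChallengeResponseAuthentication yes

restart_ssh
echo "✅ SSH restarted"

# -------------------------------
# Optional Lockdown
# -------------------------------
# A closed stdin (non-interactive run) counts as "N" instead of aborting.
read -r -p "Disable password login? (y/N): " DISABLE_PASS || DISABLE_PASS=""

if [[ "$DISABLE_PASS" =~ ^[Yy]$ ]]; then
  set_sshd_option PasswordAuthentication no
  # Keyboard-interactive can still prompt for the account password (typically
  # via PAM), so turning off PasswordAuthentication alone does not disable
  # password logins.
  # NOTE(review): this also turns off PAM-based second-factor prompts that
  # use keyboard-interactive; confirm none are in use.
  set_sshd_option KbdInteractiveAuthentication no
  set_sshd_option ChallengeResponseAuthentication no
  restart_ssh
  echo "✅ Password login disabled"
fi

read -r -p "Disable root login? (y/N): " DISABLE_ROOT || DISABLE_ROOT=""

if [[ "$DISABLE_ROOT" =~ ^[Yy]$ ]]; then
  # Appended when no active PermitRootLogin line exists, so the success
  # message below is not printed for a change that never happened.
  set_sshd_option PermitRootLogin no
  restart_ssh
  echo "✅ Root login disabled"
fi

echo ""
echo "==============================="
echo " ✅ SSH CONFIG COMPLETE"
echo "==============================="
echo "⚠️ Test SSH access before closing your session"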