SSH settings fix

This commit is contained in:
Rodger Castle 2026-05-04 14:49:58 -04:00
parent 57f4c0c24f
commit ba08f4887b


@ -187,22 +187,29 @@ path.write_text(text)
PYEOF PYEOF
fi fi
printf '%s\n' "$SFTP_STANZA" >> "$SSHD_CONFIG" # Apply global hardening options FIRST (before the Match block)
# Additional SSH hardening (idempotent: only add if not already set)
apply_ssh_option() { apply_ssh_option() {
local key="$1" val="$2" local key="$1" val="$2"
if grep -qiE "^\s*${key}\s" "$SSHD_CONFIG"; then if grep -qiE "^\s*${key}\s" "$SSHD_CONFIG"; then
sed -i -E "s|^\s*${key}\s.*|${key} ${val}|i" "$SSHD_CONFIG" sed -i -E "s|^\s*${key}\s.*|${key} ${val}|i" "$SSHD_CONFIG"
else
# Insert before the first Match block, or append if no Match block exists
if grep -q "^Match " "$SSHD_CONFIG"; then
sed -i "/^Match /i ${key} ${val}" "$SSHD_CONFIG"
else else
echo "${key} ${val}" >> "$SSHD_CONFIG" echo "${key} ${val}" >> "$SSHD_CONFIG"
fi fi
fi
} }
apply_ssh_option "PermitRootLogin" "prohibit-password" apply_ssh_option "PermitRootLogin" "prohibit-password"
apply_ssh_option "PasswordAuthentication" "yes" # needed for SFTP password auth apply_ssh_option "PasswordAuthentication" "yes"
apply_ssh_option "MaxAuthTries" "4" apply_ssh_option "MaxAuthTries" "4"
apply_ssh_option "LoginGraceTime" "30" apply_ssh_option "LoginGraceTime" "30"
# Append the Match block LAST
printf '%s\n' "$SFTP_STANZA" >> "$SSHD_CONFIG"
sshd -t || die "SSH config test failed — check ${SSHD_CONFIG}" sshd -t || die "SSH config test failed — check ${SSHD_CONFIG}"
systemctl restart sshd systemctl restart sshd
success "SSH/SFTP configured." success "SSH/SFTP configured."
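Review bot: The new `sed -i "/^Match /i ${key} ${val}"` line inserts the option before every `Match ` line, not only the first as its comment says, so with two or more Match blocks the second copy lands inside the first block's scope and is parsed as a Match-scoped option. Under GNU sed (already assumed by the `i` flag on the `s` command two lines above) restricting the address fixes this: `sed -i "0,/^Match /s//${key} ${val}\n&/" "$SSHD_CONFIG"`. The update branch has the mirror problem: `grep -qiE "^\s*${key}\s"` and the following `s|...|i` match and rewrite every occurrence, including lines inside an existing Match block, so an option set only under a Match is taken as already set globally and the global default is never written. Both matter once the script is re-run, because `printf '%s\n' "$SFTP_STANZA" >> "$SSHD_CONFIG"` appends the stanza unconditionally and a second run would see the Match block from the first — unless the Python step above the hunk already strips it, which is not visible here. Restricting both the grep and the sed to the lines before the first `Match ` (e.g. a `0,/^Match /` range) keeps the global section and the Match blocks apart.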