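#!/bin/bash
# SSH Security Hardening Script
#
# Installs one public key for root and switches sshd to key-only logins:
#   1. refuses to run unless root,
#   2. reads a single OpenSSH public-key line from stdin and checks its shape
#      (and, when ssh-keygen is available, that it parses) before use,
#   3. installs it into /root/.ssh/authorized_keys (700/600, root-owned,
#      no duplicate on re-run),
#   4. backs up sshd_config, sets the key-only directives in it and - when
#      sshd_config includes an sshd_config.d directory - also writes them to a
#      drop-in that sorts before the distro's own drop-ins,
#   5. validates the result with `sshd -t` (rolling back on failure),
#      cross-checks the effective values with `sshd -T`, then restarts sshd.
#
# Keep the current session open until key login has been verified from a
# second terminal: once this has run, password login is disabled.
set -uo pipefail

readonly ROOT_SSH_DIR="/root/.ssh"
readonly AUTH_KEYS="$ROOT_SSH_DIR/authorized_keys"
readonly SSH_CONFIG="/etc/ssh/sshd_config"
readonly SSH_CONFIG_DIR="/etc/ssh/sshd_config.d"
# Drop-in name chosen by this script; it only needs to sort before the other
# drop-ins, because sshd keeps the FIRST value it reads for each directive.
readonly SSH_DROPIN="$SSH_CONFIG_DIR/00-ssh-hardening.conf"
# Timestamped so re-running never overwrites an earlier backup.
BACKUP_CONFIG="/etc/ssh/sshd_config.bak_$(date +%F_%T)"
readonly BACKUP_CONFIG

# "Directive value" pairs applied to sshd.
readonly -a SSHD_SETTINGS=(
  "PubkeyAuthentication yes"
  "PasswordAuthentication no"
  # 'prohibit-password' (alias 'without-password' on older releases) allows
  # root login ONLY via keys.
  "PermitRootLogin prohibit-password"
  # Disable PAM challenge/response logins; the second line is the current
  # name of the same directive (the first is the deprecated alias).
  "ChallengeResponseAuthentication no"
  "KbdInteractiveAuthentication no"
)

SSH_KEY=""      # set by read_pubkey
SSHD_BIN=""     # set by main via find_sshd
DROPIN_NEW=0    # 1 when this run created SSH_DROPIN (removed again on rollback)

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print a non-fatal warning to stderr.
warn() {
  printf '%s\n' "$*" >&2
}

# 1. Everything below writes root-owned files under /root and /etc/ssh.
require_root() {
  if [ "$EUID" -ne 0 ]; then
    die "❌ Error: Please run this script with sudo or as root."
  fi
}

# sshd normally lives in /usr/sbin, which a non-login root shell may not
# have on PATH. Prints the path, or nothing when it cannot be found.
find_sshd() {
  command -v sshd 2>/dev/null || command -v /usr/sbin/sshd 2>/dev/null
}

# Return 0 if $1 is a single bare OpenSSH public-key line
# ("<type> <base64> [comment]") and, when ssh-keygen is available, parses
# as a key. Option prefixes (command=..., from=...) are deliberately not
# accepted: the prompt asks for a bare key, and rejecting anything else keeps
# arbitrary text out of root's authorized_keys.
is_pubkey() {
  local key=$1
  local types='ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)'
  types+='|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com'
  local re="^(${types})[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]].*)?$"
  [[ "$key" =~ $re ]] || return 1
  if command -v ssh-keygen >/dev/null 2>&1; then
    # -l prints the fingerprint and fails on anything that is not a key.
    ssh-keygen -l -f <(printf '%s\n' "$key") >/dev/null 2>&1 || return 1
  fi
  return 0
}

# 2. Read one line from stdin into SSH_KEY; abort on empty or malformed input.
read_pubkey() {
  echo "Please paste the public SSH key (starts with ssh-rsa, ssh-ed25519, etc.):"
  read -r SSH_KEY
  if [ -z "$SSH_KEY" ]; then
    die "❌ Error: No key provided. Exiting."
  fi
  if ! is_pubkey "$SSH_KEY"; then
    die "❌ Error: Input is not a recognised OpenSSH public key line. Exiting."
  fi
}

# 3. Install SSH_KEY into root's authorized_keys. Permissions and ownership
#    are enforced on every run (sshd's StrictModes rejects keys from a
#    group/world-writable directory or file, not only on first creation), and
#    the key is appended only when not already present.
install_root_key() {
  echo "πŸ”Ή Configuring SSH key for user: root..."
  mkdir -p "$ROOT_SSH_DIR" || die "❌ Error: Could not create $ROOT_SSH_DIR."
  touch "$AUTH_KEYS" || die "❌ Error: Could not create $AUTH_KEYS."
  if ! { chmod 700 "$ROOT_SSH_DIR" && chmod 600 "$AUTH_KEYS" \
      && chown root:root "$ROOT_SSH_DIR" "$AUTH_KEYS"; }; then
    die "❌ Error: Could not set permissions on $ROOT_SSH_DIR."
  fi
  # Whole-line, fixed-string match so a re-run does not append a duplicate.
  if grep -qxF -- "$SSH_KEY" "$AUTH_KEYS"; then
    echo "βœ… SSH key already present in root account."
  else
    printf '%s\n' "$SSH_KEY" >> "$AUTH_KEYS" \
      || die "❌ Error: Could not write $AUTH_KEYS."
    echo "βœ… SSH key added to root account."
  fi
}

# Set directive $2 to value $3 in sshd config file $1. An active column-0
# line for the directive (case-insensitive, "key value" or "key=value") is
# rewritten in place; indented lines are left alone because they normally
# belong to a Match block. When no such line exists the directive is inserted
# at the TOP of the file, not appended: sshd keeps the first value it reads,
# and an append would land inside a trailing Match block if there is one.
set_sshd_option() {
  local file=$1 directive=$2 value=$3
  if grep -qiE "^${directive}([[:space:]]|=)" "$file"; then
    sed -i -E "s/^${directive}([[:space:]]|=).*/${directive} ${value}/I" "$file"
  elif [ -s "$file" ]; then
    sed -i "1i ${directive} ${value}" "$file"
  else
    printf '%s %s\n' "$directive" "$value" >> "$file"
  fi
}

# Write the same settings to a drop-in when sshd_config really includes the
# drop-in directory (Debian/Ubuntu style). Distro or cloud-init drop-ins can
# otherwise re-enable password login behind the edits made to sshd_config.
write_dropin() {
  [ -d "$SSH_CONFIG_DIR" ] || return 0
  grep -qiE "^[[:space:]]*Include[[:space:]]+${SSH_CONFIG_DIR}/" "$SSH_CONFIG" \
    || return 0
  [ -e "$SSH_DROPIN" ] || DROPIN_NEW=1
  echo "πŸ”Ή Writing $SSH_DROPIN (sorts before other drop-ins)..."
  {
    printf '# Managed by the SSH hardening script: key-only authentication.\n'
    printf '%s\n' "${SSHD_SETTINGS[@]}"
  } > "$SSH_DROPIN" || die "❌ Error: Could not write $SSH_DROPIN."
  chmod 644 "$SSH_DROPIN"
}

# 4. Back up sshd_config, then apply every SSHD_SETTINGS entry.
harden_sshd_config() {
  [ -f "$SSH_CONFIG" ] || die "❌ Error: $SSH_CONFIG not found."
  echo "πŸ”Ή Backing up current SSH config to $BACKUP_CONFIG..."
  cp -p "$SSH_CONFIG" "$BACKUP_CONFIG" \
    || die "❌ Error: Backup failed; $SSH_CONFIG left untouched."
  echo "πŸ”Ή Configuring SSH daemon to require keys..."
  local setting
  for setting in "${SSHD_SETTINGS[@]}"; do
    set_sshd_option "$SSH_CONFIG" "${setting%% *}" "${setting#* }"
  done
  write_dropin
  echo "βœ… Configuration updated."
}

# 5a. Never restart on an unvalidated config: a syntax error would leave the
#     host without a reachable sshd. On failure restore the backup (and drop
#     the drop-in if this run created it) and stop before restarting.
validate_or_rollback() {
  if "$SSHD_BIN" -t; then
    return 0
  fi
  cp -p "$BACKUP_CONFIG" "$SSH_CONFIG"
  if [ "$DROPIN_NEW" -eq 1 ]; then
    rm -f -- "$SSH_DROPIN"
  fi
  die "❌ Error: sshd rejected the new configuration; restored $BACKUP_CONFIG and aborted without restarting."
}

# 5b. Ask sshd which values it will actually use. `sshd -T` resolves Include
#     files and first-value precedence, so an overriding line elsewhere (for
#     example "PasswordAuthentication yes" in another drop-in) is reported
#     here instead of silently winning.
verify_effective_config() {
  local effective setting directive value actual
  if ! effective=$("$SSHD_BIN" -T 2>/dev/null); then
    warn "⚠️ Warning: 'sshd -T' failed; could not confirm the effective settings."
    return 0
  fi
  for setting in "${SSHD_SETTINGS[@]}"; do
    directive=${setting%% *}
    value=${setting#* }
    # -T prints directive names in lowercase.
    actual=$(printf '%s\n' "$effective" \
      | awk -v d="${directive,,}" '$1 == d { print $2; exit }')
    # Directive not reported by this sshd version (e.g. the deprecated alias).
    [ -n "$actual" ] || continue
    if [ "$actual" != "$value" ]; then
      warn "⚠️ Warning: effective ${directive} is '${actual}', expected '${value}'. Check ${SSH_CONFIG} and ${SSH_CONFIG_DIR}/*.conf for an overriding line."
    fi
  done
}

# 5c. Restart via systemd when present (the unit is "sshd" on RHEL-family
#     and "ssh" on Debian/Ubuntu), else via the service wrapper. Every path
#     reports the real outcome instead of printing success unconditionally.
restart_sshd() {
  echo "πŸ”Ή Restarting SSH service..."
  local unit
  if command -v systemctl >/dev/null 2>&1; then
    for unit in sshd ssh; do
      systemctl cat "$unit" >/dev/null 2>&1 || continue
      if systemctl restart "$unit"; then
        echo "βœ… SSHD restarted successfully."
      else
        warn "⚠️ Warning: Failed to restart SSHD using systemctl. Try 'service ssh restart'."
      fi
      return 0
    done
    warn "⚠️ Warning: No ssh/sshd systemd unit found. Please restart SSH manually."
  elif command -v service >/dev/null 2>&1; then
    if service ssh restart || service sshd restart; then
      echo "βœ… SSHD restarted successfully."
    else
      warn "⚠️ Warning: Failed to restart SSHD using 'service'. Please restart SSH manually."
    fi
  else
    warn "⚠️ Warning: Could not detect systemctl or service command. Please restart SSH manually."
  fi
}

main() {
  require_root
  echo "--- SSH Security Hardening Script ---"
  SSHD_BIN=$(find_sshd)
  if [ -z "$SSHD_BIN" ]; then
    die "❌ Error: sshd binary not found; nothing to harden."
  fi
  read_pubkey
  install_root_key
  harden_sshd_config
  validate_or_rollback
  verify_effective_config
  restart_sshd
  echo "---"
  echo "πŸŽ‰ Setup Complete."
  echo "IMPORTANT: Do not close this terminal yet. Open a NEW terminal window and try to SSH in as root to verify access."
}

main "$@"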