Lunatic16/ssh-setup
SSH Configuration Setup Script

A production-ready, idempotent bash script that simplifies SSH configuration setup and hardening on Linux systems.

Quick Start

# Run full setup (check + generate keys + configure)
sudo ./ssh-setup.sh all

# Generate SSH keys only
./ssh-setup.sh generate --email "you@example.com"

# Apply security hardening (requires root)
sudo ./ssh-setup.sh harden

# Harden on a custom port
sudo ./ssh-setup.sh harden --port 2222 --yes

# Preview changes without executing
./ssh-setup.sh all --dry-run

# View current configuration summary
./ssh-setup.sh status

Commands

Command    Description                                              Requires Root
all        Full workflow: check → generate → configure → status     Optional
check      Verify SSH installation, keys, and permissions           No
generate   Create Ed25519 SSH key pair                              No
add-key    Add public key to authorized_keys (dedup-aware)          No
harden     Apply security hardening directives to sshd_config       Yes
status     Show effective sshd configuration (21 directives)        No
help       Display full usage documentation                         No

Options

Option                 Description
-e, --email <email>    Email label for key generation
-f, --file <path>      Custom key file path (default: ~/.ssh/id_ed25519)
-k, --key <pubkey>     Public key string to add to authorized_keys
-p, --port <port>      SSH port to set in sshd_config (default: 22)
-n, --no-backup        Skip backup before hardening (dangerous)
-y, --yes              Skip confirmation prompts (non-interactive)
-d, --dry-run          Preview changes without executing
-v, --verbose          Enable debug output
-h, --help             Show help message

Hardening Directives

#    Directive                         Default                       Purpose
1    Port                              22 (or custom via --port)     Always set explicitly
2    PermitRootLogin                   no                            Block direct root login
3    PasswordAuthentication            yes                           Enable password-based auth
4    KbdInteractiveAuthentication      yes                           Enable keyboard-interactive auth (OpenSSH 8.2+)
5    PubkeyAuthentication              yes                           Enable key-based auth
6    ChallengeResponseAuthentication   no                            Disable challenge-response
7    UsePAM                            yes                           PAM account management
8    X11Forwarding                     no                            Block X11 tunneling
9    AllowTcpForwarding                no                            Block TCP tunneling
10   PermitTunnel                      no                            Block layer-2/3 tunneling
11   MaxAuthTries                      3                             Limit auth attempts
12   MaxSessions                       5                             Limit concurrent sessions
13   LoginGraceTime                    30                            30s auth window
14   ClientAliveInterval               300                           5-min keepalive
15   ClientAliveCountMax               2                             Disconnect after 2 missed keepalives
16   AllowAgentForwarding              no                            Block agent forwarding
17   PermitEmptyPasswords              no                            No blank passwords
18   IgnoreRhosts                      yes                           Ignore .rhosts files
19   HostbasedAuthentication           no                            Disable host-based auth
20   PrintMotd                         no                            Use PAM motd instead

Additional Password Auth Protections

Beyond the directives above, the script also:

  • Comments out AuthenticationMethods: this directive can restrict logins to specific methods, so PasswordAuthentication yes alone does not guarantee that password login works. The script comments it out to prevent accidental lockout.
  • Appends a Match all block: guarantees PasswordAuthentication yes and KbdInteractiveAuthentication yes apply globally, overriding any per-user or per-group Match blocks that might disable password auth.

Safety Features

  • Idempotent: Safe to run multiple times — skips existing keys, detects duplicates, only changes differing values
  • Effective Config Display: status uses sshd -T (when run as root) to show what sshd actually uses — not just file contents, but the resolved configuration after all includes, Match blocks, and defaults are applied
  • Fallback Mode: Without root, status greps the config file for uncommented directives and warns that sudo shows the true effective config
  • Backup & Restore: Automatic timestamped backup before any config mutation, with auto-restore on syntax failure
  • Validation: Post-hardening sshd -t syntax check
  • Dry-run mode: Preview every change with --dry-run before applying
  • Input validation: Port range checks (1–65535), email format, required argument guards
  • Root-gated: Hardening refuses to run without root
  • Logging: All actions logged to ~/.ssh/ssh-setup.log with timestamps
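As an added illustration of the directive handling described under Hardening Directives, Additional Password Auth Protections and Safety Features (example code, not the project's ssh-setup.sh): each helper edits one sshd_config-style file idempotently, keeps a timestamped backup in the README's naming pattern, and inserts a missing global directive before the first Match block rather than at the end of the file, where it would silently become part of that block. The file path, the availability of awk, cmp and mktemp, and the constructed sample config are assumptions; Include files are not followed.

```shell
# Added example, not the project's script: idempotent sshd_config edits of the kind the
# README describes. Assumes awk, cmp and mktemp; edits one file (Include is not followed).
set -eu

commit_if_changed() {  # replace FILE with NEW only when content differs; keep a timestamped backup
  local file=$1 new=$2
  if cmp -s "$file" "$new"; then rm -f "$new"; return 0; fi
  cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
  cat "$new" > "$file" && rm -f "$new"   # write in place so mode and owner of FILE survive
}
set_directive() {  # set_directive FILE KEY VALUE: set a global directive exactly once
  local file=$1 key=$2 value=$3 tmp; tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    # The first Match line closes the global scope; a line placed after it belongs to that
    # Match block, so a missing directive is inserted just before it, never appended blindly.
    tolower($1) == "match" && !inmatch { inmatch = 1; if (!done) { print key, value; done = 1 } }
    !inmatch && tolower($1) == tolower(key) {
      if (!done) { line = ($2 == value) ? $0 : key " " value; print line; done = 1 }
      next                                   # drop duplicate global settings of the same key
    }
    { print }
    END { if (!done) print key, value }      # no Match block at all: append at the end
  ' "$file" > "$tmp"
  commit_if_changed "$file" "$tmp"
}
comment_out() {  # comment_out FILE KEY: disable every active KEY line (e.g. AuthenticationMethods)
  local file=$1 key=$2 tmp; tmp=$(mktemp)
  awk -v key="$key" 'tolower($1) == tolower(key) { print "#" $0; next } { print }' "$file" > "$tmp"
  commit_if_changed "$file" "$tmp"
}
ensure_match_all() {  # append the README's Match all block once. Caveat: sshd keeps the first value
  local file=$1       # it obtains per keyword, so an earlier Match block still wins for its users.
  grep -qiE '^[[:space:]]*Match[[:space:]]+all[[:space:]]*$' "$file" && return 0
  printf '\nMatch all\n    PasswordAuthentication yes\n    KbdInteractiveAuthentication yes\n' >> "$file"
}
check_or_restore() {  # sshd -t syntax check (needs root to read host keys); roll back on failure
  local file=$1 backup=$2
  command -v sshd >/dev/null || return 0   # no sshd on this host: nothing to validate with
  sshd -t -f "$file" || { cp -p "$backup" "$file"; return 1; }
}
demo_config_file() {  # constructed sample config, not a real server's file; prints its path
  local f; f=$(mktemp)
  printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
    'AuthenticationMethods publickey' 'Match User backup' '    PasswordAuthentication no' > "$f"
  echo "$f"
}
```

Run the helpers twice on the same file to see the idempotency: the second pass produces no diff and no new backup.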

Key Generation

  • Ed25519 keys (preferred over RSA/ECDSA for security and performance)
  • Custom email labels for identification
  • Skips existing keys (idempotent)
  • Sets correct permissions (600 private, 644 public)

Requirements

  • Linux system (bash 4.4+)
  • openssh-client and openssh-server packages
  • Root access for hardening commands only

Examples

New User Setup

# 1. Generate keys
./ssh-setup.sh generate --email "alice@company.com"

# 2. Add your public key to authorized_keys
./ssh-setup.sh add-key

# 3. Check status
./ssh-setup.sh status

Server Hardening

# 1. Check current configuration
./ssh-setup.sh check

# 2. Preview hardening changes
sudo ./ssh-setup.sh harden --port 22 --dry-run

# 3. Apply hardening
sudo ./ssh-setup.sh harden --port 22 --yes

# 4. Verify
./ssh-setup.sh status

Custom Port

# Change SSH port to 2222 and harden
sudo ./ssh-setup.sh harden --port 2222 --yes

# Restart SSH service
sudo systemctl restart sshd

# Verify the port is set
./ssh-setup.sh status

Full Automated Deployment

# Non-interactive full setup
sudo ./ssh-setup.sh all --yes --email "admin@example.com"

Connecting from Mobile (Termius, JuiceSSH, etc.)

If you get "No more authentication methods to try" on mobile SSH clients:

  1. In your SSH client, explicitly select Password as the authentication method
  2. Enter your system username and password
  3. The script sets PasswordAuthentication yes by default, so password login works

To force password auth from any client:

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host

Log File

All actions are logged to ~/.ssh/ssh-setup.log:

tail -f ~/.ssh/ssh-setup.log

Troubleshooting

SSH service not found

sudo apt install openssh-server   # Debian/Ubuntu
sudo dnf install openssh-server   # Fedora/RHEL
sudo yum install openssh-server   # CentOS

Permission denied on hardening

# Hardening requires root
sudo ./ssh-setup.sh harden

Lost SSH access after hardening

The script creates a backup at /etc/ssh/sshd_config.bak.YYYYMMDDHHMMSS:

# Restore the most recent backup (with several backups present, cp with a wildcard
# source would fail because the target is not a directory)
sudo cp "$(ls -t /etc/ssh/sshd_config.bak.* | head -n 1)" /etc/ssh/sshd_config
sudo systemctl restart sshd

Port not showing in status

Run hardening to add the explicit Port directive:

sudo ./ssh-setup.sh harden --port 22 --yes

Password auth still not working

Verify the effective configuration:

sudo sshd -T | grep -E 'passwordauthentication|kbdinteractiveauthentication'
# Both should output: yes

If AuthenticationMethods was already set in your config, check it's commented out:

grep -i 'AuthenticationMethods' /etc/ssh/sshd_config
# Lines should be prefixed with #

Check the Match all block is present at the end of the config:

tail -5 /etc/ssh/sshd_config
# Should show: Match all / PasswordAuthentication yes / KbdInteractiveAuthentication yes

Then restart SSH:

sudo systemctl restart sshd

Exit Codes

Code   Meaning
0      Success
1      General error
2      Invalid arguments
3      Missing prerequisites
4      Permission denied

License

MIT License
