#!/bin/bash # Reset root authorized_keys — run on mailserver VM set -e chmod 700 /root mkdir -p /root/.ssh chmod 700 /root/.ssh install -m 600 -o root -g root /tmp/geonet_mailcow_key.pub /root/.ssh/authorized_keys cp -a /root/.ssh/authorized_keys /root/.ssh/authorized_keys2 chmod 600 /root/.ssh/authorized_keys2 sed -i 's/\r$//' /root/.ssh/authorized_keys /root/.ssh/authorized_keys2 rm -f /tmp/geonet_mailcow_key.pub echo '--- path permissions (namei) ---' namei -l /root/.ssh/authorized_keys 2>/dev/null || ls -ld / /root /root/.ssh /root/.ssh/authorized_keys echo '--- hexdump (first line) ---' hexdump -C /root/.ssh/authorized_keys | head -3 echo '--- key fingerprint ---' ssh-keygen -lf /root/.ssh/authorized_keys echo '--- sshd effective (root) ---' sshd -T -C user=root,host=127.0.0.1,addr=127.0.0.1 2>/dev/null | grep -iE 'pubkey|authorizedkeys|permitroot|strictmodes' || true echo '--- reload ssh ---' systemctl reload ssh 2>/dev/null || systemctl reload sshd 2>/dev/null || service ssh reload 2>/dev/null || true echo '--- local pubkey self-test ---' TEST=/tmp/geonet_sshd_selftest rm -f "$TEST" "$TEST.pub" ssh-keygen -t ed25519 -f "$TEST" -N "" -q grep -qF "$(cat "$TEST.pub")" /root/.ssh/authorized_keys || cat "$TEST.pub" >> /root/.ssh/authorized_keys if ssh -i "$TEST" -o BatchMode=yes -o StrictHostKeyChecking=no -o PreferredAuthentications=publickey root@127.0.0.1 "echo LOCAL_KEY_OK" 2>/dev/null; then echo "LOCAL_KEY_OK: sshd accepts pubkey for root" grep -vF "$(cat "$TEST.pub")" /root/.ssh/authorized_keys > /root/.ssh/authorized_keys.tmp || true mv /root/.ssh/authorized_keys.tmp /root/.ssh/authorized_keys else echo "LOCAL_KEY_FAIL: sshd rejects ALL pubkey for root — check /etc/ssh/sshd_config" fi rm -f "$TEST" "$TEST.pub" echo RESET_OK