GeoNetAgent, LDAPWeb, server-audit, server-connection
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

35 lines
1.7 KiB

#!/bin/bash
# Reset root authorized_keys — run on mailserver VM
set -e
chmod 700 /root
mkdir -p /root/.ssh
chmod 700 /root/.ssh
install -m 600 -o root -g root /tmp/geonet_mailcow_key.pub /root/.ssh/authorized_keys
cp -a /root/.ssh/authorized_keys /root/.ssh/authorized_keys2
chmod 600 /root/.ssh/authorized_keys2
sed -i 's/\r$//' /root/.ssh/authorized_keys /root/.ssh/authorized_keys2
rm -f /tmp/geonet_mailcow_key.pub
echo '--- path permissions (namei) ---'
namei -l /root/.ssh/authorized_keys 2>/dev/null || ls -ld / /root /root/.ssh /root/.ssh/authorized_keys
echo '--- hexdump (first line) ---'
hexdump -C /root/.ssh/authorized_keys | head -3
echo '--- key fingerprint ---'
ssh-keygen -lf /root/.ssh/authorized_keys
echo '--- sshd effective (root) ---'
sshd -T -C user=root,host=127.0.0.1,addr=127.0.0.1 2>/dev/null | grep -iE 'pubkey|authorizedkeys|permitroot|strictmodes' || true
echo '--- reload ssh ---'
systemctl reload ssh 2>/dev/null || systemctl reload sshd 2>/dev/null || service ssh reload 2>/dev/null || true
echo '--- local pubkey self-test ---'
TEST=/tmp/geonet_sshd_selftest
rm -f "$TEST" "$TEST.pub"
ssh-keygen -t ed25519 -f "$TEST" -N "" -q
grep -qF "$(cat "$TEST.pub")" /root/.ssh/authorized_keys || cat "$TEST.pub" >> /root/.ssh/authorized_keys
if ssh -i "$TEST" -o BatchMode=yes -o StrictHostKeyChecking=no -o PreferredAuthentications=publickey root@127.0.0.1 "echo LOCAL_KEY_OK" 2>/dev/null; then
echo "LOCAL_KEY_OK: sshd accepts pubkey for root"
grep -vF "$(cat "$TEST.pub")" /root/.ssh/authorized_keys > /root/.ssh/authorized_keys.tmp || true
mv /root/.ssh/authorized_keys.tmp /root/.ssh/authorized_keys
else
echo "LOCAL_KEY_FAIL: sshd rejects ALL pubkey for root — check /etc/ssh/sshd_config"
fi
rm -f "$TEST" "$TEST.pub"
echo RESET_OK