add SSH key permission checks with auto-fix to hub and spoke scripts

2026-04-16 12:58:06 -07:00
parent a79b1c59b8
commit 08799f0f7f
2 changed files with 60 additions and 0 deletions
--- a/spoke/setup-spoke.sh
+++ b/spoke/setup-spoke.sh
@@ -34,6 +34,31 @@ retry_or_abort() {
    done
 }

+check_permissions() {
+    local file="$1"
+    local label="$2"
+    if [ ! -f "$file" ]; then
+        warn "Permission check: $label not found at $file"
+        return
+    fi
+    local perms
+    perms=$(stat -c "%a" "$file" 2>/dev/null || stat -f "%OLp" "$file" 2>/dev/null)
+    if [ -z "$perms" ]; then
+        warn "Could not read permissions for $label ($file)"
+        return
+    fi
+    local world="${perms: -1}"
+    local group="${perms: -2:1}"
+    if [ "$world" != "0" ] || [ "$group" != "0" ]; then
+        warn "UNSAFE PERMISSIONS on $label ($file): $perms — should be 600 or 400"
+        warn "Fixing permissions automatically..."
+        chmod 600 "$file"
+        info "Permissions fixed: $file is now 600"
+    else
+        info "Permissions OK: $label ($file) = $perms"
+    fi
+}
+
 info()   { echo -e "${GREEN}[+]${NC} $*"; }
 warn()   { echo -e "${YELLOW}[!]${NC} $*"; }
 die()    { echo -e "${RED}[ERROR]${NC} $*" >&2; exit 1; }
@@ -224,6 +249,11 @@ else
    info "Password authentication left enabled."
 fi

+info "Checking SSH key permissions..."
+check_permissions "$KEY_PATH" "spoke SSH private key"
+[ -f "$KEY_PATH.pub" ] && check_permissions "$KEY_PATH.pub" "spoke SSH public key" || true
+check_permissions "$SSH_DIR/known_hosts" "known_hosts" || true
+
 info "Scanning hub host key..."
 sudo -u "$SPOKE_USER" touch "$SSH_DIR/known_hosts"
 chown "$SPOKE_USER":"$SPOKE_USER" "$SSH_DIR/known_hosts"