From 3d366cd74a6e16aab84c72c01dfb1570d7798065 Mon Sep 17 00:00:00 2001
From: Justin Oros
Date: Thu, 16 Apr 2026 10:42:04 -0700
Subject: [PATCH] add disable password auth prompt with SSH restart warning to hub and spoke scripts
---
 hub/setup-hub.sh | 35 +++++++++++++++++++++++++++++++++++
 spoke/setup-spoke.sh | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
diff --git a/hub/setup-hub.sh b/hub/setup-hub.sh
index 7f83d88..4c8dbdf 100644
--- a/hub/setup-hub.sh
+++ b/hub/setup-hub.sh
@@ -131,6 +131,41 @@ else
 fi
 info "SSH server restarted."
 
+header "Password Authentication"
+read -rp "Disable password auth for $HUB_USER and use keys only? [Y/n]: " DISABLE_PASS
+DISABLE_PASS="${DISABLE_PASS:-y}"
+if [[ "${DISABLE_PASS,,}" == "y" ]]; then
+ if [ ! -s "$SSH_DIR/authorized_keys" ]; then
+ warn "No keys found in $SSH_DIR/authorized_keys — skipping password auth disable to avoid lockout."
+ else
+ if grep -q "^PasswordAuthentication" "$SSHD_CONF"; then
+ sed -i "s/^PasswordAuthentication.*/PasswordAuthentication no/" "$SSHD_CONF"
+ else
+ echo "PasswordAuthentication no" >> "$SSHD_CONF"
+ fi
+ if grep -q "^PubkeyAuthentication" "$SSHD_CONF"; then
+ sed -i "s/^PubkeyAuthentication.*/PubkeyAuthentication yes/" "$SSHD_CONF"
+ else
+ echo "PubkeyAuthentication yes" >> "$SSHD_CONF"
+ fi
+ info "Password authentication disabled for $HUB_USER."
+ echo ""
+ warn "Restarting SSH will apply the new settings."
+ warn "If you are connected via SSH, your session may drop."
+ warn "Make sure you can reconnect using your key before continuing."
+ read -rp "Press ENTER to restart SSH or CTRL+C to abort..."
+ if systemctl restart ssh 2>/dev/null; then
+ info "SSH restarted."
+ elif systemctl restart sshd 2>/dev/null; then
+ info "SSH restarted."
+ else
+ warn "Could not restart SSH — please restart it manually."
+ fi
+ fi
+else
+ info "Password authentication left enabled."
+fi
+
 header "FUSE Configuration"
 FUSE_CONF="/etc/fuse.conf"
 if [ -f "$FUSE_CONF" ]; then
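Review bot: The `sed`/`echo` edit of `$SSHD_CONF` in this hunk can be silently overridden, because sshd keeps the first value it reads for each keyword and distributions whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` read the drop-ins before the body of the file — cloud images commonly carry a drop-in with `PasswordAuthentication yes` there — so the script would report passwords disabled while they remain accepted; the identical block in spoke/setup-spoke.sh has the same problem. The change below writes a low-numbered drop-in when the Include is present and gates the restart on `sshd -t`, so a malformed edit cannot take the service down right after the user confirmed the restart. Two smaller points: `PasswordAuthentication no` is server-wide, so `info "Password authentication disabled for $HUB_USER."` overstates what the per-user prompt implies (a `Match User` block would scope it, or the message should say "all users"), and where sshd authenticates through PAM, `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on releases before OpenSSH 8.7) is likely also needed before the host is truly keys-only — confirm against the target distribution's defaults.
```shell
# … unchanged: prompt, DISABLE_PASS default, authorized_keys check …
    # sshd keeps the FIRST value it reads per keyword, and drop-ins under
    # sshd_config.d are Included before the body of sshd_config, so an
    # existing "PasswordAuthentication yes" there would override an edit
    # made further down in the main file.
    if grep -Eq '^Include[[:space:]]+/etc/ssh/sshd_config\.d/' "$SSHD_CONF" \
        && [ -d /etc/ssh/sshd_config.d ]; then
      # "00-" sorts before the distro/cloud-init drop-ins, so it is read first.
      printf 'PasswordAuthentication no\nPubkeyAuthentication yes\n' \
        > /etc/ssh/sshd_config.d/00-keys-only.conf
    else
      # … unchanged: grep/sed/echo edits of $SSHD_CONF …
    fi
    # Validate before the restart: a rejected config would leave sshd down.
    if ! sshd -t; then
      warn "sshd rejected the new configuration — not restarting SSH. Fix $SSHD_CONF first."
    else
      # … unchanged: lockout warnings, ENTER prompt and systemctl restart …
    fi
```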
diff --git a/spoke/setup-spoke.sh b/spoke/setup-spoke.sh
index bc27596..b76fa59 100644
--- a/spoke/setup-spoke.sh
+++ b/spoke/setup-spoke.sh
@@ -123,6 +123,41 @@ else
 warn "Could not enable SSH service — please start it manually."
 fi
 
+header "Password Authentication"
+read -rp "Disable password auth for $SPOKE_USER and use keys only? [Y/n]: " DISABLE_PASS
+DISABLE_PASS="${{DISABLE_PASS:-y}}"
+if [[ "${{DISABLE_PASS,,}}" == "y" ]]; then
+ if [ ! -s "$SSH_DIR/authorized_keys" ]; then
+ warn "No keys found in $SSH_DIR/authorized_keys — skipping password auth disable to avoid lockout."
+ else
+ if grep -q "^PasswordAuthentication" "$SSHD_CONF"; then
+ sed -i "s/^PasswordAuthentication.*/PasswordAuthentication no/" "$SSHD_CONF"
+ else
+ echo "PasswordAuthentication no" >> "$SSHD_CONF"
+ fi
+ if grep -q "^PubkeyAuthentication" "$SSHD_CONF"; then
+ sed -i "s/^PubkeyAuthentication.*/PubkeyAuthentication yes/" "$SSHD_CONF"
+ else
+ echo "PubkeyAuthentication yes" >> "$SSHD_CONF"
+ fi
+ info "Password authentication disabled for $SPOKE_USER."
+ echo ""
+ warn "Restarting SSH will apply the new settings."
+ warn "If you are connected via SSH, your session may drop."
+ warn "Make sure you can reconnect using your key before continuing."
+ read -rp "Press ENTER to restart SSH or CTRL+C to abort..."
+ if systemctl restart ssh 2>/dev/null; then
+ info "SSH restarted."
+ elif systemctl restart sshd 2>/dev/null; then
+ info "SSH restarted."
+ else
+ warn "Could not restart SSH — please restart it manually."
+ fi
+ fi
+else
+ info "Password authentication left enabled."
+fi
+
 header "Hostname Setup"
 CURRENT_HOSTNAME=$(hostname)
 echo -e "Current hostname: ${YELLOW}$CURRENT_HOSTNAME${NC}"
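Review bot: `DISABLE_PASS="${{DISABLE_PASS:-y}}"` and `"${{DISABLE_PASS,,}}"` in this hunk use doubled braces, which bash rejects as a bad substitution, so the default is never applied and the test never evaluates true — the script either aborts at that point or prints the error and falls through to `info "Password authentication left enabled."`, meaning the spoke never gets its password auth disabled despite the prompt. The hub hunk has the single-brace form, which is what was intended here: change the two lines to `DISABLE_PASS="${DISABLE_PASS:-y}"` and `if [[ "${DISABLE_PASS,,}" == "y" ]]; then`. This looks like a leftover `{{ }}` escape from a templating step rather than a deliberate idiom; a single dry run of the script, or shellcheck in CI, would have flagged it before merge.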