setup-hub.sh: fix sed delimiter for PasswordAuthentication/PubkeyAuthentication, guard authorized_keys creation, setup-spoke.sh: fix sed delimiter, validate spoke name charset, make find_free_port vars local, offboard-spoke.sh: validate spoke name charset, setup-network.sh: replace brittle SSID grep with python3 regex

2026-04-18 14:39:01 -07:00
parent 128b41ede9
commit 63197799b8
2 changed files with 10 additions and 7 deletions
--- a/hub/offboard-spoke.sh
+++ b/hub/offboard-spoke.sh
@@ -58,6 +58,7 @@ echo ""

 read -rp "Spoke name to offboard: " SPOKE_NAME
 [ -n "$SPOKE_NAME" ] || die "Spoke name cannot be empty"
+[[ "$SPOKE_NAME" =~ ^[a-zA-Z0-9._-]+$ ]] || die "Invalid spoke name — use only letters, numbers, dots, underscores, hyphens."

 SPOKE_LINE=$(grep "^$SPOKE_NAME " "$REGISTRY" 2>/dev/null || true)
 [ -n "$SPOKE_LINE" ] || die "Spoke '$SPOKE_NAME' not found in registry."
--- a/spoke/setup-spoke.sh
+++ b/spoke/setup-spoke.sh
@@ -176,6 +176,7 @@ CURRENT_HOSTNAME=$(hostname)
 echo -e "Current hostname: ${YELLOW}$CURRENT_HOSTNAME${NC}"
 read -rp "Enter a hostname for this spoke (e.g. rocky, gouda, camembert): " SPOKE_NAME
 SPOKE_NAME="${SPOKE_NAME:-$CURRENT_HOSTNAME}"
+[[ "$SPOKE_NAME" =~ ^[a-zA-Z0-9._-]+$ ]] || die "Spoke name '$SPOKE_NAME' contains invalid characters. Use only letters, numbers, dots, underscores, hyphens."
 hostnamectl set-hostname "$SPOKE_NAME"
 echo "$SPOKE_NAME" > /etc/hostname
 info "Hostname set to: $SPOKE_NAME"
@@ -243,12 +244,12 @@ if [[ "${DISABLE_PASS,,}" == "y" ]]; then
        warn "No key found at $KEY_PATH — skipping password auth disable to avoid lockout."
    else
        if grep -q "^PasswordAuthentication" "$SSHD_CONF"; then
-            sed -i "s/^PasswordAuthentication.*/PasswordAuthentication no/" "$SSHD_CONF"
+            sed -i "s|^PasswordAuthentication.*|PasswordAuthentication no|" "$SSHD_CONF"
        else
            echo "PasswordAuthentication no" >> "$SSHD_CONF"
        fi
        if grep -q "^PubkeyAuthentication" "$SSHD_CONF"; then
-            sed -i "s/^PubkeyAuthentication.*/PubkeyAuthentication yes/" "$SSHD_CONF"
+            sed -i "s|^PubkeyAuthentication.*|PubkeyAuthentication yes|" "$SSHD_CONF"
        else
            echo "PubkeyAuthentication yes" >> "$SSHD_CONF"
        fi
@@ -297,13 +298,14 @@ info "Scanning for a free port on $HUB_HOST starting from $START_PORT..."

 find_free_port() {
    local start="$1"
-    for PORT in $(seq "$start" $((start + 99))); do
-        RESULT=$(sudo -u "$SPOKE_USER" ssh -i "$KEY_PATH" "$HUB_USER@$HUB_HOST" "ss -tlnp | grep :$PORT" 2>/dev/null || true)
-        if [ -z "$RESULT" ]; then
-            echo "$PORT"
+    local port result
+    for port in $(seq "$start" $((start + 99))); do
+        result=$(sudo -u "$SPOKE_USER" ssh -i "$KEY_PATH" "$HUB_USER@$HUB_HOST" "ss -tlnp | grep :$port" 2>/dev/null || true)
+        if [ -z "$result" ]; then
+            echo "$port"
            return 0
        fi
-        warn "Port $PORT is in use, trying next..."
+        warn "Port $port is in use, trying next..."
    done
    return 1
 }