diff --git a/spoke/setup-spoke.sh b/spoke/setup-spoke.sh
index 88aeda1..55c8a76 100644
--- a/spoke/setup-spoke.sh
+++ b/spoke/setup-spoke.sh
@@ -125,41 +125,6 @@ fi
 SSHD_CONF="/etc/ssh/sshd_config"
-header "Password Authentication"
-read -rp "Disable password auth for $SPOKE_USER and use keys only? [Y/n]: " DISABLE_PASS
-DISABLE_PASS="${DISABLE_PASS:-y}"
-if [[ "${DISABLE_PASS,,}" == "y" ]]; then
- if [ ! -s "$SSH_DIR/authorized_keys" ]; then
- warn "No keys found in $SSH_DIR/authorized_keys — skipping password auth disable to avoid lockout."
- else
- if grep -q "^PasswordAuthentication" "$SSHD_CONF"; then
- sed -i "s/^PasswordAuthentication.*/PasswordAuthentication no/" "$SSHD_CONF"
- else
- echo "PasswordAuthentication no" >> "$SSHD_CONF"
- fi
- if grep -q "^PubkeyAuthentication" "$SSHD_CONF"; then
- sed -i "s/^PubkeyAuthentication.*/PubkeyAuthentication yes/" "$SSHD_CONF"
- else
- echo "PubkeyAuthentication yes" >> "$SSHD_CONF"
- fi
- info "Password authentication disabled for $SPOKE_USER."
- echo ""
- warn "Restarting SSH will apply the new settings."
- warn "If you are connected via SSH, your session may drop."
- warn "Make sure you can reconnect using your key before continuing."
- read -rp "Press ENTER to restart SSH or CTRL+C to abort..."
- if systemctl restart ssh 2>/dev/null; then
- info "SSH restarted."
- elif systemctl restart sshd 2>/dev/null; then
- info "SSH restarted."
- else
- warn "Could not restart SSH — please restart it manually."
- fi
- fi
-else
- info "Password authentication left enabled."
-fi
-
 header "Hostname Setup"
 CURRENT_HOSTNAME=$(hostname)
 echo -e "Current hostname: ${YELLOW}$CURRENT_HOSTNAME${NC}"
@@ -224,6 +189,41 @@ case "$KEY_CHOICE" in
 ;;
 esac
+header "Password Authentication"
+read -rp "Disable password auth for $SPOKE_USER and use keys only? [Y/n]: " DISABLE_PASS
+DISABLE_PASS="${DISABLE_PASS:-y}"
+if [[ "${DISABLE_PASS,,}" == "y" ]]; then
+ if [ ! -f "$KEY_PATH" ]; then
+ warn "No key found at $KEY_PATH — skipping password auth disable to avoid lockout."
+ else
+ if grep -q "^PasswordAuthentication" "$SSHD_CONF"; then
+ sed -i "s/^PasswordAuthentication.*/PasswordAuthentication no/" "$SSHD_CONF"
+ else
+ echo "PasswordAuthentication no" >> "$SSHD_CONF"
+ fi
+ if grep -q "^PubkeyAuthentication" "$SSHD_CONF"; then
+ sed -i "s/^PubkeyAuthentication.*/PubkeyAuthentication yes/" "$SSHD_CONF"
+ else
+ echo "PubkeyAuthentication yes" >> "$SSHD_CONF"
+ fi
+ info "Password authentication disabled for $SPOKE_USER."
+ echo ""
+ warn "Restarting SSH will apply the new settings."
+ warn "If you are connected via SSH, your session may drop."
+ warn "Make sure you can reconnect using your key before continuing."
+ read -rp "Press ENTER to restart SSH or CTRL+C to abort..."
+ if systemctl restart ssh 2>/dev/null; then
+ info "SSH restarted."
+ elif systemctl restart sshd 2>/dev/null; then
+ info "SSH restarted."
+ else
+ warn "Could not restart SSH — please restart it manually."
+ fi
+ fi
+else
+ info "Password authentication left enabled."
+fi
+
 info "Scanning hub host key..."
 sudo -u "$SPOKE_USER" touch "$SSH_DIR/known_hosts"
 chown "$SPOKE_USER":"$SPOKE_USER" "$SSH_DIR/known_hosts"
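Review bot: The lockout guard in the moved block now tests only `-f "$KEY_PATH"`, whereas the removed version tested `-s "$SSH_DIR/authorized_keys"`; a key file at KEY_PATH (apparently the key produced by the KEY_CHOICE case just above, whose body starts outside this hunk) does not establish that anyone can still authenticate to this host by public key once `PasswordAuthentication no` is written, so the check no longer prevents the lockout its own warning describes. Keep both conditions: `if [ ! -f "$KEY_PATH" ] || [ ! -s "$SSH_DIR/authorized_keys" ]; then`. Separately, the grep/sed/append edits only touch the main `$SSHD_CONF`; on hosts whose config carries an `Include /etc/ssh/sshd_config.d/*.conf` directive, a drop-in processed earlier keeps precedence (sshd uses the first value it reads), and a line appended at end of file lands inside any trailing `Match` block, so writing a dedicated drop-in file is the more reliable way to set these two options. Running `sshd -t` before the restart would also catch a configuration sshd refuses to load, which is the other way this step can lock the operator out.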