SSH check
#!/bin/bash
# ANSI color codes. The escape sequences are stored literally (backslash,
# zero, three, three) and are only turned into real escapes at print time
# (echo -e / printf '%b').
printf -v bold_red    '%s' '\033[1;31m'
printf -v bold_green  '%s' '\033[1;32m'
printf -v bold_yellow '%s' '\033[1;33m'
printf -v reset       '%s' '\033[0m'
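# Function to check if a file has correct permissions and ownership
#
# Arguments: $1 - expected octal mode (e.g. 700)
#            $2 - expected owner (user name)
#            $3.. - files/directories to check
# Globals:   FIX (read) - when "true", mismatches are handed to
#            fix_file_permissions instead of printing a hint
# Outputs:   one ✔/✘ report per path on stdout
# Returns:   0 when every path exists and matches, 1 otherwise
#
# `stat` differs between GNU (Linux) and BSD (macOS); the original script
# only worked with the BSD flags, so both are supported via two helpers.

# Prints the octal mode of $1 (GNU: stat -c %a, BSD: stat -f %A).
_stat_mode() {
  if stat --version >/dev/null 2>&1; then
    stat -c '%a' -- "$1"
  else
    stat -f '%A' -- "$1"
  fi
}

# Prints the owner name of $1 (GNU: stat -c %U, BSD: stat -f %Su).
_stat_owner() {
  if stat --version >/dev/null 2>&1; then
    stat -c '%U' -- "$1"
  else
    stat -f '%Su' -- "$1"
  fi
}

check_file_permissions() {
  local expected_permissions=$1
  local expected_owner=$2
  shift 2
  local files=("$@")
  local file permissions owner status=0
  for file in "${files[@]}"; do
    if [[ ! -e "$file" ]]; then
      printf '%b\n' "${bold_red}✘ $file not found.${reset}"
      status=1
      continue
    fi
    permissions=$(_stat_mode "$file")
    owner=$(_stat_owner "$file")
    if [[ "$permissions" == "$expected_permissions" && "$owner" == "$expected_owner" ]]; then
      printf '%b\n' "${bold_green}✔ $file has correct permissions and ownership.${reset}"
      continue
    fi
    status=1
    printf '%b\n' \
      "${bold_red}✘ $file has incorrect permissions and/or ownership:${reset}" \
      "${bold_red} Expected permissions: $expected_permissions${reset}" \
      "${bold_red} Expected owner: $expected_owner${reset}" \
      "${bold_red} Actual permissions: $permissions${reset}" \
      "${bold_red} Actual owner: $owner${reset}"
    # ${FIX:-} keeps this safe if the script is ever run under `set -u`.
    if [[ "${FIX:-}" == "true" ]]; then
      fix_file_permissions "$file" "$expected_permissions" "$expected_owner"
    else
      printf '%b\n' \
        "${bold_yellow}To attempt fixing the issue, run the script with the 'fix' subcommand:${reset}" \
        "${bold_yellow}./ssh_check.sh fix${reset}"
    fi
  done
  return "$status"
}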
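# Function to attempt to fix file permissions and ownership
#
# Arguments: $1 - path, $2 - octal mode to set, $3 - owner to set
# Outputs:   progress and result on stdout, failure on stderr
# Returns:   0 when both chown and chmod succeeded, 1 otherwise
#
# Uses sudo because chown to another user needs root. The original printed
# "have been fixed" unconditionally, even when sudo/chown/chmod failed.
fix_file_permissions() {
  local file=$1
  local expected_permissions=$2
  local expected_owner=$3
  printf '%b\n' "${bold_yellow}Attempting to fix permissions and ownership for $file ...${reset}"
  if sudo chown -- "$expected_owner" "$file" && sudo chmod -- "$expected_permissions" "$file"; then
    printf '%b\n' "${bold_green}Permissions and ownership for $file have been fixed.${reset}"
    return 0
  fi
  printf '%b\n' "${bold_red}✘ Failed to fix permissions and/or ownership for $file.${reset}" >&2
  return 1
}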
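# Function to check if the public key is included in the authorized_keys file
#
# Arguments: $1 - path to the PRIVATE key (ssh-keygen -y derives the public
#                 key from it; the original parameter name was misleading)
#            $2 - authorized_keys file (default: ~/.ssh/authorized_keys)
# Outputs:   ✔/✘ report on stdout
# Returns:   0 when the key is listed, 1 otherwise
#
# Two defects fixed: when ssh-keygen failed the original grepped for an empty
# string, which matches any line and reported ✔ (false positive); and the key
# material was used as a regex although it contains '+' and '/', so it is now
# matched as a fixed string.
check_public_key() {
  local private_key_path=$1
  local authorized_keys=${2:-$HOME/.ssh/authorized_keys}
  local public_key
  public_key=$(ssh-keygen -y -f "$private_key_path" 2>/dev/null)
  if [[ -z "$public_key" ]]; then
    printf '%b\n' "${bold_red}✘ Could not derive a public key from $private_key_path.${reset}"
    return 1
  fi
  if [[ ! -r "$authorized_keys" ]]; then
    printf '%b\n' "${bold_red}✘ $authorized_keys not found or not readable.${reset}"
    return 1
  fi
  if grep -qF -- "$public_key" "$authorized_keys"; then
    printf '%b\n' "${bold_green}✔ Public key is included in the authorized_keys file.${reset}"
    return 0
  fi
  printf '%b\n' "${bold_red}✘ Public key is missing from the authorized_keys file.${reset}"
  return 1
}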
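# Function to check if the SSH configuration allows password and/or public key authentication
#
# Arguments: $1 - sshd config file (default: /etc/ssh/sshd_config)
# Outputs:   ✔/✘ report on stdout
# Returns:   0 when the expected values are set, 1 otherwise
#
# Reports ✔ only when PasswordAuthentication is "yes" and PermitRootLogin is
# "yes" or "without-password". That mirrors the troubleshooting guide this
# script follows; it is a connectivity check, not a hardening check — that
# combination is the most permissive one.
# sshd keywords are case-insensitive and the FIRST occurrence of a keyword
# wins, so the lookup below is case-insensitive and stops at the first match
# (the original `grep ^Keyword | awk` would yield a multi-line value if the
# keyword appeared twice). Include and Match directives are not followed;
# `sshd -T` (needs root) prints the effective configuration.

# Prints the value of the first uncommented "<keyword> <value>" line in $1
# whose keyword equals $2 (case-insensitive); prints nothing if absent.
_sshd_option() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

check_ssh_config() {
  local config=${1:-/etc/ssh/sshd_config}
  local password_auth permit_root_login
  if [[ ! -r "$config" ]]; then
    printf '%b\n' "${bold_red}✘ Cannot read $config (try running as root).${reset}"
    return 1
  fi
  password_auth=$(_sshd_option "$config" PasswordAuthentication)
  permit_root_login=$(_sshd_option "$config" PermitRootLogin)
  if [[ "$password_auth" == "yes" && "$permit_root_login" =~ ^(yes|without-password)$ ]]; then
    printf '%b\n' "${bold_green}✔ SSH configuration allows password and/or public key authentication.${reset}"
    return 0
  fi
  printf '%b\n' \
    "${bold_red}✘ SSH configuration might not allow password and/or public key authentication.${reset}" \
    "${bold_red} PasswordAuthentication: $password_auth${reset}" \
    "${bold_red} PermitRootLogin: $permit_root_login${reset}"
  return 1
}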
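# Function to check for deprecated key algorithms in SSH configuration
#
# Arguments: $1 - sshd config file (default: /etc/ssh/sshd_config)
# Outputs:   ✔ or ✘ plus the offending lines on stdout
# Returns:   0 when no ssh-dss entry is found, 1 otherwise
#
# Looks for ssh-dss on PubkeyAcceptedKeyTypes (the legacy name the original
# checked), PubkeyAcceptedAlgorithms (its current name) and HostKeyAlgorithms,
# case-insensitively and allowing leading whitespace. An absent line means
# the compiled-in default applies, which this check cannot see; `sshd -T`
# (needs root) shows the effective list.
check_deprecated_keys() {
  local config=${1:-/etc/ssh/sshd_config}
  local deprecated_keys
  if [[ ! -r "$config" ]]; then
    printf '%b\n' "${bold_red}✘ Cannot read $config (try running as root).${reset}"
    return 1
  fi
  # grep exits 1 when nothing matches, which is the clean case here.
  deprecated_keys=$(grep -iE '^[[:space:]]*(PubkeyAcceptedKeyTypes|PubkeyAcceptedAlgorithms|HostKeyAlgorithms)[[:space:]]' -- "$config" \
    | grep -i 'ssh-dss') || true
  if [[ -z "$deprecated_keys" ]]; then
    printf '%b\n' "${bold_green}✔ No deprecated key algorithms found in SSH configuration.${reset}"
    return 0
  fi
  printf '%b\n' \
    "${bold_red}✘ Deprecated key algorithms found in SSH configuration:${reset}" \
    "${bold_red}$deprecated_keys${reset}"
  return 1
}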
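# Check SSH files and configurations based on https://docs.digitalocean.com/support/how-to-troubleshoot-ssh-authentication-issues/
#
# Globals:  HOME (read), FIX (read, via check_file_permissions)
# Outputs:  each check prints its own ✔/✘ lines on stdout
main() {
  local ssh_dir=$HOME/.ssh
  local me
  me=$(whoami)
  echo "=== Checking SSH Setup ==="
  if [[ -d "$ssh_dir" ]]; then
    # Check the directory itself as well as each entry. The glob is guarded so
    # an empty directory does not pass the literal pattern through.
    # NOTE(review): 700 is applied uniformly to every entry, as the original
    # did; confirm that is the intended policy for key and authorized_keys files.
    local entries=("$ssh_dir") f
    for f in "$ssh_dir"/*; do
      [[ -e "$f" ]] && entries+=("$f")
    done
    check_file_permissions 700 "$me" "${entries[@]}"
  else
    printf '%b\n' "${bold_red}✘ $ssh_dir not found.${reset}"
  fi
  # Check whichever of the standard private keys exist (the original only
  # looked at id_rsa) and report when none is present.
  local key found=false
  for key in "$ssh_dir"/id_ed25519 "$ssh_dir"/id_ecdsa "$ssh_dir"/id_rsa; do
    [[ -f "$key" ]] || continue
    found=true
    check_public_key "$key"
  done
  if [[ "$found" != true ]]; then
    printf '%b\n' "${bold_red}✘ No private key (id_ed25519, id_ecdsa or id_rsa) found in $ssh_dir.${reset}"
  fi
  check_ssh_config
  check_deprecated_keys
}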
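# - subcommands
#   (none)  run the checks
#   fix     run the checks and try to repair permission/ownership mismatches
#   help    print usage
# Unknown subcommands now go to stderr with a non-zero exit status (the
# original printed to stdout and exited 0).
if [[ $# -gt 0 ]]; then
  subcommand=$1
  shift
  case "$subcommand" in
    fix)
      # Prefix assignment: FIX is visible inside main (and its callees) for
      # this call only, which is what check_file_permissions reads.
      FIX="true" main
      ;;
    help|-h|--help)
      printf 'Usage: %s [fix]\n' "${0##*/}"
      ;;
    *)
      printf 'Unknown subcommand: %s\nUsage: %s [fix]\n' "$subcommand" "${0##*/}" >&2
      exit 2
      ;;
  esac
else
  main
fi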