Created
January 22, 2024 07:50
-
-
Save tertek/364b29b60f14644807398eea1c47c80b to your computer and use it in GitHub Desktop.
Initial Setup Script for a VPS running Linux Ubuntu
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -euo pipefail | |
| ######################## | |
| ### SCRIPT VARIABLES ### | |
| ######################## | |
| # Name of the user to create and grant sudo privileges | |
| USERNAME=sammy | |
| # Whether to copy over the root user's `authorized_keys` file to the new sudo | |
| # user. | |
| COPY_AUTHORIZED_KEYS_FROM_ROOT=true | |
| # Additional public keys to add to the new sudo user | |
| # OTHER_PUBLIC_KEYS_TO_ADD=( | |
| # "ssh-rsa AAAAB..." | |
| # "ssh-rsa AAAAB..." | |
| # ) | |
| OTHER_PUBLIC_KEYS_TO_ADD=( | |
| ) | |
| #################### | |
| ### SCRIPT LOGIC ### | |
| #################### | |
| # Add sudo user and grant privileges | |
| useradd --create-home --shell "/bin/bash" --groups sudo "${USERNAME}" | |
| # Check whether the root account has a real password set | |
| encrypted_root_pw="$(grep root /etc/shadow | cut --delimiter=: --fields=2)" | |
| if [ "${encrypted_root_pw}" != "*" ]; then | |
| # Transfer auto-generated root password to user if present | |
| # and lock the root account to password-based access | |
| echo "${USERNAME}:${encrypted_root_pw}" | chpasswd --encrypted | |
| passwd --lock root | |
| else | |
| # Delete invalid password for user if using keys so that a new password | |
| # can be set without providing a previous value | |
| passwd --delete "${USERNAME}" | |
| fi | |
| # Expire the sudo user's password immediately to force a change | |
| chage --lastday 0 "${USERNAME}" | |
| # Create SSH directory for sudo user | |
| home_directory="$(eval echo ~${USERNAME})" | |
| mkdir --parents "${home_directory}/.ssh" | |
| # Copy `authorized_keys` file from root if requested | |
| if [ "${COPY_AUTHORIZED_KEYS_FROM_ROOT}" = true ]; then | |
| cp /root/.ssh/authorized_keys "${home_directory}/.ssh" | |
| fi | |
| # Add additional provided public keys | |
| for pub_key in "${OTHER_PUBLIC_KEYS_TO_ADD[@]}"; do | |
| echo "${pub_key}" >> "${home_directory}/.ssh/authorized_keys" | |
| done | |
| # Adjust SSH configuration ownership and permissions | |
| chmod 0700 "${home_directory}/.ssh" | |
| chmod 0600 "${home_directory}/.ssh/authorized_keys" | |
| chown --recursive "${USERNAME}":"${USERNAME}" "${home_directory}/.ssh" | |
| # Disable root SSH login with password | |
| sed --in-place 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config | |
| if sshd -t -q; then | |
| systemctl restart sshd | |
| fi | |
| # Add exception for SSH and then enable UFW firewall | |
| ufw allow OpenSSH | |
| ufw --force enable |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment