SSH Prohibit Password: Because friends don't let friends ssh with passwords

Cheat Sheet

Modern SSH deployments are key-only and don't allow root login. There are still a lot of legacy systems out there, though, so ssh-harden checks whether yours is set up that way and fixes it if it isn't.

ssh-harden will

  1. Check that some /home/*/.ssh/authorized_keys is non-empty
  2. Check that /etc/sudoers.d is not empty
  3. Optionally create a sudoer for a given user and group
  4. Disable root login
  5. Disable Password and Challenge login

USAGE
    ssh-harden [username] [sudo-group]

EXAMPLES

    sudo ssh-harden
    sudo ssh-harden app
    sudo ssh-harden "$(id -n -u)" wheel
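Steps 4 and 5 are listed above but not shown. The following does them by hand on an sshd_config and then checks what the file will actually make sshd do. It is an added example, not ssh-harden's own code; it assumes a stock OpenSSH sshd_config and takes the path as an argument so it can be rehearsed on a copy before touching /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not ssh-harden's own code: steps 4 and 5 (no root login, no
# password or challenge login) done by hand on an sshd_config, plus a check
# of what the file will actually make sshd do. Takes the config path as an
# argument so it can be rehearsed on a copy; assumes a stock OpenSSH config.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrite every "KEY ..." line, active or commented out, to "KEY VALUE", and
# append the directive if FILE never mentions KEY. Matches the canonical
# casing shipped in sshd_config (sshd itself is case-insensitive).
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -q -E "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        # sed -i differs between GNU and BSD sed, so go through a temp file;
        # cat-ing back into FILE keeps its owner and mode (0644 on a real system)
        sed -E "s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$/${key} ${value}/" \
            "$file" > "${file}.tmp"
        cat "${file}.tmp" > "$file"
        rm -f "${file}.tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_sshd_option FILE KEY
# Print the value sshd takes from FILE: the FIRST active occurrence wins and
# later duplicates are ignored. Prints "default" when FILE is silent, which
# means the compiled-in default applies (PasswordAuthentication yes,
# PermitRootLogin prohibit-password, KbdInteractiveAuthentication yes).
effective_sshd_option() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# harden_sshd_config FILE
# KbdInteractiveAuthentication is the current name of
# ChallengeResponseAuthentication (OpenSSH 8.7 and later); set both so old
# and new servers end up in the same state.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" KbdInteractiveAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# sshd_config_is_hardened FILE
# Succeed only when every directive above is in effect in FILE.
sshd_config_is_hardened() {
    [ "$(effective_sshd_option "$1" PermitRootLogin)" = no ] &&
    [ "$(effective_sshd_option "$1" PasswordAuthentication)" = no ] &&
    [ "$(effective_sshd_option "$1" KbdInteractiveAuthentication)" = no ] &&
    [ "$(effective_sshd_option "$1" PubkeyAuthentication)" = yes ]
}

# Rehearsal on a constructed sample (not a real system file): a legacy server
# that still allows root and passwords, before and after.
demo_harden() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample sshd_config
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF
    for key in PermitRootLogin PasswordAuthentication KbdInteractiveAuthentication; do
        echo "before: $key = $(effective_sshd_option "$tmp" "$key")"
    done
    harden_sshd_config "$tmp"
    for key in PermitRootLogin PasswordAuthentication KbdInteractiveAuthentication; do
        echo "after:  $key = $(effective_sshd_option "$tmp" "$key")"
    done
    sshd_config_is_hardened "$tmp" && echo "hardened: yes"
    rm -f "$tmp"
}

# "--apply /etc/ssh/sshd_config" (as root) edits the real file; no arguments
# runs the rehearsal.
if [ "${1-}" = --apply ]; then
    harden_sshd_config "${2:?path to sshd_config required}"
    sshd_config_is_hardened "$2"
else
    demo_harden
fi
```

After editing the real file, run `sshd -t` before reloading, and confirm the effective values with `sshd -T` rather than by reading the file: an `Include /etc/ssh/sshd_config.d/*.conf` drop-in (cloud-init on Ubuntu writes one) or a `Match` block can override the main file, and first match wins. Reload sshd, keep your current session open, and test a fresh key login before closing it.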

How to check for sudoers

# matches user rules (app ALL=) and group rules (%wheel ALL=) in the drop-in
# directory; /etc/sudoers itself is not covered, so for one user the
# definitive answer is `sudo -l -U app`
sudo sh -c 'grep -E "^%?[[:alnum:]_.-]+[[:space:]]+ALL=" /etc/sudoers.d/*'

How to check for authorized ssh users

Quick 'n' Easy

# key lines start with the key type (ssh-*, ecdsa-*, sk-* for FIDO keys);
# the third field is the key comment. Lines with leading options such as
# command="..." or from="..." are not matched.
sudo sh -c "grep -h -E '^(ssh|ec|sk-)' /home/*/.ssh/authorized_keys" |
    cut -d' ' -f3 |
    sort -u

Detailed

my_authorized=''
for my_file in /home/*/.ssh/authorized_keys; do
    # if nothing matches, the shell leaves the glob as a literal string
    if test "${my_file}" = '/home/*/.ssh/authorized_keys'; then
        break
    fi

    echo "${my_file} authorizes:"
    # key lines start with the key type (ssh-*, ecdsa-*, sk-* for FIDO keys);
    # lines with leading options such as command="..." are not matched
    if ! grep -q -E '^(ssh|ec|sk-)' "${my_file}"; then
        echo "    (none)"
        continue
    fi

    # -E is required here: without it grep treats ( and | as literal characters
    grep -E '^(ssh|ec|sk-)' "${my_file}" | cut -d' ' -f3 | while read -r my_comment; do
        echo "    ${my_comment:-(no comment)}"
    done
    my_authorized='true'
done

if test -z "${my_authorized}"; then
    echo >&2 ""
    echo >&2 "ERROR"
    echo >&2 "    No authorized remote users found."
    echo >&2 ""
    exit 1
fi

How to add a passwordless sudoer

# the file name must not contain '.' or end in '~' (sudo ignores such files);
# tighten it to mode 0440 afterwards and check it with visudo -c, because one
# unparseable file in /etc/sudoers.d disables sudo for everyone
echo "app ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/app
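The one-liner above works for a user named app, but a user whose name contains a dot (john.doe) would get a drop-in that sudo silently ignores, and a typo in the rule disables sudo for everyone until root fixes it. The following is an added example, not ssh-harden's own code, that creates the same rule the safe way; it takes an optional directory so it can be rehearsed in a scratch directory, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not ssh-harden's own code: create the passwordless sudoer
# the way /etc/sudoers.d expects it and refuse to leave a broken file behind.
# DIR defaults to /etc/sudoers.d (needs root); pass a scratch directory to
# rehearse without touching the system.
set -eu

# sudoers_drop_in_name USER
# sudo skips any file in sudoers.d whose name contains '.' or ends in '~'
# (that is how package managers park disabled or backup files). A user such
# as "john.doe" would otherwise get a file that never takes effect, so map
# every other character to '_' for the FILE NAME only; the rule inside still
# names the real user.
sudoers_drop_in_name() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9_-' '_'
}

# add_nopasswd_sudoer USER [DIR]
# Write "USER ALL=(ALL:ALL) NOPASSWD: ALL" to DIR/<name> with mode 0440, the
# mode sudo expects for its drop-ins, and validate it with visudo when one is
# installed. A single syntax error in sudoers.d disables sudo for EVERYONE,
# so a rejected file is deleted rather than installed. Prints the final path.
add_nopasswd_sudoer() {
    user=$1
    dir=${2:-/etc/sudoers.d}
    target="${dir}/$(sudoers_drop_in_name "$user")"
    # write under a name containing '.', which sudo ignores until the rename
    tmp="${target}.tmp"
    (umask 077; printf '%s ALL=(ALL:ALL) NOPASSWD: ALL\n' "$user" > "$tmp")
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1 && ! visudo -c -q -f "$tmp"; then
        rm -f "$tmp"
        echo "refusing to install ${target}: visudo rejected it" >&2
        return 1
    fi
    mv "$tmp" "$target"
    printf '%s\n' "$target"
}

# list_sudoer_rules [DIR]
# Print every user rule (app ALL=) and group rule (%wheel ALL=) in DIR as
# "file:rule", skipping the files sudo itself would skip.
list_sudoer_rules() {
    dir=${1:-/etc/sudoers.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in *.*|*~) continue ;; esac
        grep -H -E '^%?[[:alnum:]_.-]+[[:space:]]+ALL=' "$f" || true
    done
}

# "--apply USER" (as root) installs into /etc/sudoers.d; no arguments runs a
# rehearsal in a scratch directory and nothing under /etc is touched.
if [ "${1-}" = --apply ]; then
    add_nopasswd_sudoer "${2:?user name required}"
else
    scratch=$(mktemp -d)
    add_nopasswd_sudoer john.doe "$scratch"
    add_nopasswd_sudoer app "$scratch"
    list_sudoer_rules "$scratch"
    rm -rf "$scratch"
fi
```

With `-f`, `visudo -c` checks the syntax of just that file, so it can be run on the temporary copy before it lands under the name sudo will read. Confirm the result from the user's side with `sudo -l -U john.doe`.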

How to copy allowed keys from root to the new user (run as root, so $HOME is /root):

mkdir -p /home/app/.ssh/
chmod 0700 /home/app/.ssh/

cat "$HOME/.ssh/authorized_keys" >> /home/app/.ssh/authorized_keys
chmod 0600 /home/app/.ssh/authorized_keys

chown -R app:app /home/app/.ssh/
