From d72fa1a71257030575229ecbc5b8a5c07d3110ca Mon Sep 17 00:00:00 2001
From: fatalerrors
Date: Wed, 1 Apr 2026 17:21:54 +0200
Subject: [PATCH] hardening
---
 profile.d/ssh.sh | 101 ++++++++++++++++++++++------------------------
 1 file changed, 48 insertions(+), 53 deletions(-)
diff --git a/profile.d/ssh.sh b/profile.d/ssh.sh
index 0164f95..a4e174f 100644
--- a/profile.d/ssh.sh
+++ b/profile.d/ssh.sh
@@ -59,50 +59,53 @@ rmhost()
  ;;
  *)
  disp E "Invalid options, use \"rmhost --help\" to display usage."
- break
+ return 1
  ;;
  esac
  done
- # Validation: Ensure at least one argument remains
- if [[ $# -eq 0 ]]; then
+ [[ $# -eq 0 ]] && {
  disp E "Missing argument. Use 'rmhost --help' for usage."
  return 1
- fi
+ }
+
+ command -v ssh-keygen >/dev/null 2>&1 || {
+ disp E "ssh-keygen is not installed."
+ return 127
+ }
  for target in "$@"; do
- local hst=$target
- isipv4 "$hst" >/dev/null
- local v4=$?
- isipv6 "$hst" >/dev/null
- local v6=$?
+ local hst="$target"
+ local ip=""
+ local v4=1
+ local v6=1
+
+ isipv4 "$hst" >/dev/null 2>&1; v4=$?
+ isipv6 "$hst" >/dev/null 2>&1; v6=$?
  if [[ $v4 -eq 0 || $v6 -eq 0 ]]; then
- local ip=$hst
- unset hst
+ ip="$hst"
+ hst=""
  fi
- unset v4 v6
- if [[ ! $ip && $hst ]]; then
- if ! ip=$(host "$hst" 2>/dev/null | awk '/has address/ {print $NF; exit}'); then
- disp E "Impossible to extract IP from hostname." &&
- return 1
+ if [[ -z ${ip:-} && -n ${hst:-} ]]; then
+ if command -v host >/dev/null 2>&1; then
+ ip=$(host "$hst" 2>/dev/null | awk '/has address/ {print $NF; exit}')
+ [[ -z ${ip:-} ]] && \
+ disp W "Could not resolve IP for '$hst'; removing hostname only."
+ else
+ disp W "'host' is not installed; removing hostname only for '$hst'."
  fi
- [[ -z $ip ]] && {
- disp E "Impossible to extract IP from hostname."
- return 1;
- }
  fi
- if [[ $hst ]]; then
- disp I "Removing host $hst from ssh known_host..."
- ssh-keygen -R $hst >/dev/null
+ if [[ -n ${hst:-} ]]; then
+ disp I "Removing host $hst from ssh known_hosts..."
+ ssh-keygen -R "$hst" >/dev/null
  fi
- if [[ $ip ]]; then
- disp I "Removing IP $ip from ssh known_host..."
- ssh-keygen -R $ip >/dev/null
+ if [[ -n ${ip:-} ]]; then
+ disp I "Removing IP $ip from ssh known_hosts..."
+ ssh-keygen -R "$ip" >/dev/null
  fi
- unset hst ip
  done
  }
  export -f rmhost
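Review bot: Both `ssh-keygen -R "$hst" >/dev/null` and `ssh-keygen -R "$ip" >/dev/null` discard the exit status, so a failed update of known_hosts (for example an unwritable file) is announced as "Removing ..." and rmhost still returns 0 after the loop, even though the hunk now returns 1/127 on its other failure paths. Appending `|| disp W "ssh-keygen could not update known_hosts for $hst"` (and the same for `$ip`), or folding the status into a local rc that is returned at the end, makes the outcome visible to the caller. The `awk '/has address/ {print $NF; exit}'` filter also keeps only the first A record, so a host with several IPv4 addresses, or one that resolves only to an AAAA record, keeps its IP-keyed entries; either iterate over every address line or say "first IPv4 address" in the messages. rmhost's body begins before this hunk.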
@@ -114,41 +117,33 @@ export -f rmhost
  # Usage: ssr
  ssr() {
- local PARSED
- PARSED=$(getopt -o h --long help -n 'ssr' -- "$@")
- if [[ $? -ne 0 ]]; then return 1; fi
- eval set -- "$PARSED"
-
- while true; do
- case "$1" in
- -h|--help)
- printf "ssr: SSH into a server as root.\n\n"
- printf "Usage: ssr [ssh_options...]\n\n"
- printf "Options:\n"
- printf "\t-h, --help\t\tDisplay this help screen\n"
- return 0
- ;;
- --)
- shift
- break
- ;;
- *)
- disp E "Invalid options, use \"ssr --help\" to display usage."
- return 1
- ;;
- esac
- done
+ case "${1:-}" in
+ -h|--help)
+ printf "ssr: SSH into a server as root.\n\n"
+ printf "Usage: ssr [ssh_options...]\n\n"
+ printf "Notes:\n"
+ printf " The first argument is the target server.\n"
+ printf " All remaining arguments are passed directly to ssh.\n\n"
+ printf "Examples:\n"
+ printf " ssr srv01\n"
+ printf " ssr srv01 -p 2222\n"
+ printf " ssr srv01 -i ~/.ssh/id_ed25519 -J bastion\n"
+ return 0
+ ;;
+ esac
  command -v ssh >/dev/null 2>&1 || {
  disp E "ssh is not installed."
  return 127
  }
- [[ ! $1 ]] && {
+
+ [[ $# -eq 0 || -z ${1:-} ]] && {
  disp E "Please specify the server you want to log in."
  return 1
  }
- local srv=$1 && shift
+ local srv=$1
+ shift
  ssh -Y root@"$srv" "$@"
  }
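Review bot: With the getopt loop removed, any first argument other than -h/--help is taken as the server, so `ssr -p 2222 srv01` (the option-first form the old parser rejected) now runs `ssh -Y root@-p 2222 srv01` instead of failing. A guard after the `shift`, `[[ $srv == -* ]] && { disp E "Server name must be the first argument; see 'ssr --help'."; return 1; }`, catches that mistake before it reaches ssh. Separately, the surviving `ssh -Y root@"$srv" "$@"` grants the remote root session trusted access to the local X display; unless X applications are actually run through ssr, `-X` or no forwarding flag is the safer default.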