fatalerrors/profile
1
0
Fork 0
Code Issues Pull Requests Projects Releases 9 Wiki Activity
Files
8fe11776cb30397e3b5d8c2357dd391784b4ccf5
profile/profile.d/ssh.sh
fatalerrors 8fe11776cb add --all-users to rmhost, hardening
2026-04-01 17:54:23 +02:00

196 lines
6.6 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# ------------------------------------------------------------------------------
# Copyright (c) 2013-2026 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
# Protected by the BSD3 license. Please read bellow for details.
#
# * Redistribution and use in source and binary forms,
# * with or without modification, are permitted provided
# * that the following conditions are met:
# *
# * Redistributions of source code must retain the above
# * copyright notice, this list of conditions and the
# * following disclaimer.
# *
# * Redistributions in binary form must reproduce the above
# * copyright notice, this list of conditions and the following
# * disclaimer in the documentation and/or other materials
# * provided with the distribution.
# *
# * Neither the name of the copyright holder nor the names
# * of any other contributors may be used to endorse or
# * promote products derived from this software without
# * specific prior written permission.
# *
# * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
# * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
# * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# * OF SUCH DAMAGE.
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# Remove host entries (name and IP) from ~/.ssh/known_hosts for the active user
# Usage: rmhost <hostname|ip> [hostname2|ip2 [...]]
rmhost()
{
local PARSED
local all_users=0
local -a known_hosts_files=()
PARSED=$(getopt -o ha --long help,all-users -n 'rmhost' -- "$@")
if [[ $? -ne 0 ]]; then return 1; fi
eval set -- "$PARSED"
while true; do
case "$1" in
-h|--help)
printf "rmhost: Remove host/IP from known_hosts files.\n\n"
printf "Usage: rmhost [--all-users] <hostname|ip> [hostname2|ip2 ...]\n\n"
printf "Options:\n"
printf " -a, --all-users Remove entries from all local users when run as root\n"
printf " -h, --help Display this help screen\n"
return 0
;;
-a|--all-users)
all_users=1
shift
;;
--)
shift
break
;;
*)
disp E "Invalid options, use \"rmhost --help\" to display usage."
return 1
;;
esac
done
[[ $# -eq 0 ]] && {
disp E "Missing argument. Use 'rmhost --help' for usage."
return 1
}
command -v ssh-keygen >/dev/null 2>&1 || {
disp E "ssh-keygen is not installed."
return 127
}
if (( all_users )); then
[[ ${EUID:-$(id -u)} -eq 0 ]] || {
disp E "Option --all-users is only available when run as root."
return 1
}
while IFS=: read -r _ _ _ _ _ home _; do
[[ -n $home && -f $home/.ssh/known_hosts ]] || continue
known_hosts_files+=("$home/.ssh/known_hosts")
done < /etc/passwd
[[ -f /etc/ssh/ssh_known_hosts ]] && \
known_hosts_files+=("/etc/ssh/ssh_known_hosts")
[[ ${#known_hosts_files[@]} -gt 0 ]] || {
disp W "No known_hosts files found for local users."
return 0
}
else
known_hosts_files=("${HOME}/.ssh/known_hosts")
fi
for target in "$@"; do
local hst="$target"
local ip=""
local v4=1
local v6=1
isipv4 "$hst" >/dev/null 2>&1; v4=$?
isipv6 "$hst" >/dev/null 2>&1; v6=$?
if [[ $v4 -eq 0 || $v6 -eq 0 ]]; then
ip="$hst"
hst=""
fi
if [[ -z ${ip:-} && -n ${hst:-} ]]; then
if command -v host >/dev/null 2>&1; then
ip=$(host "$hst" 2>/dev/null |
awk '/has address|has IPv6 address/ {print $NF; exit}')
elif command -v getent >/dev/null 2>&1; then
ip=$(getent ahosts "$hst" 2>/dev/null | awk 'NR == 1 {print $1; exit}')
else
disp W "No resolver tool found; removing hostname only for '$hst'."
fi
[[ -z ${ip:-} ]] && \
disp W "Could not resolve IP for '$hst'; removing hostname only."
fi
local known_hosts_file=""
for known_hosts_file in "${known_hosts_files[@]}"; do
if [[ -n ${hst:-} ]]; then
disp I "Removing host $hst from $known_hosts_file..."
if ! ssh-keygen -R "$hst" -f "$known_hosts_file" >/dev/null 2>&1; then
disp W "No known_hosts entry found for '$hst' in '$known_hosts_file'."
fi
fi
if [[ -n ${ip:-} ]]; then
disp I "Removing IP $ip from $known_hosts_file..."
if ! ssh-keygen -R "$ip" -f "$known_hosts_file" >/dev/null 2>&1; then
disp W "No known_hosts entry found for '$ip' in '$known_hosts_file'."
fi
fi
done
done
}
export -f rmhost
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# Login root via SSH on the given machine
# Usage: ssr <server [ssh options]>
ssr()
{
case "${1:-}" in
-h|--help)
printf "ssr: SSH into a server as root.\n\n"
printf "Usage: ssr <server> [ssh_options...]\n\n"
printf "Notes:\n"
printf " The first argument is the target server.\n"
printf " All remaining arguments are passed directly to ssh.\n\n"
printf "Examples:\n"
printf " ssr srv01\n"
printf " ssr srv01 -p 2222\n"
printf " ssr srv01 -i ~/.ssh/id_ed25519 -J bastion\n"
return 0
;;
esac
command -v ssh >/dev/null 2>&1 || {
disp E "ssh is not installed."
return 127
}
[[ $# -eq 0 || -z ${1:-} ]] && {
disp E "Please specify the server you want to log in."
return 1
}
local srv=$1
shift
ssh -Y root@"$srv" "$@"
}
export -f ssr
# ------------------------------------------------------------------------------
# EOF
Reference in New Issue View Git Blame Copy Permalink