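#!/bin/bash
#
# SSH key-renewal script.
#
# Compares the SSH key material of root and of the admin account (uid 1000)
# against SHA-256 checksums published on the CDN and re-provisions any file
# whose checksum does not match, copying it from the local /.SSH/automated
# store.  Must be run as root.  Requires the CDN to be reachable and the
# /.SSH/automated/{priv,pub}/servers/ source files to exist.
#
# NOTE: the known_hosts files of root and the admin user are deleted on every
# run (announced with a 3-second grace period before deletion).
#
# Exit status: 0 on success, 1 when any step fails (see guardband).

set -u
set -o pipefail

readonly NF="\e[0m"
readonly FB="\e[1m"
readonly CG="\e[38;5;40m"
readonly CR="\e[38;5;9m"
readonly CY="\033[38;5;226m"

# Admin account = uid 1000.  Its login name and home directory are read from
# the passwd database instead of assuming /home/<name>.  (The previous version
# stored the name in USER, which overwrote bash's own USER variable.)
ADMIN_USER=$(getent passwd 1000 | cut -d: -f1)
ADMIN_HOME=$(getent passwd 1000 | cut -d: -f6)
readonly ADMIN_USER ADMIN_HOME

PC=$(uname -n | awk '{print $1}')
readonly PC

readonly CDN="https://cdn.franscorack.com"
# Local source store the keys are copied from when a checksum mismatches.
readonly SRC_PRIV="/.SSH/automated/priv/servers/id_ed25519"
readonly SRC_PUB="/.SSH/automated/pub/servers/id_ed25519.pub"

# Expected digests, filled in by verifycdn.  Initialised so that set -u never
# trips if a check function is reached without verifycdn having run.
serversidePUB=""
serversidePRIV=""

#######################################
# Abort the script if the previous command failed.
# Must be called directly after the command it guards so that $? is intact.
# Globals:   CR, NF (read)
# Outputs:   error line to stdout
# Returns:   does not return on failure (exit 1); 0 otherwise
#######################################
guardband() {
  if [ $? -ne 0 ]; then
    echo -e "${CR}Script Exited with an Error.${NF}"
    exit 1
  fi
}

#######################################
# Print the SHA-256 hex digest of a file, or "0" when the file is absent.
# "0" can never equal a real digest, so a missing file always reads as a
# mismatch (same convention as before).
# Arguments: $1 - path
# Outputs:   digest to stdout
#######################################
file_digest() {
  local path=$1
  if [[ -f "$path" ]]; then
    sha256sum -- "$path" | awk '{print $1}'
  else
    printf '0\n'
  fi
}

#######################################
# Apply the permission model used for every provisioned file:
# 700 on the .ssh directory, 600 on the file, optional recursive chown.
# Arguments: $1 - .ssh directory
#            $2 - file inside it
#            $3 - owner for chown -R, or empty to leave ownership untouched
#######################################
fix_perms() {
  local dir=$1 file=$2 owner=$3
  chmod 700 -- "$dir"
  chmod 600 -- "$file"
  if [[ -n "$owner" ]]; then
    chown -R -- "$owner" "$dir"
  fi
}

#######################################
# Check that the CDN is reachable and download the published checksums.
# Each digest is reduced to its first whitespace-separated field and must be
# 64 lowercase hex characters; an empty or malformed download is rejected here
# so that a broken CDN response can never cause a key to be replaced later.
# Globals:   CDN, CY, CR, CG, FB, NF (read); serversidePUB, serversidePRIV (written)
# Returns:   0 when both digests were obtained, 1 otherwise
#######################################
verifycdn() {
  local pub priv
  echo -e "${CY}Verifying CDN availability...${NF}"
  if ! wget -q --spider "$CDN" 2>/dev/null; then
    echo -e "${CR}Error: Cannot reach CDN for checksum verification - ${FB}Are you connected on the Internet ? / Is the CDN down ?${NF}"
    echo -e "${CR}Key-renewal script can only be ran if $CDN is reachable. Script Halted. ${NF}"
    return 1
  fi
  echo -e "${CG}CDN available for checksum downloads - ${FB}Proceeding...${NF}"

  pub=$(wget -q -O - "${CDN}/chksum/sshprov/pub" | awk '{print $1}')
  priv=$(wget -q -O - "${CDN}/chksum/sshprov/priv" | awk '{print $1}')
  if [[ ! "$pub" =~ ^[0-9a-f]{64}$ || ! "$priv" =~ ^[0-9a-f]{64}$ ]]; then
    echo -e "${CR}Error: CDN did not return valid SHA-256 checksums. Script Halted.${NF}"
    return 1
  fi
  serversidePUB=$pub
  serversidePRIV=$priv
  sleep 2
}

#######################################
# Bring one SSH file in line with the server-published checksum.
# When the digest already matches only permissions are (re)applied; otherwise
# the file is replaced from the local source store, sshd is restarted and the
# digest is verified again.
# Arguments: $1 - label for messages ("Private" / "Public")
#            $2 - target file (e.g. /root/.ssh/id_ed25519)
#            $3 - source file in the local store
#            $4 - expected SHA-256 digest
#            $5 - owner for chown -R, or empty
# Returns:   0 when the file matches (before or after provisioning), 1 otherwise
#######################################
sync_key_file() {
  local label=$1 target=$2 source=$3 expected=$4 owner=${5:-}
  local dir=${target%/*}
  local actual

  actual=$(file_digest "$target")
  if [[ "$actual" == "$expected" ]]; then
    echo -e "${CG}${label} Keys Checksum against Server - ${FB}OK${NF} ${CG}- No action needed${NF}"
    fix_perms "$dir" "$target" "$owner"
    return 0
  fi

  echo -e "${CR}${label} Keys Checksum against Server - ${FB}MISMATCH${NF} ${CR}- Provisioning... ${NF}"
  sleep 2
  # Refuse to delete the existing file when there is nothing to replace it with.
  if [[ ! -f "$source" ]]; then
    echo -e "${CR}${FB}Source ${source} not found - MANUAL INTERVENTION REQUIRED${NF}"
    return 1
  fi
  mkdir -p -- "$dir"
  rm -f -- "$target"
  cp --no-preserve=mode,ownership -- "$source" "$target" || return 1
  echo -e "${CY}key data from server -> local store${NF}"
  fix_perms "$dir" "$target" "$owner"
  echo -e "${CY}chmod -> local store${NF}"
  systemctl restart sshd
  echo -e "${CY}sshd restart${NF}"
  sleep 3

  actual=$(file_digest "$target")
  if [[ "$actual" == "$expected" ]]; then
    echo -e "${CG}${FB}CHECKSUM OK - PROVISION SUCCESS${NF}"
    return 0
  fi
  echo -e "${CR}${FB}CHECKSUM MISMATCH - MANUAL INTERVENTION REQUIRED${NF}"
  return 1
}

#######################################
# Verify/provision root's private key and authorized_keys.
# Globals:   serversidePRIV, serversidePUB (read)
# Returns:   0 on success, 1 when a file could not be brought in line
#######################################
rootcheck() {
  echo Root User Check:
  sync_key_file "Private" /root/.ssh/id_ed25519 "$SRC_PRIV" "$serversidePRIV" "" || return 1
  sync_key_file "Public" /root/.ssh/authorized_keys "$SRC_PUB" "$serversidePUB" "" || return 1
}

#######################################
# Verify/provision the admin user's private key and authorized_keys.
# Globals:   ADMIN_USER, ADMIN_HOME, serversidePRIV, serversidePUB (read)
# Returns:   0 on success, 1 when uid 1000 does not exist or a file could not
#            be brought in line
#######################################
admincheck() {
  if [[ -z "$ADMIN_USER" || -z "$ADMIN_HOME" ]]; then
    echo -e "${CR}No account with uid 1000 found - cannot run Admin User Check.${NF}"
    return 1
  fi
  echo Admin User Check:
  sync_key_file "Private" "${ADMIN_HOME}/.ssh/id_ed25519" "$SRC_PRIV" "$serversidePRIV" "$ADMIN_USER" || return 1
  sync_key_file "Public" "${ADMIN_HOME}/.ssh/authorized_keys" "$SRC_PUB" "$serversidePUB" "$ADMIN_USER" || return 1
}

#######################################
# Entry point: root check, known_hosts reset, then the key checks.
# On host "pve01" only root is processed; elsewhere the admin user as well.
#######################################
main() {
  if [[ "$UID" -ne 0 ]]; then
    echo -e "${CR}This script must be run as root.${NF}"
    exit 1
  fi

  echo -e "${CY}Warning: running this script resets known_hosts file. Abort this script using CTRL+C if you want to avoid that.${NF}"
  sleep 3
  if [[ -n "$ADMIN_HOME" ]]; then
    rm -f -- "${ADMIN_HOME}/.ssh/known_hosts"
  fi
  rm -f -- /root/.ssh/known_hosts

  verifycdn
  guardband
  rootcheck
  guardband
  if [[ "$PC" != "pve01" ]]; then
    admincheck
    guardband
  fi

  sleep 2
  echo -e "${CG}Script execution completed.${NF}"
}

main "$@"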