hanxianzhai/reinstall
1
0
Fork 0
mirror of https://github.com/bin456789/reinstall.git synced 2026-05-21 05:27:41 +08:00
Code Issues Packages Projects Releases Wiki Activity

core: 必要时才修改 ssh 配置

Browse Source
This commit is contained in:
bin456789
2026-05-11 00:22:07 +08:00
parent 65c3085416
commit d95c492596
1 changed files with 75 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

111
trans.sh
View File

@ -1783,6 +1783,7 @@ install_nixos() {
if is_need_set_ssh_keys; then if is_need_set_ssh_keys; then
nix_ssh_keys_or_PermitRootLogin=" nix_ssh_keys_or_PermitRootLogin="
services.openssh.settings.PasswordAuthentication = false;
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
$(del_comment_lines </configs/ssh_keys | del_empty_lines | quote_line | add_space 2) $(del_comment_lines </configs/ssh_keys | del_empty_lines | quote_line | add_space 2)
]; ];
@ -2029,10 +2030,10 @@ basic_init() {
# 公钥/密码 # 公钥/密码
if is_need_set_ssh_keys; then if is_need_set_ssh_keys; then
set_ssh_keys_and_del_password $os_dir set_ssh_keys_and_del_password $os_dir
change_ssh_conf_for_root_key_login $os_dir
else else
change_root_password $os_dir change_root_password $os_dir
allow_root_password_login $os_dir change_ssh_conf_for_root_password_login $os_dir
allow_password_login $os_dir
fi fi
# 下载 fix-eth-name.service # 下载 fix-eth-name.service
@ -4082,30 +4083,50 @@ set_ssh_keys_and_del_password() {
chroot $os_dir passwd -d root chroot $os_dir passwd -d root
} }
# 除了 alpine 都会用到 change_ssh_conf_if_different() {
change_ssh_conf() { local os_dir=$1
os_dir=$1 local key=$2
key=$2 local value=$3
value=$3 local sub_conf=$4
sub_conf=$4 if [ -z "$sub_conf" ]; then
sub_conf=$(echo "01-$key.conf" | to_lower)
fi
if line="^$key .*" && grep -Exq "$line" $os_dir/etc/ssh/sshd_config 2>/dev/null; then # 有些发行版自带了某些配置,例如
# 如果 sshd_config 存在此 key非注释状态则替换 # ubuntu:
# cat /etc/ssh/sshd_config.d/60-cloudimg-settings.conf | grep -i PasswordAuthentication
# PasswordAuthentication no
# gentoo:
# cat /etc/ssh/sshd_config.d/9999999gentoo-pam.conf | grep -i PasswordAuthentication
# PasswordAuthentication no
# 0. 如果已经有这个配置,则不修改,避免不必要的改动
if chroot "$os_dir" sshd -G | grep -Fxiq "$key $value"; then
return
fi
if line="^$key .*" && grep -Exiq "$line" $os_dir/etc/ssh/sshd_config 2>/dev/null; then
# 1. 如果 sshd_config 存在此 key非注释状态则替换
sed -Ei "s/$line/$key $value/" $os_dir/etc/ssh/sshd_config sed -Ei "s/$line/$key $value/" $os_dir/etc/ssh/sshd_config
elif include_line='^Include.*/etc/ssh/sshd_config.d' && elif include_line='^Include .*/etc/ssh/sshd_config.d' &&
# 2. 如果 sshd_config 设置了读取 sshd_config.d
# 则写入到 sshd_config.d/01-xxx.conf
# arch 没有 /etc/ssh/sshd_config.d/ 文件夹 # arch 没有 /etc/ssh/sshd_config.d/ 文件夹
# opensuse tumbleweed 没有 /etc/ssh/sshd_config # opensuse tumbleweed 没有 /etc/ssh/sshd_config
# 有 /etc/ssh/sshd_config.d/ 文件夹 # 有 /etc/ssh/sshd_config.d/ 文件夹
# 有 /usr/etc/ssh/sshd_config # 有 /usr/etc/ssh/sshd_config
{ grep -q "$include_line" $os_dir/etc/ssh/sshd_config || { grep -iq "$include_line" $os_dir/etc/ssh/sshd_config ||
grep -q "$include_line" $os_dir/usr/etc/ssh/sshd_config; } 2>/dev/null; then grep -iq "$include_line" $os_dir/usr/etc/ssh/sshd_config; } 2>/dev/null; then
mkdir -p $os_dir/etc/ssh/sshd_config.d/ mkdir -p $os_dir/etc/ssh/sshd_config.d/
echo "$key $value" >"$os_dir/etc/ssh/sshd_config.d/$sub_conf" echo "$key $value" >"$os_dir/etc/ssh/sshd_config.d/$sub_conf"
else else
# 如果 sshd_config 存在此 key (无论是否已注释),则替换,包括删除注释 # 3. 写入 sshd_config
# 否则追加 # 如果 sshd_config 存在此 key (无论是否已注释),则替换,包括删除注释
# 否则追加
line="^[# ]*$key .*" line="^[# ]*$key .*"
if grep -Exq "$line" $os_dir/etc/ssh/sshd_config; then if grep -Exiq "$line" $os_dir/etc/ssh/sshd_config; then
sed -Ei "s/$line/$key $value/" $os_dir/etc/ssh/sshd_config sed -Ei "s/$line/$key $value/" $os_dir/etc/ssh/sshd_config
else else
echo "$key $value" >>$os_dir/etc/ssh/sshd_config echo "$key $value" >>$os_dir/etc/ssh/sshd_config
@ -4113,32 +4134,40 @@ change_ssh_conf() {
fi fi
} }
allow_password_login() { change_ssh_conf_for_root_key_login() {
os_dir=$1 local os_dir=$1
change_ssh_conf "$os_dir" PasswordAuthentication yes 01-PasswordAuthentication.conf
# 目前脚本只用 root ,不需要设置这个
# change_ssh_conf_if_different "$os_dir" PasswordAuthentication no
# 这个也不需要设置,默认就是 prohibit-password
# change_ssh_conf_if_different "$os_dir" PermitRootLogin prohibit-password
} }
allow_root_password_login() { change_ssh_conf_for_root_password_login() {
os_dir=$1 local os_dir=$1
# opensuse 16/tumbleweed 安装 openssh-server-config-rootlogin # opensuse 16/tumbleweed 安装 openssh-server-config-rootlogin
# 会生成 /usr/etc/ssh/sshd_config.d/50-permit-root-login.conf # 会生成 /usr/etc/ssh/sshd_config.d/50-permit-root-login.conf
# 但是如果用户删除了此文件,包有更新的话,可能会重新创建这个文件? # 但是如果用户删除了此文件,包有更新的话,可能会重新创建这个文件?
# 因此先不用这个方法 # 因此先不用这个方法
if false && [ -f $os_dir/etc/os-release ] && if false &&
grep -iq opensuse $os_dir/etc/os-release && [ -f $os_dir/etc/os-release ] &&
! grep -iq 15.6 $os_dir/etc/os-release; then grep -iq opensuse $os_dir/etc/os-release; then
chroot $os_dir zypper install -y openssh-server-config-rootlogin chroot $os_dir zypper install -y openssh-server-config-rootlogin
else
change_ssh_conf "$os_dir" PermitRootLogin yes 01-permitrootlogin.conf
fi fi
# PasswordAuthentication 默认是 yes
# 但某些发行版会在 sshd_config.d 里设置 PasswordAuthentication no
change_ssh_conf_if_different "$os_dir" PasswordAuthentication yes
change_ssh_conf_if_different "$os_dir" PermitRootLogin yes
} }
change_ssh_port() { change_ssh_port() {
os_dir=$1 local os_dir=$1
ssh_port=$2 local ssh_port=$2
change_ssh_conf "$os_dir" Port "$ssh_port" 01-change-ssh-port.conf change_ssh_conf_if_different "$os_dir" Port "$ssh_port"
} }
change_root_password() { change_root_password() {
@ -4595,7 +4624,11 @@ install_fnos() {
# ssh root 登录,测试用 # ssh root 登录,测试用
if false; then if false; then
allow_root_password_login $os_dir if is_need_set_ssh_keys; then
change_ssh_conf_for_root_key_login $os_dir
else
change_ssh_conf_for_root_password_login $os_dir
fi
chroot $os_dir systemctl enable ssh chroot $os_dir systemctl enable ssh
fi fi
@ -5035,11 +5068,15 @@ EOF
fi fi
# 自带的 60-cloudimg-settings.conf 禁止了 PasswordAuthentication # 自带的 60-cloudimg-settings.conf 禁止了 PasswordAuthentication
file=$os_dir/etc/ssh/sshd_config.d/60-cloudimg-settings.conf # 可删除可不删除,因为现在会先读取有效 sshd 配置再修改 sshd 配置
if [ -f $file ]; then # 如果要删除 60-cloudimg-settings.conf 则要在 change_ssh_conf_if_different 之前删除
sed -i '/^PasswordAuthentication/d' $file if false; then
if [ -z "$(cat $file)" ]; then file=$os_dir/etc/ssh/sshd_config.d/60-cloudimg-settings.conf
rm -f $file if [ -f $file ]; then
sed -i '/^PasswordAuthentication/d' $file
if [ -z "$(cat $file)" ]; then
rm -f $file
fi
fi fi
fi fi
@ -7814,7 +7851,7 @@ mount / -o remount,size=100%
sync_time || true sync_time || true
# 安装 ssh 并更改端口 # 安装 ssh 并更改端口
apk add openssh apk add openssh-server
if is_need_change_ssh_port; then if is_need_change_ssh_port; then
change_ssh_port / $ssh_port change_ssh_port / $ssh_port
fi fi
@ -7822,6 +7859,8 @@ fi
# 设置密码,添加开机启动 + 开启 ssh 服务 # 设置密码,添加开机启动 + 开启 ssh 服务
if is_need_set_ssh_keys; then if is_need_set_ssh_keys; then
set_ssh_keys_and_del_password / set_ssh_keys_and_del_password /
# 目前脚本只用 root不需要设置这个
# change_ssh_conf_if_different / PasswordAuthentication no
printf '\n' | setup-sshd printf '\n' | setup-sshd
else else
change_root_password / change_root_password /