From be1d4a57cb18ee4d80748a6a208ef197c1381144 Mon Sep 17 00:00:00 2001 From: starry <115192496+sky22333@users.noreply.github.com> Date: Thu, 27 Nov 2025 15:59:14 +0800 Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E5=8A=9F=E8=83=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 从 URL 下载公钥(-url 参数) - 完整 Alpine 支持(OpenRC / BusyBox / 无 systemctl 环境) - 可选禁用密码登录(-disable-pass 参数) - 完整兼容 systemd / service / openrc / init.d --- dev/ssh-pub.sh | 139 +++++++++++++++++++++++++++++-------------------- 1 file changed, 82 insertions(+), 57 deletions(-) diff --git a/dev/ssh-pub.sh b/dev/ssh-pub.sh index 0cc96ab..1787ff7 100644 --- a/dev/ssh-pub.sh +++ b/dev/ssh-pub.sh @@ -1,32 +1,40 @@ #!/bin/bash -# SSH公钥批量配置脚本 -# 用法: ./ssh-pub.sh -pub "your-public-key" - set -euo pipefail -# 默认配置 DEFAULT_PORT=22 SSH_PUB_KEY="" SSH_PORT="$DEFAULT_PORT" +SSH_PUB_URL="" +DISABLE_PASS=0 -# 参数解析 usage() { - echo "用法: $0 -pub \"公钥内容\" [-port 端口号]" - echo "示例: $0 -pub \"ssh-ed25519 AAAAC3Nza..................\" -port 2222" + echo "用法: $0 -pub \"公钥内容\" [-url 公钥URL] [-port 端口] [-disable-pass]" + echo "示例:" + echo " $0 -pub \"ssh-ed25519 AAAAC3N...\" -port 2222" + echo " $0 -url \"https://example.com/id_ed25519.pub\"" exit 1 } +# 参数解析 while [[ $# -gt 0 ]]; do case $1 in -pub) SSH_PUB_KEY="$2" shift 2 ;; + -url) + SSH_PUB_URL="$2" + shift 2 + ;; -port) SSH_PORT="$2" shift 2 ;; + -disable-pass) + DISABLE_PASS=1 + shift 1 + ;; -h|--help) usage ;; @@ -37,21 +45,28 @@ while [[ $# -gt 0 ]]; do esac done -# 检查必需参数 +if [[ -n "$SSH_PUB_URL" ]]; then + echo "从 URL 下载公钥: $SSH_PUB_URL" + SSH_PUB_KEY=$(curl -fsSL "$SSH_PUB_URL" || true) + + if [[ -z "$SSH_PUB_KEY" ]]; then + echo "错误: 无法从 URL 获取公钥" + exit 1 + fi +fi + if [[ -z "$SSH_PUB_KEY" ]]; then - echo "错误: 必须指定公钥 (-pub)" + echo "错误: 必须提供公钥 (-pub 或 -url)" usage fi -# 权限检查 if [[ $EUID -ne 0 ]]; then - echo "需要root权限,正在提升..." + echo "需要 root 权限,正在提升..." exec sudo "$0" "$@" fi -echo "开始配置SSH..." +echo "开始配置 SSH..." -# SSH配置文件路径检测 SSHD_CONFIG="" for config in /etc/ssh/sshd_config /etc/sshd_config; do if [[ -f "$config" ]]; then @@ -61,96 +76,106 @@ for config in /etc/ssh/sshd_config /etc/sshd_config; do done if [[ -z "$SSHD_CONFIG" ]]; then - echo "错误: 未找到SSH配置文件" + echo "错误: 未找到 sshd_config" exit 1 fi -# 备份原配置 -cp "$SSHD_CONFIG" "${SSHD_CONFIG}.backup.$(date +%s)" +# 备份 +backup="$SSHD_CONFIG.backup.$(date +%s)" +cp "$SSHD_CONFIG" "$backup" +echo "已备份到: $backup" -# 配置SSH configure_ssh() { - # 允许root登录 if grep -q "^PermitRootLogin" "$SSHD_CONFIG"; then sed -i 's/^PermitRootLogin.*/PermitRootLogin yes/' "$SSHD_CONFIG" else echo "PermitRootLogin yes" >> "$SSHD_CONFIG" fi - - # 设置端口 + if grep -q "^Port" "$SSHD_CONFIG"; then sed -i "s/^Port.*/Port $SSH_PORT/" "$SSHD_CONFIG" else echo "Port $SSH_PORT" >> "$SSHD_CONFIG" fi - - # 确保密钥认证开启 + if ! grep -q "^PubkeyAuthentication yes" "$SSHD_CONFIG"; then echo "PubkeyAuthentication yes" >> "$SSHD_CONFIG" fi + + if [[ $DISABLE_PASS -eq 1 ]]; then + if grep -q "^PasswordAuthentication" "$SSHD_CONFIG"; then + sed -i 's/^PasswordAuthentication.*/PasswordAuthentication no/' "$SSHD_CONFIG" + else + echo "PasswordAuthentication no" >> "$SSHD_CONFIG" + fi + echo "已禁用密码登录" + fi } -# 设置SSH密钥 setup_ssh_key() { mkdir -p /root/.ssh chmod 700 /root/.ssh - - # 写入公钥,避免重复 + if ! grep -Fxq "$SSH_PUB_KEY" /root/.ssh/authorized_keys 2>/dev/null; then echo "$SSH_PUB_KEY" >> /root/.ssh/authorized_keys fi - + chmod 600 /root/.ssh/authorized_keys chown -R root:root /root/.ssh } -# 重启SSH服务 - 兼容多种系统 restart_ssh() { - local ssh_service="" - - # 检测SSH服务名称 - for service in sshd ssh; do - if systemctl list-unit-files --type=service 2>/dev/null | grep -q "^${service}.service"; then - ssh_service="$service" - break + + for svc in sshd ssh; do + if command -v systemctl >/dev/null 2>&1; then + if systemctl list-unit-files | grep -q "^${svc}.service"; then + if systemctl restart "$svc" 2>/dev/null; then + echo "SSH 服务已重启 (systemctl)" + return 0 + fi + fi fi done - - if [[ -n "$ssh_service" ]]; then - if systemctl restart "$ssh_service" 2>/dev/null; then - echo "SSH服务已重启 (systemctl)" + + for cmd in "service ssh restart" "service sshd restart"; do + if $cmd 2>/dev/null; then + echo "SSH 服务已重启 (service)" + return 0 + fi + done + + for cmd in "/etc/init.d/ssh restart" "/etc/init.d/sshd restart"; do + if $cmd 2>/dev/null; then + echo "SSH 服务已重启 (init.d)" + return 0 + fi + done + + if command -v rc-service >/dev/null 2>&1; then + if rc-service sshd restart 2>/dev/null; then + echo "SSH 服务已重启 (OpenRC)" return 0 fi fi - - # 回退到传统方式 - for cmd in "service ssh restart" "service sshd restart" "/etc/init.d/ssh restart" "/etc/init.d/sshd restart"; do - if $cmd 2>/dev/null; then - echo "SSH服务已重启 (传统方式)" - return 0 - fi - done - - echo "警告: 无法自动重启SSH服务,请手动重启" + + echo "警告: 无法自动重启 SSH,请手动重启" return 1 } -# 执行配置 configure_ssh setup_ssh_key -# 验证配置 if sshd -t 2>/dev/null; then - echo "SSH配置验证通过" + echo "SSH 配置验证通过" restart_ssh else - echo "错误: SSH配置有误,正在恢复备份..." - cp "${SSHD_CONFIG}.backup."* "$SSHD_CONFIG" 2>/dev/null || true + echo "错误: SSH 配置有误,正在恢复备份..." + cp "$backup" "$SSHD_CONFIG" exit 1 fi -# 显示结果 echo -e "\n配置完成:" -echo "Root登录: 已启用" -echo "SSH端口: $SSH_PORT" -echo "公钥已添加到: /root/.ssh/authorized_keys" +echo "root 登录: 已启用" +echo "SSH 端口: $SSH_PORT" +echo "公钥已写入: /root/.ssh/authorized_keys" +[[ $DISABLE_PASS -eq 1 ]] && echo "密码登录: 已禁用"