fix(entry.sh): Enhance SSH client configuration management and patch …

…existing config if outdated
fhem · Jan 10, 2025 · 40cd485 · 40cd485
1 parent fbd7e80
commit 40cd485
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/src/entry.sh b/src/entry.sh
@@ -54,14 +54,35 @@ generate_ssh_keys() {
 }
 
 harden_ssh_client() {
+  echo "Harden ssh client configuration for user alexa-fhem..."
   if [ ! -f ${ALEXAFHEM_DIR}/.ssh/config ]; then
+    echo "  - Create a new ssh config file..."
     printf "%s\n" \
            "IdentityFile ~/.ssh/id_ed25519" \
            "IdentityFile ~/.ssh/id_rsa" \
            "PubkeyAcceptedKeyTypes +ssh-rsa" \
            "MACs hmac-sha2-256,hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com" \
            "KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256" \
            "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com" > "${ALEXAFHEM_DIR}"/.ssh/config
+  else
+    echo "  - Existing ssh config file found. Checking if it needs patching..."
+    if ! grep -q "IdentityFile ~/.ssh/id_rsa" "${ALEXAFHEM_DIR}/.ssh/config" || \
+       ! grep -q "PubkeyAcceptedKeyTypes +ssh-rsa" "${ALEXAFHEM_DIR}/.ssh/config" || \
+       ! grep -q "MACs hmac-sha2-256,hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com" "${ALEXAFHEM_DIR}/.ssh/config" || \
+       ! grep -q "KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256" "${ALEXAFHEM_DIR}/.ssh/config" || \
+       ! grep -q "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com" "${ALEXAFHEM_DIR}/.ssh/config"; then
+      echo "  - Patching ssh config file..."
+      mv "${ALEXAFHEM_DIR}/.ssh/config" "${ALEXAFHEM_DIR}/.ssh/config.old"
+      printf "%s\n" \
+             "IdentityFile ~/.ssh/id_ed25519" \
+             "IdentityFile ~/.ssh/id_rsa" \
+             "PubkeyAcceptedKeyTypes +ssh-rsa" \
+             "MACs hmac-sha2-256,hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com" \
+             "KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256" \
+             "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com" > "${ALEXAFHEM_DIR}/.ssh/config"
+    else
+      echo "  - Existing ssh config file is up to date."
+    fi
   fi
 }