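#!/bin/bash
# SSH Key Authentication Troubleshooter & Repair Script
# Run this ON THE REMOTE SERVER as the devops user, or as root (root is
# required for the ownership repair in step 5).
#
# Steps:
#   0.   verify the target account exists (so we never create a stray home dir)
#   1-2. ensure ~/.ssh and ~/.ssh/authorized_keys exist
#   3.   append the CI public key if its key material is not already listed
#   4-5. enforce 700/600 modes, correct ownership, and a non-writable home dir
#   6.   restore SELinux labels when restorecon is available
#   7.   report sshd_config settings that commonly block key auth
#   8-9. print the final state and recent sshd log lines for the user
#
# Overridable via environment (defaults are the original hard-coded values):
#   SSH_FIX_USER        target account (default: devops)
#   SSH_FIX_PUBLIC_KEY  full authorized_keys line to install
#
# SECURITY NOTE: running this grants login as the target user to whoever
# holds the private half of PUBLIC_KEY. The value below is a public key and
# therefore not a secret, but confirm it is the key you expect before running.

# -u catches typos in variable names; pipefail is needed for the
# "grep | tail || echo" fallback in step 9 to actually fire when grep
# finds nothing (without it the pipeline's status is tail's, always 0).
set -euo pipefail

# Deliberately not named USER: assigning that would clobber the login
# shell's $USER for every child process this script spawns.
TARGET_USER="${SSH_FIX_USER:-devops}"
HOME_DIR="/home/$TARGET_USER"
SSH_DIR="$HOME_DIR/.ssh"
AUTH_KEYS="$SSH_DIR/authorized_keys"
PUBLIC_KEY="${SSH_FIX_PUBLIC_KEY:-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKi/l+n2yRG4nDhqS8grB9xhypsuHGhzRKx1GUd7QCX adnet-ci@local}"

# Split the key line into type / base64 blob / optional comment. Presence is
# decided on the blob, not the comment: a comment is free text and a stale
# key with the same comment must not be mistaken for the expected one.
read -r KEY_TYPE KEY_BLOB KEY_COMMENT <<<"$PUBLIC_KEY" || true
if [[ -z "$KEY_TYPE" || -z "$KEY_BLOB" ]]; then
    echo "[ERROR] PUBLIC_KEY does not look like '<type> <base64> [comment]'" >&2
    exit 1
fi

echo "=== SSH Key Authentication Troubleshooter ==="
echo "Target user: $TARGET_USER"
echo "SSH dir: $SSH_DIR"
echo ""

# Check if running as correct user or root
if [[ "$EUID" -eq 0 ]]; then
    echo "[INFO] Running as root - will fix ownership"
    RUN_AS_ROOT=1
elif [[ "$(id -un)" == "$TARGET_USER" ]]; then
    echo "[INFO] Running as $TARGET_USER"
    RUN_AS_ROOT=0
else
    echo "[ERROR] Run this script as root or $TARGET_USER" >&2
    exit 1
fi

echo ""
echo "=== Step 0: Check target account ==="
# Guard against mkdir -p below creating /home/<typo>/.ssh for an account
# that does not exist (possible when running as root).
if ! id -u "$TARGET_USER" >/dev/null 2>&1; then
    echo "[ERROR] User $TARGET_USER does not exist on this host" >&2
    exit 1
fi
if [[ ! -d "$HOME_DIR" ]]; then
    echo "[ERROR] Home directory $HOME_DIR does not exist" >&2
    exit 1
fi
TARGET_GROUP="$(id -gn "$TARGET_USER")"
echo "[OK] Account exists (primary group: $TARGET_GROUP)"

echo ""
echo "=== Step 1: Check/Create .ssh directory ==="
if [[ ! -d "$SSH_DIR" ]]; then
    echo "[FIX] Creating $SSH_DIR"
    mkdir -p "$SSH_DIR"
else
    echo "[OK] Directory exists"
fi

echo ""
echo "=== Step 2: Check/Create authorized_keys ==="
if [[ ! -f "$AUTH_KEYS" ]]; then
    echo "[FIX] Creating $AUTH_KEYS"
    touch "$AUTH_KEYS"
else
    echo "[OK] File exists"
fi

echo ""
echo "=== Step 3: Check if key is present ==="
# -F: the blob is base64 and contains '+' and '/', which are regex
# metacharacters; '--' protects against a blob starting with '-'.
if grep -qF -- "$KEY_BLOB" "$AUTH_KEYS" 2>/dev/null; then
    echo "[OK] Key found in authorized_keys"
else
    if [[ -n "$KEY_COMMENT" ]] && grep -qF -- "$KEY_COMMENT" "$AUTH_KEYS" 2>/dev/null; then
        echo "[WARN] An entry with comment '$KEY_COMMENT' exists but its key material differs"
        echo "       The expected key will be added; review the old entry manually"
    fi
    echo "[FIX] Adding key to authorized_keys"
    # If the file lacks a trailing newline, a plain append would glue the new
    # key onto the previous line and corrupt both entries.
    if [[ -s "$AUTH_KEYS" && -n "$(tail -c1 "$AUTH_KEYS")" ]]; then
        printf '\n' >> "$AUTH_KEYS"
    fi
    printf '%s\n' "$PUBLIC_KEY" >> "$AUTH_KEYS"
    echo "[OK] Key added"
fi

echo ""
echo "=== Step 4: Fix permissions ==="
echo "Setting $SSH_DIR to 700..."
chmod 700 "$SSH_DIR"
echo "Setting $AUTH_KEYS to 600..."
chmod 600 "$AUTH_KEYS"
echo "[OK] Permissions fixed"

# sshd's StrictModes (on by default) also rejects keys when the home
# directory itself is group- or world-writable; that is a frequent cause
# the .ssh-only checks above miss. Report it rather than changing the
# home directory mode unasked.
HOME_MODE="$(stat -c '%a' "$HOME_DIR")"
if (( (8#$HOME_MODE & 8#022) != 0 )); then
    echo "[WARN] $HOME_DIR is group/world-writable (mode $HOME_MODE)"
    echo "       sshd with StrictModes refuses authorized_keys in that case"
    echo "       Fix: chmod go-w $HOME_DIR"
else
    echo "[OK] Home directory mode $HOME_MODE is acceptable for StrictModes"
fi

echo ""
echo "=== Step 5: Fix ownership ==="
if [[ "$RUN_AS_ROOT" -eq 1 ]]; then
    # Use the account's real primary group rather than assuming a group
    # named after the user exists.
    echo "Setting ownership to $TARGET_USER:$TARGET_GROUP..."
    chown -R "$TARGET_USER:$TARGET_GROUP" "$SSH_DIR"
    echo "[OK] Ownership fixed"
else
    OWNER="$(stat -c '%U' "$SSH_DIR")"
    if [[ "$OWNER" != "$TARGET_USER" ]]; then
        echo "[WARN] Ownership is $OWNER, should be $TARGET_USER"
        echo "[WARN] Run this script as root to fix ownership"
    else
        echo "[OK] Ownership correct"
    fi
fi

echo ""
echo "=== Step 6: SELinux context (if applicable) ==="
if command -v restorecon >/dev/null 2>&1; then
    echo "Restoring SELinux contexts..."
    # Best effort: restorecon exits non-zero on hosts without SELinux policy.
    restorecon -Rv "$SSH_DIR" 2>/dev/null || true
    echo "[OK] SELinux contexts restored"
else
    echo "[SKIP] SELinux not installed"
fi

echo ""
echo "=== Step 7: Check sshd_config ==="
SSHD_CONFIG="/etc/ssh/sshd_config"
if [[ -r "$SSHD_CONFIG" ]]; then
    echo "Checking critical settings..."
    echo "[INFO] Only the main file is inspected; Include'd files and Match"
    echo "       blocks are not. 'sudo sshd -T' shows the effective config."

    # sshd keywords are case-insensitive, hence -i.
    if grep -qiE "^\s*PubkeyAuthentication\s+no" "$SSHD_CONFIG"; then
        echo "[ERROR] PubkeyAuthentication is disabled!"
        echo "        Fix: sudo sed -i 's/^PubkeyAuthentication no/PubkeyAuthentication yes/' $SSHD_CONFIG"
    else
        echo "[OK] PubkeyAuthentication not disabled"
    fi

    AKF="$(grep -iE "^\s*AuthorizedKeysFile" "$SSHD_CONFIG" | head -1 || true)"
    if [[ -n "$AKF" ]]; then
        echo "[INFO] AuthorizedKeysFile setting: $AKF"
        echo "       Make sure it still covers $AUTH_KEYS"
    else
        echo "[OK] AuthorizedKeysFile using default"
    fi

    if grep -qiE "^\s*StrictModes\s+yes" "$SSHD_CONFIG"; then
        echo "[INFO] StrictModes enabled (permissions must be correct)"
    fi

    # Allow/Deny lists silently reject users even with a valid key.
    ACL="$(grep -iE "^\s*(AllowUsers|AllowGroups|DenyUsers|DenyGroups)\b" "$SSHD_CONFIG" || true)"
    if [[ -n "$ACL" ]]; then
        echo "[INFO] User/group restrictions present - confirm $TARGET_USER is permitted:"
        printf '       %s\n' "$ACL"
    fi
else
    echo "[WARN] Cannot read $SSHD_CONFIG"
fi

echo ""
echo "=== Step 8: Verify final state ==="
echo ""
echo "Directory listing:"
ls -la "$SSH_DIR"
echo ""
echo "authorized_keys contents:"
cat "$AUTH_KEYS"
echo ""

echo ""
echo "=== Step 9: Check auth log for clues ==="
if [[ -r /var/log/auth.log ]]; then
    echo "Recent SSH auth failures:"
    grep -i -- "sshd.*$TARGET_USER" /var/log/auth.log 2>/dev/null | tail -5 || echo "(no recent entries)"
elif [[ -r /var/log/secure ]]; then
    echo "Recent SSH auth failures:"
    grep -i -- "sshd.*$TARGET_USER" /var/log/secure 2>/dev/null | tail -5 || echo "(no recent entries)"
elif command -v journalctl >/dev/null 2>&1; then
    # journald-only hosts have neither file; match on the sshd process
    # name rather than a unit name, which differs between distros.
    echo "Recent sshd journal entries mentioning $TARGET_USER:"
    journalctl _COMM=sshd --no-pager -n 200 2>/dev/null | grep -i -- "$TARGET_USER" | tail -5 || echo "(no recent entries)"
else
    echo "[SKIP] No auth log found"
fi

echo ""
echo "=== Summary ==="
echo "If issues persist, try:"
echo "  1. Restart sshd: sudo systemctl restart sshd"
echo "  2. Test locally: ssh -v $TARGET_USER@localhost"
echo "  3. Check: sudo sshd -T | grep -i pubkey"
echo ""
echo "Test from client with: ssh devops@65.108.155.133"
echo ""
echo "=== Done ==="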