commit de13437b471c0e5d2bb7f131cd5386b25c8d5792
Author: Andrés Felipe Marulanda Hernández
Date: Tue Feb 25 15:49:18 2025 +0000
Add ssh_key_checks
diff --git a/ssh_key_checks b/ssh_key_checks
new file mode 100644
index 0000000..0734e4f
--- /dev/null
+++ b/ssh_key_checks
@@ -0,0 +1,76 @@
+#!/bin/bash
+# se debe ejecutar con usuario root por el tema de persmisos del archivo authorized_keys
+
+# Obtener configuración de authorized_keys desde sshd_config
+AUTH_KEYS_PATH=$(grep -E "^\s*AuthorizedKeysFile" /etc/ssh/sshd_config | awk '{print $2}')
+
+# Si no está definido, usar el valor por defecto
+if [[ -z "$AUTH_KEYS_PATH" ]]; then
+ AUTH_KEYS_PATH=".ssh/authorized_keys"
+fi
+
+echo "Ruta configurada para authorized_keys: $AUTH_KEYS_PATH"
+echo "------------------------------------------------------------"
+printf "%-20s %-40s %-10s %-15s %-10s\n" "Usuario" "Ruta authorized_keys" "Permisos" "SSH Habilitado" "Llaves"
+echo "------------------------------------------------------------"
+
+# Obtener usuarios permitidos y denegados en sshd_config
+ALLOW_USERS=$(grep -E "^\s*AllowUsers" /etc/ssh/sshd_config | awk '{$1=""; print $0}')
+DENY_USERS=$(grep -E "^\s*DenyUsers" /etc/ssh/sshd_config | awk '{$1=""; print $0}')
+ALLOW_GROUPS=$(grep -E "^\s*AllowGroups" /etc/ssh/sshd_config | awk '{$1=""; print $0}')
+DENY_GROUPS=$(grep -E "^\s*DenyGroups" /etc/ssh/sshd_config | awk '{$1=""; print $0}')
+
+# Leer usuarios del sistema
+while IFS=: read -r username _ _ _ _ homedir _; do
+ # Omitir usuarios sin home válido o con home en lugares extraños
+ if [[ ! -d "$homedir" || "$homedir" =~ ^(/bin|/sbin|/usr|/var|/proc|/sys|/dev|/run|/nonexistent) ]]; then
+ continue
+ fi
+
+ # Determinar la ruta real de authorized_keys
+ user_keys_path="$homedir/$AUTH_KEYS_PATH"
+
+ # Verificar si el archivo existe
+ if [[ -f "$user_keys_path" ]]; then
+ permisos=$(stat -c "%a" "$user_keys_path")
+ num_llaves=$(grep -c "ssh-" "$user_keys_path")
+ else
+ permisos="No existe"
+ num_llaves=0
+ fi
+
+ # Determinar si el usuario puede hacer SSH
+ ssh_habilitado="Sí"
+
+ if [[ -n "$ALLOW_USERS" && ! "$ALLOW_USERS" =~ "$username" ]]; then
+ ssh_habilitado="No"
+ fi
+ if [[ -n "$DENY_USERS" && "$DENY_USERS" =~ "$username" ]]; then
+ ssh_habilitado="No"
+ fi
+
+ # Si hay restricciones por grupo
+ user_groups=$(id -Gn "$username")
+ if [[ -n "$ALLOW_GROUPS" ]]; then
+ ssh_habilitado="No"
+ for group in $user_groups; do
+ if [[ "$ALLOW_GROUPS" =~ "$group" ]]; then
+ ssh_habilitado="Sí"
+ break
+ fi
+ done
+ fi
+ if [[ -n "$DENY_GROUPS" ]]; then
+ for group in $user_groups; do
+ if [[ "$DENY_GROUPS" =~ "$group" ]]; then
+ ssh_habilitado="No"
+ fi
+ done
+ fi
+
+ # Mostrar en pantalla
+ printf "%-20s %-40s %-10s %-15s %-10s\n" "$username" "$user_keys_path" "$permisos" "$ssh_habilitado" "$num_llaves"
+
+done < /etc/passwd
+
+echo "------------------------------------------------------------"
\ No newline at end of file