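#!/bin/bash
#
# EZSCALE Support SSH Key Manager
# Adds, removes, or checks the EZSCALE staff support key on a server.
#
# Usage:
#   curl -fsSL https://support.ezscale.cloud/access.sh | bash
#   curl -fsSL https://support.ezscale.cloud/access.sh | bash -s -- [add|remove|check]
#   curl -fsSL https://support.ezscale.cloud/access.sh | bash -s -- --user [add|remove|check]
#
# Security notes:
#   - EXPECTED_FINGERPRINT pins the downloaded key, but the pin lives in this
#     script. It only helps if the script itself was obtained intact, so when
#     piping from curl, compare the fingerprint against a value received out
#     of band.
#   - "add" for a non-root user writes a NOPASSWD: ALL sudoers rule for that
#     account. The rule applies to every login of the account, not only to
#     sessions authenticated with the support key.

set -euo pipefail

RED="\e[1;31m"
GREEN="\e[1;32m"
YELLOW="\e[1;33m"
CYAN="\e[1;36m"
ENDCOLOR="\e[0m"

KEY_URL="https://support.ezscale.cloud/key"
KEY_ID="support@ezscale.cloud"
EXPECTED_FINGERPRINT="SHA256:mPt2+Yoo1uQWiwWxSlKZXgN48psO5ezE2rj7Icf4Gos"
SUDOERS_FILE="/etc/sudoers.d/ezscale-support"

TARGET_USER=""

# Parse --user flag before the action.
# Globals:   TARGET_USER (written), ACTION (written)
# Arguments: the script's command-line arguments
parse_args() {
  while [[ $# -gt 0 ]]; do
    case "$1" in
      --user)
        if [[ -z "${2:-}" ]]; then
          echo -e "\n${RED}Error: --user requires a username.${ENDCOLOR}\n"
          exit 1
        fi
        TARGET_USER="$2"
        shift 2
        ;;
      *)
        ACTION="$1"
        shift
        ;;
    esac
  done
}

# Print the home directory recorded for an account, or nothing if the account
# is unknown. The name is only ever passed as data (never evaluated by the
# shell), and the returned record must match the name exactly so that a
# numeric argument cannot select an account by UID.
# Arguments: $1 - account name
# Outputs:   home directory on stdout (empty when not found)
lookup_home() {
  local user="$1"
  if command -v getent &>/dev/null; then
    { getent passwd "$user" 2>/dev/null || true; } \
      | awk -F: -v u="$user" '$1 == u { print $6; exit }'
  else
    awk -F: -v u="$user" '$1 == u { print $6; exit }' /etc/passwd 2>/dev/null
  fi
}

ACTION="add"
parse_args "$@"

# Resolve target user's home directory
if [[ -n "$TARGET_USER" ]]; then
  TARGET_HOME=""
  # A leading '-' would be read as an option by the lookup tools; no valid
  # account name starts with one, so treat it as "user does not exist".
  if [[ "$TARGET_USER" != -* ]]; then
    TARGET_HOME=$(lookup_home "$TARGET_USER") || TARGET_HOME=""
  fi
  if [[ -z "$TARGET_HOME" || ! -d "$TARGET_HOME" ]]; then
    echo -e "\n${RED}Error: User '${TARGET_USER}' does not exist or has no home directory.${ENDCOLOR}\n"
    exit 1
  fi
  AUTH_KEYS="${TARGET_HOME}/.ssh/authorized_keys"
else
  TARGET_HOME="${HOME}"
  TARGET_USER=$(whoami)
  AUTH_KEYS="${HOME}/.ssh/authorized_keys"
fi

# Print the help text and exit 0.
usage() {
  echo ""
  echo "EZSCALE Support SSH Key Manager"
  echo ""
  echo "Usage: access.sh [options] [action]"
  echo ""
  echo "Actions:"
  echo " add Install the EZSCALE support SSH key (default)"
  echo " remove Remove the EZSCALE support SSH key"
  echo " check Check if the EZSCALE support SSH key is installed"
  echo ""
  echo "Options:"
  echo " --user Target a specific user (default: current user)"
  echo " -h, --help Show this help message"
  echo ""
  echo "Examples:"
  echo " curl -fsSL https://support.ezscale.cloud/access.sh | bash"
  echo " curl -fsSL https://support.ezscale.cloud/access.sh | bash -s -- remove"
  echo " curl -fsSL https://support.ezscale.cloud/access.sh | bash -s -- --user www-data add"
  echo ""
  exit 0
}

# Fetch the public key from KEY_URL with curl or wget.
# Outputs: the key on stdout; diagnostics on stderr, because the caller
#          captures stdout and would otherwise swallow the error text.
# Returns: exits 1 when no downloader exists or the download is empty.
download_key() {
  local key=""
  if command -v curl &>/dev/null; then
    key=$(curl -fsSL "$KEY_URL" 2>/dev/null) || key=""
  elif command -v wget &>/dev/null; then
    key=$(wget -qO- "$KEY_URL" 2>/dev/null) || key=""
  else
    echo -e "\n${RED}Error: Neither curl nor wget is available. Please install one and try again.${ENDCOLOR}\n" >&2
    exit 1
  fi

  if [[ -z "$key" ]]; then
    echo -e "\n${RED}Error: Failed to download the support key. Check your internet connection.${ENDCOLOR}\n" >&2
    exit 1
  fi

  printf '%s\n' "$key"
}

# Compare the fingerprint of the downloaded key with EXPECTED_FINGERPRINT and
# abort on any difference.
# Arguments: $1 - public key text
# Returns:   exits 1 if the fingerprint cannot be computed or does not match.
verify_fingerprint() {
  local key="$1"
  local tmpfile
  tmpfile=$(mktemp)
  printf '%s\n' "$key" > "$tmpfile"

  # "|| fingerprint=''" keeps errexit/pipefail from ending the script silently
  # when ssh-keygen is missing or rejects the input; the explicit check below
  # reports the problem and the temp file is always removed.
  local fingerprint
  fingerprint=$(ssh-keygen -lf "$tmpfile" 2>/dev/null | awk '{print $2}') || fingerprint=""
  rm -f "$tmpfile"

  if [[ -z "$fingerprint" ]]; then
    echo -e "${RED}Error: Could not compute key fingerprint. Is ssh-keygen available?${ENDCOLOR}\n"
    exit 1
  fi

  if [[ "$fingerprint" != "$EXPECTED_FINGERPRINT" ]]; then
    echo -e "${RED}Error: Key fingerprint mismatch!${ENDCOLOR}"
    echo -e " Expected: ${CYAN}${EXPECTED_FINGERPRINT}${ENDCOLOR}"
    echo -e " Got: ${CYAN}${fingerprint}${ENDCOLOR}"
    echo -e "${RED}The key may have been tampered with. Aborting.${ENDCOLOR}\n"
    exit 1
  fi

  echo -e " Fingerprint: ${CYAN}${fingerprint}${ENDCOLOR} ${GREEN}✓${ENDCOLOR}"
}

# Print the lower-cased value of a keyword from the global section of an
# sshd_config file. sshd uses the first value it obtains for a keyword, and
# settings after a "Match" line are conditional, so scanning stops there.
# Include files are not followed; this is a heuristic for warnings only.
# Arguments: $1 - config path, $2 - keyword (case-insensitive)
sshd_global_value() {
  awk -v kw="$2" '
    tolower($1) == "match" { exit }
    tolower($1) == tolower(kw) { print tolower($2); exit }
  ' "$1" 2>/dev/null || true
}

# Warn when sshd_config would prevent the installed key from being used.
# Purely advisory: nothing is changed and the install continues.
check_sshd_config() {
  local sshd_config="/etc/ssh/sshd_config"
  local warnings=0

  if [[ ! -r "$sshd_config" ]]; then
    return
  fi

  # Check PubkeyAuthentication
  local pubkey_auth
  pubkey_auth=$(sshd_global_value "$sshd_config" "PubkeyAuthentication")
  if [[ "$pubkey_auth" == "no" ]]; then
    echo -e " ${YELLOW}Warning: PubkeyAuthentication is disabled in sshd_config.${ENDCOLOR}"
    echo -e " ${YELLOW} The key will be installed but SSH key login will not work until this is enabled.${ENDCOLOR}"
    warnings=$((warnings + 1))
  fi

  # Check PermitRootLogin (only relevant if installing for root)
  if [[ "$TARGET_USER" == "root" ]]; then
    local permit_root
    permit_root=$(sshd_global_value "$sshd_config" "PermitRootLogin")
    if [[ "$permit_root" == "no" ]]; then
      echo -e " ${YELLOW}Warning: PermitRootLogin is set to 'no' in sshd_config.${ENDCOLOR}"
      echo -e " ${YELLOW} Root SSH access is fully disabled. Key login will not work.${ENDCOLOR}"
      warnings=$((warnings + 1))
    elif [[ "$permit_root" == "forced-commands-only" ]]; then
      echo -e " ${YELLOW}Warning: PermitRootLogin is set to 'forced-commands-only' in sshd_config.${ENDCOLOR}"
      echo -e " ${YELLOW} Interactive root SSH sessions will not work.${ENDCOLOR}"
      warnings=$((warnings + 1))
    fi
  fi

  if [[ $warnings -gt 0 ]]; then
    echo ""
  fi
}

# Report whether the target (non-root) user appears to have sudo rights.
check_sudo() {
  # Only relevant for non-root users
  if [[ "$TARGET_USER" == "root" ]]; then
    return
  fi

  if ! command -v sudo &>/dev/null; then
    echo -e " ${YELLOW}Warning: sudo is not installed. EZSCALE support will not be able to run privileged commands.${ENDCOLOR}"
    return
  fi

  # Check if user already has sudo access
  if sudo -l -U "$TARGET_USER" 2>/dev/null | grep -q "(ALL"; then
    echo -e " Sudo: ${GREEN}enabled${ENDCOLOR}"
  else
    echo -e " Sudo: ${YELLOW}not configured${ENDCOLOR}"
  fi
}

# Give the target (non-root) user passwordless sudo through SUDOERS_FILE.
# The rule is staged in a temporary file and validated with visudo before it
# is moved into place, so an invalid rule is never live in sudoers.d.
# NOTE(review): an existing SUDOERS_FILE is reported as "already configured"
# without checking which user it names; confirm it matches TARGET_USER when
# the key is installed for more than one account.
grant_sudo() {
  # Only relevant for non-root users
  if [[ "$TARGET_USER" == "root" ]]; then
    return
  fi

  if ! command -v sudo &>/dev/null; then
    echo -e " ${YELLOW}Skipping sudo setup — sudo is not installed.${ENDCOLOR}"
    return
  fi

  # Don't overwrite if already exists
  if [[ -f "$SUDOERS_FILE" ]]; then
    echo -e " Sudo: ${GREEN}already configured${ENDCOLOR}"
    return
  fi

  # sudo skips sudoers.d entries whose names contain a '.', so the staged
  # file is inert until it is renamed.
  local staged
  if ! staged=$(mktemp "${SUDOERS_FILE}.XXXXXX" 2>/dev/null); then
    echo -e " ${RED}Error: Cannot create ${SUDOERS_FILE} — are you running as root?${ENDCOLOR}" >&2
    exit 1
  fi

  printf '%s\n' "${TARGET_USER} ALL=(ALL) NOPASSWD: ALL" > "$staged"
  chmod 440 "$staged"

  # Validate sudoers syntax
  if visudo -cf "$staged" &>/dev/null; then
    mv -f "$staged" "$SUDOERS_FILE"
    echo -e " Sudo: ${GREEN}granted (passwordless)${ENDCOLOR}"
  else
    rm -f "$staged"
    echo -e " ${RED}Error: Failed to configure sudo — invalid syntax. Removed.${ENDCOLOR}"
  fi
}

# Remove the sudoers rule written by grant_sudo, if present.
revoke_sudo() {
  if [[ -f "$SUDOERS_FILE" ]]; then
    rm -f "$SUDOERS_FILE"
    echo -e " Sudo: ${GREEN}revoked${ENDCOLOR}"
  fi
}

# Succeeds when authorized_keys holds a line containing KEY_ID.
# KEY_ID is matched as a fixed string; as a regex its '.' would match any
# character.
key_installed() {
  [[ -f "$AUTH_KEYS" ]] && grep -qF -- "$KEY_ID" "$AUTH_KEYS"
}

# Keep a copy of authorized_keys next to the original before editing it.
# -p preserves mode and ownership so the backup is no more readable than the
# file it was taken from.
backup_authorized_keys() {
  if [[ -f "$AUTH_KEYS" ]]; then
    cp -p "$AUTH_KEYS" "${AUTH_KEYS}.bak"
  fi
}

# Hand ~/.ssh back to the target user (best effort; fails quietly when the
# caller is not allowed to chown).
set_ownership() {
  if [[ -n "$TARGET_USER" ]]; then
    local target_group
    target_group=$(id -gn "$TARGET_USER" 2>/dev/null || echo "$TARGET_USER")
    chown -R "${TARGET_USER}:${target_group}" "${TARGET_HOME}/.ssh" 2>/dev/null || true
  fi
}

# Download, verify and append the support key for TARGET_USER.
do_add() {
  echo ""
  echo -e "Installing EZSCALE support SSH key for user ${CYAN}${TARGET_USER}${ENDCOLOR}..."

  if key_installed; then
    echo -e "\n${YELLOW}EZSCALE support SSH key is already installed.${ENDCOLOR}\n"
    return
  fi

  echo -e " Downloading key..."
  local key
  key=$(download_key)

  verify_fingerprint "$key"
  check_sshd_config
  grant_sudo
  backup_authorized_keys

  # NOTE(review): when this runs as root for another account, ~/.ssh belongs
  # to that account and the writes below follow symlinks. Consider refusing
  # to continue if .ssh or authorized_keys is a symlink.
  mkdir -p "${TARGET_HOME}/.ssh"
  chmod 700 "${TARGET_HOME}/.ssh"
  touch "$AUTH_KEYS"
  chmod 600 "$AUTH_KEYS"

  # If the file does not end with a newline, appending directly would glue
  # the support key onto the last existing entry and corrupt both.
  if [[ -s "$AUTH_KEYS" && -n "$(tail -c 1 "$AUTH_KEYS")" ]]; then
    echo "" >> "$AUTH_KEYS"
  fi
  printf '%s\n' "$key" >> "$AUTH_KEYS"

  set_ownership

  echo -e "\n${GREEN}EZSCALE support SSH key installed successfully.${ENDCOLOR}\n"
}

# Delete every authorized_keys line containing KEY_ID and drop the sudo rule.
do_remove() {
  echo ""

  if ! key_installed; then
    echo -e "${YELLOW}EZSCALE support SSH key is not installed for user ${TARGET_USER}.${ENDCOLOR}\n"
    return
  fi

  backup_authorized_keys

  # Filter with a fixed-string match. grep exits 1 when no line survives
  # (the file held only the support key), which is fine; anything above 1 is
  # a real error and the original file is left untouched.
  local tmpfile rc=0
  tmpfile=$(mktemp)
  grep -vF -- "$KEY_ID" "$AUTH_KEYS" > "$tmpfile" || rc=$?
  if (( rc > 1 )); then
    rm -f "$tmpfile"
    echo -e "${RED}Error: Could not read ${AUTH_KEYS}.${ENDCOLOR}\n" >&2
    exit 1
  fi
  # Write back in place so the file keeps its owner and permissions.
  cat "$tmpfile" > "$AUTH_KEYS"
  rm -f "$tmpfile"

  revoke_sudo

  echo -e "${GREEN}EZSCALE support SSH key removed successfully for user ${TARGET_USER}.${ENDCOLOR}\n"
}

# Report whether the key is installed and show the fingerprint of what is
# actually in authorized_keys, so it can be compared with the expected value.
do_check() {
  echo ""

  if key_installed; then
    echo -e "${GREEN}EZSCALE support SSH key IS installed for user ${TARGET_USER}.${ENDCOLOR}"

    # Show installed key fingerprint
    local tmpfile
    tmpfile=$(mktemp)
    grep -F -- "$KEY_ID" "$AUTH_KEYS" > "$tmpfile" || true
    local fingerprint
    fingerprint=$(ssh-keygen -lf "$tmpfile" 2>/dev/null | awk '{print $2}') || fingerprint=""
    rm -f "$tmpfile"

    if [[ -n "$fingerprint" ]]; then
      echo -e " Fingerprint: ${CYAN}${fingerprint}${ENDCOLOR}"
    fi

    check_sudo
    echo ""
  else
    echo -e "${YELLOW}EZSCALE support SSH key is NOT installed for user ${TARGET_USER}.${ENDCOLOR}\n"
  fi
}

case "${ACTION}" in
  add)
    do_add
    ;;
  remove)
    do_remove
    ;;
  check)
    do_check
    ;;
  -h|--help|help)
    usage
    ;;
  *)
    usage
    ;;
esac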