Refactor SSH service checks and error handling

2025-12-29 16:14:59 +00:00 · 2025-10-13 16:39:04 +01:00
parent d12d50d5be
commit e1bef0b150
1 changed files with 18 additions and 9 deletions
--- a/du_setup.sh
+++ b/du_setup.sh
@@ -750,6 +750,7 @@ cleanup_and_exit() {
            print_error "Rollback failed. SSH may not be accessible. Please check 'systemctl status $SSH_SERVICE' and 'journalctl -u $SSH_SERVICE'."
        fi
    fi
+    trap - ERR
    exit $exit_code
 }

@@ -762,6 +763,7 @@ configure_ssh() {
    # Ensure openssh-server is installed
    if ! dpkg -l openssh-server | grep -q ^ii; then
        print_error "openssh-server package is not installed."
+        trap - ERR
        return 1
    fi

@@ -775,6 +777,7 @@ configure_ssh() {
        SSH_SERVICE="sshd.service"
    else
        print_error "No SSH service or daemon detected."
+        trap - ERR
        return 1
    fi
    print_info "Using SSH service: $SSH_SERVICE"
@@ -799,6 +802,7 @@ configure_ssh() {
        # Verify the key was added
        if [[ ! -s "$AUTH_KEYS" ]]; then
            print_error "Failed to create authorized_keys file."
+            trap - ERR
            return 1
        fi
        chmod 600 "$AUTH_KEYS"; chown -R "$USERNAME:$USERNAME" "$SSH_DIR"
@@ -808,15 +812,16 @@ configure_ssh() {

    print_warning "SSH Key Authentication Required for Next Steps!"
    echo -e "${CYAN}Test SSH access from a SEPARATE terminal now:${NC}"
-    if [[ "$SERVER_IP_V4" != "unknown" ]]; then
+    if [[ -n "$SERVER_IP_V4" && "$SERVER_IP_V4" != "unknown" ]]; then
        echo -e "${CYAN}  Using IPv4: ssh -p $CURRENT_SSH_PORT $USERNAME@$SERVER_IP_V4${NC}"
    fi
-    if [[ "$SERVER_IP_V6" != "not available" ]]; then
+    if [[ -n "$SERVER_IP_V6" && "$SERVER_IP_V6" != "not available" ]]; then
        echo -e "${CYAN}  Using IPv6: ssh -p $CURRENT_SSH_PORT $USERNAME@$SERVER_IP_V6${NC}"
    fi

    if ! confirm "Can you successfully log in using your SSH key?"; then
        print_error "SSH key authentication is mandatory to proceed."
+        trap - ERR
        return 1
    fi

@@ -858,12 +863,13 @@ EOF
        print_info "This may be due to existing configuration files on the system."
        if ! confirm "Continue despite configuration warnings?"; then
            print_error "Aborting SSH configuration."
-            rm /etc/ssh/sshd_config.d/99-hardening.conf
-            rm /etc/issue.net
-            rm -rf /etc/systemd/system/ssh.socket.d
-            rm -rf /etc/systemd/system/ssh.service.d
-            rm -rf /etc/systemd/system/sshd.service.d
+            rm -f /etc/ssh/sshd_config.d/99-hardening.conf
+            rm -f /etc/issue.net
+            rm -f /etc/systemd/system/ssh.socket.d/override.conf
+            rm -f /etc/systemd/system/ssh.service.d/override.conf
+            rm -f /etc/systemd/system/sshd.service.d/override.conf
            systemctl daemon-reload
+            trap - ERR
            return 1
        fi
    fi
@@ -873,6 +879,7 @@ EOF
    sleep 5
    if ! ss -tuln | grep -q ":$SSH_PORT"; then
        print_error "SSH not listening on port $SSH_PORT after restart!"
+        trap - ERR
        return 1
    fi
    print_success "SSH service restarted on port $SSH_PORT."
@@ -882,16 +889,17 @@ EOF
    sleep 2
    if ssh -p "$SSH_PORT" -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@localhost true 2>/dev/null; then
        print_error "Root SSH login is still possible! Check configuration."
+        trap - ERR
        return 1
    else
        print_success "Confirmed: Root SSH login is disabled."
    fi

    print_warning "CRITICAL: Test new SSH connection in a SEPARATE terminal NOW!"
-    if [[ "$SERVER_IP_V4" != "unknown" ]]; then
+    if [[ -n "$SERVER_IP_V4" && "$SERVER_IP_V4" != "unknown" ]]; then
        print_info "Use IPv4: ssh -p $SSH_PORT $USERNAME@$SERVER_IP_V4"
    fi
-    if [[ "$SERVER_IP_V6" != "not available" ]]; then
+    if [[ -n "$SERVER_IP_V6" && "$SERVER_IP_V6" != "not available" ]]; then
        print_info "Use IPv6: ssh -p $SSH_PORT $USERNAME@$SERVER_IP_V6"
    fi

@@ -915,6 +923,7 @@ EOF
                else
                    print_success "Rollback successful. SSH restored on original port $PREVIOUS_SSH_PORT."
                fi
+                trap - ERR
                return 1
            fi
        fi