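#!/bin/bash
# Hardens local and SSH authentication on a Debian/Ubuntu host:
#   1.3-1.5  password policy (pwquality, pwhistory, ageing via login.defs/chage)
#   1.6      TOTP second factor (pam_google_authenticator) on sshd/su/sudo/login
#   1.7      sshd restricted to keyboard-interactive (password + TOTP), no root login
#   1.8      root account locked, only if the target user can still escalate via sudo
#   1.9      sshd_config validated before reload, restored from backup if invalid
# then prints a series of checks. Every edited file is copied to $BACKUP_DIR first.
#
# Usage: sudo bash <this script>
# Target user: $SUDO_USER, else logname, else "isen".
set -eu

# Print a message on stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

[ "$(id -u)" -eq 0 ] || die "Lance avec sudo"
REAL_USER="${SUDO_USER:-$(logname 2>/dev/null || echo isen)}"
# Fail before touching anything: chage/passwd further down would otherwise
# abort only after PAM files have already been rewritten.
id "$REAL_USER" >/dev/null 2>&1 || die "Utilisateur inconnu : $REAL_USER"
# Home directory from the passwd database rather than assuming /home/$REAL_USER.
REAL_HOME="$(getent passwd "$REAL_USER" | cut -d: -f6)"
echo "User cible : $REAL_USER"

echo "=== 1.1 Paquets ==="
apt-get update -qq
DEBIAN_FRONTEND=noninteractive apt-get install -y -qq \
  libpam-google-authenticator libpam-pwquality libpam-modules qrencode

echo "=== 1.2 Backup ==="
# Timestamped copy of every file this script rewrites (pwquality.conf included,
# since 1.3 overwrites it). Missing files are skipped silently.
BACKUP_DIR="/etc/pam.d.backup-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$BACKUP_DIR"
for f in \
  /etc/pam.d/sshd \
  /etc/pam.d/su \
  /etc/pam.d/sudo \
  /etc/pam.d/login \
  /etc/pam.d/common-password \
  /etc/security/pwquality.conf \
  /etc/ssh/sshd_config \
  /etc/login.defs ; do
  cp -p -- "$f" "$BACKUP_DIR/" 2>/dev/null || true
done
echo "Backup : $BACKUP_DIR"

echo "=== 1.3 pwquality.conf ==="
# Whole-file replacement; the previous version is in $BACKUP_DIR.
cat > /etc/security/pwquality.conf <<'EOF'
minlen = 12
minclass = 3
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
maxsequence = 3
difok = 5
enforce_for_root
EOF

echo "=== 1.4 common-password ==="
# Quality check, then history (last 5), then the yescrypt-hashed unix password.
cat > /etc/pam.d/common-password <<'EOF'
password requisite pam_pwquality.so retry=3
password required pam_pwhistory.so remember=5 use_authtok
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
password requisite pam_deny.so
password required pam_permit.so
EOF

echo "=== 1.5 login.defs + chage ==="
# login.defs only affects accounts created later; chage applies the same
# ageing to the existing target user.
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS\t90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS\t1/' /etc/login.defs
sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE\t7/' /etc/login.defs
chage -M 90 -m 1 -W 7 "$REAL_USER"

echo "=== 1.6 PAM TOTP ==="
# nullok: a user without ~/.google_authenticator is let through without a
# code so enrolment can happen first; drop it once every account is enrolled.
readonly LINE='auth required pam_google_authenticator.so nullok'
for f in /etc/pam.d/sshd /etc/pam.d/su /etc/pam.d/sudo /etc/pam.d/login; do
  if grep -q pam_google_authenticator "$f" 2>/dev/null; then
    echo " $f : deja la"
  else
    echo "$LINE" >> "$f"
    echo " $f : ajoute"
  fi
done

echo "=== 1.7 sshd_config ==="
# Each directive is rewritten in place (commented or not) and appended only
# when absent, so an existing conflicting value cannot survive.
sed -i 's/^#*KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/' /etc/ssh/sshd_config
sed -i 's/^#*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
sed -i 's/^#*UsePAM.*/UsePAM yes/' /etc/ssh/sshd_config
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
# Only keyboard-interactive (PAM: password + TOTP) is accepted; public-key-only
# logins are refused once this is in place.
sed -i 's/^#*AuthenticationMethods.*/AuthenticationMethods keyboard-interactive/' /etc/ssh/sshd_config
grep -q '^AuthenticationMethods' /etc/ssh/sshd_config \
  || echo 'AuthenticationMethods keyboard-interactive' >> /etc/ssh/sshd_config
grep -q '^PermitRootLogin' /etc/ssh/sshd_config \
  || echo 'PermitRootLogin no' >> /etc/ssh/sshd_config

echo "=== 1.8 Lock root ==="
# Lock root only if the target user keeps a way to escalate. A test of the
# form "sudo -u user -n true" run as root always succeeds and proves nothing,
# so group membership in sudo/wheel is checked instead.
if id -nG "$REAL_USER" | tr ' ' '\n' | grep -qx -e sudo -e wheel; then
  passwd -l root
  echo " root verrouille"
else
  echo " $REAL_USER n'est pas dans le groupe sudo/wheel. Root NON locke."
fi

echo "=== 1.9 Reload sshd ==="
# Under set -e a failing "sshd -t && reload" list would be ignored and leave a
# broken config for the next restart; restore the backup and stop instead.
if sshd -t; then
  systemctl reload ssh
else
  cp -p -- "$BACKUP_DIR/sshd_config" /etc/ssh/sshd_config 2>/dev/null || true
  die "sshd_config invalide : version d'origine restauree depuis $BACKUP_DIR"
fi

# ---- Report section: purely informational. Commands that legitimately return
# non-zero (no grep match, rejected password, inactive unit) get "|| true" so
# that set -e does not cut the report short.
echo ""
echo "=========================================="
echo "TESTS"
echo "=========================================="
echo ""
echo "--- chage -l $REAL_USER ---"
chage -l "$REAL_USER"
echo ""
echo "--- passwd -S root (doit etre L) ---"
passwd -S root
echo ""
echo "--- sshd_config ---"
grep -E "^(KbdInteractive|UsePAM|AuthenticationMethods|PermitRootLogin)" /etc/ssh/sshd_config || true
echo ""
echo "--- PAM sshd ---"
grep -E "google_auth|common-auth|faillock" /etc/pam.d/sshd || true
echo ""
echo "--- Faillock ---"
faillock --user "$REAL_USER" | head -10 || true
echo ""
echo "--- TOTP file ---"
ls -la "$REAL_HOME/.google_authenticator" 2>&1 || true
echo ""
echo "--- Heure ---"
date
timedatectl | grep -E "Local time|NTP" | sed 's/^[[:space:]]*//'
echo ""
echo "--- pwscore ---"
# pwscore is expected to reject the first sample; its non-zero status must not
# abort the script.
for mdp in "12345678" "Tp2026Cyber!"; do
  echo "[$mdp]"
  printf '%s\n' "$mdp" | pwscore || true
done
echo ""
echo "--- sshd actif ? ---"
systemctl is-active ssh || true
echo ""
echo "FIN. Backup : $BACKUP_DIR"
echo ""
echo "Tests interactifs :"
echo " ssh $REAL_USER@localhost # password + verification code"
echo " sudo -k && sudo whoami # idem"
echo " su - # doit echouer (root locked)"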