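#!/usr/bin/env bash
# Verify key-based SSH from this machine to all Proxmox management targets (read-only by default).
# Optionally install your pubkey with ssh-copy-id (you will be prompted for password once per host).
#
# Usage (repo root):
#   bash scripts/security/ensure-proxmox-ssh-access.sh
#   bash scripts/security/ensure-proxmox-ssh-access.sh --fqdn
#   bash scripts/security/ensure-proxmox-ssh-access.sh --copy   # ssh-copy-id to each target (interactive)
#
# Env: SSH_USER (default: PROXMOX_SSH_USER from ip-addresses or root)
#      SSH_KEY  (default: ~/.ssh/id_ed25519.pub or id_rsa.pub)
#
# Exit status: 0 when every target answered; 1 when any target failed or was
# skipped as unresolved, or when --copy finds no public key to install.
#
# Host-key policy: StrictHostKeyChecking=accept-new records an unknown host
# key on first contact (trust-on-first-use) but still refuses a CHANGED key.
# Pre-seed ~/.ssh/known_hosts when first contact itself must be verified.

# No -e on purpose: a failing target is counted in $fail, not fatal.
set -uo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
CONFIG_FILE="$PROJECT_ROOT/config/ip-addresses.conf"

# The config is *sourced*, i.e. executed as shell with this script's
# privileges, so it must only be writable by trusted users.
if [[ ! -r "$CONFIG_FILE" ]]; then
  printf '[ERROR] Cannot read %s\n' "$CONFIG_FILE" >&2
  exit 1
fi
# shellcheck source=/dev/null
source "$CONFIG_FILE"

SSH_USER="${SSH_USER:-${PROXMOX_SSH_USER:-root}}"
# BatchMode=yes: never fall back to a password prompt, so a host that lacks
# our key fails fast instead of hanging interactively.
SSH_OPTS=(-o BatchMode=yes -o ConnectTimeout=12 -o StrictHostKeyChecking=accept-new)

USE_FQDN=0
DO_COPY=0
for a in "$@"; do
  case "$a" in
    --fqdn) USE_FQDN=1 ;;
    --copy) DO_COPY=1 ;;
    -h | --help)
      # Print the header comment block (line 2 up to the first blank line).
      sed -n '2,/^$/p' "$0"
      exit 0
      ;;
    *) printf '[WARN] Ignoring unknown argument: %s\n' "$a" >&2 ;;
  esac
done

# Public key to install with --copy: explicit SSH_KEY wins, else the first
# of the usual defaults that exists.
PUB="${SSH_KEY:-}"
if [[ -z "$PUB" ]]; then
  for candidate in "${HOME}/.ssh/id_ed25519.pub" "${HOME}/.ssh/id_rsa.pub"; do
    if [[ -f "$candidate" ]]; then
      PUB="$candidate"
      break
    fi
  done
fi

# Under set -u an unset PROXMOX_* variable aborts here with a clear name.
targets=()
if [[ "$USE_FQDN" -eq 1 ]]; then
  targets=(
    "${PROXMOX_FQDN_ML110}"
    "${PROXMOX_FQDN_R630_01}"
    "${PROXMOX_FQDN_R630_02}"
    "${PROXMOX_FQDN_R630_03}"
    "${PROXMOX_FQDN_R630_04}"
  )
  echo "=== Proxmox SSH check (by FQDN *.sankofa.nexus) ==="
else
  targets=(
    "${PROXMOX_HOST_ML110}"
    "${PROXMOX_HOST_R630_01}"
    "${PROXMOX_HOST_R630_02}"
    "${PROXMOX_HOST_R630_03}"
    "${PROXMOX_HOST_R630_04}"
  )
  echo "=== Proxmox SSH check (by management IP) ==="
fi

#######################################
# True when $1 resolves via the system resolver (FQDN mode only).
# If getent is unavailable (non-glibc host), let ssh attempt the
# connection instead of skipping every target.
# Arguments: $1 - hostname
# Returns:   0 resolvable / getent missing, non-zero otherwise
#######################################
resolves() {
  if command -v getent >/dev/null 2>&1; then
    getent ahosts "$1" >/dev/null 2>&1
  else
    return 0
  fi
}

# One scratch file for ssh output, truncated per host and removed on every
# exit path (including Ctrl-C), so nothing is left behind in $TMPDIR.
_tmp="$(mktemp)" || {
  echo "[ERROR] mktemp failed" >&2
  exit 1
}
trap 'rm -f -- "$_tmp"' EXIT

fail=0
for t in "${targets[@]}"; do
  printf '%-28s ' "$t"
  if [[ "$USE_FQDN" -eq 1 ]] && ! resolves "$t"; then
    echo "SKIP (DNS unresolved — add UDM/local DNS or /etc/hosts; see scripts/verify/check-proxmox-mgmt-fqdn.sh --print-hosts)"
    fail=1
    continue
  fi
  # -n keeps ssh from consuming our stdin. Remote output is filtered to
  # printable ASCII before echoing: a hostile banner or hostname must not be
  # able to inject terminal escape sequences into this report.
  if ssh -n "${SSH_OPTS[@]}" "${SSH_USER}@${t}" "hostname -f 2>/dev/null || hostname" >"$_tmp" 2>&1; then
    echo "OK ($(tr -cd '[:print:]' <"$_tmp"))"
  else
    echo "FAIL"
    head -n 3 -- "$_tmp" | tr -cd '[:print:]\n' | sed 's/^/  /'
    fail=1
  fi
done

if [[ "$DO_COPY" -eq 1 ]]; then
  if [[ -z "$PUB" || ! -f "$PUB" ]]; then
    echo "[ERROR] No public key found; set SSH_KEY=path/to/id_*.pub" >&2
    exit 1
  fi
  echo ""
  echo "=== ssh-copy-id (interactive; password per host) ==="
  for t in "${targets[@]}"; do
    if [[ "$USE_FQDN" -eq 1 ]] && ! resolves "$t"; then
      echo "[SKIP] $t (unresolved)"
      continue
    fi
    echo "--- $t ---"
    # Best-effort per host: a refused or cancelled copy must not stop the loop.
    ssh-copy-id -i "$PUB" -o StrictHostKeyChecking=accept-new "${SSH_USER}@${t}" || true
  done
fi

exit "$fail"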