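#!/bin/sh
# Apply security patches to the host's OpenSSH server configuration.
#
# Steps, in order:
#   1. back up /etc/ssh/sshd_config with a timestamped suffix
#   2. uncomment the HostKey lines and drop the ecdsa one (that key is not
#      generated on these hosts)
#   3. insert a KEX / cipher / MAC / signature-algorithm allow-list directly
#      after the ed25519 HostKey line
#   4. validate the result with `sshd -t` and only then restart sshd; if
#      validation fails the backup is restored, so a broken file is never
#      handed to the daemon (a failed restart would lock out remote logins)
#
# Must run as root. Safe to re-run: the hardening block is inserted once.
#
# Caveat: this edits sshd_config in place. If the file starts with an
# `Include /etc/ssh/sshd_config.d/*.conf` line, a drop-in that sets one of
# these keywords is read first and (for most keywords) the first value wins,
# so check sshd_config.d after running. POSIX sh only -- no bashisms.
set -eu

SSHD_CONFIG=/etc/ssh/sshd_config
# First line of the block we append; used as the idempotency marker.
MARKER='# Security hardening - restrict algorithms to secure ones only'

die() { printf '[!] %s\n' "$*" >&2; exit 1; }

[ "$(id -u)" -eq 0 ] || die "this script must run as root"
[ -f "$SSHD_CONFIG" ] || die "$SSHD_CONFIG not found"

# sshd usually lives in /usr/sbin, which is not always on a non-login PATH.
SSHD_BIN=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
[ -x "$SSHD_BIN" ] || die "sshd binary not found (needed for 'sshd -t' validation)"

echo "[*] Applying SSH security patches to host..."

# Backup original config (timestamped so repeated runs never overwrite it).
backup="$SSHD_CONFIG.backup.$(date +%Y%m%d_%H%M%S)"
cp -- "$SSHD_CONFIG" "$backup"
echo "[+] Backup written to $backup"

if grep -qF -- "$MARKER" "$SSHD_CONFIG"; then
  echo "[*] Hardening block already present, leaving config unchanged"
else
  # Uncomment HostKey lines
  sed -i 's/^#HostKey/HostKey/' "$SSHD_CONFIG"

  # Remove ecdsa key line (we don't have this key)
  sed -i '/ssh_host_ecdsa_key/d' "$SSHD_CONFIG"

  # The hardening block is anchored on the ed25519 HostKey line. Without it
  # the sed append below would silently match nothing, so fail loudly instead.
  grep -q '^HostKey /etc/ssh/ssh_host_ed25519_key' "$SSHD_CONFIG" \
    || die "no 'HostKey /etc/ssh/ssh_host_ed25519_key' line in $SSHD_CONFIG; nothing to anchor on"

  # Add security settings after the ed25519 HostKey line. The allow-lists
  # drop SHA-1 MACs, CBC ciphers, NIST-curve / small-group KEX and ssh-rsa
  # (SHA-1) signatures. Existing RSA keys keep working through
  # rsa-sha2-256/512, but only with clients that implement those signature
  # algorithms. PubkeyAcceptedKeyTypes is the legacy spelling of
  # PubkeyAcceptedAlgorithms (renamed in OpenSSH 8.5); both names are
  # accepted, the old one is kept here for older daemons.
  sed -i '/HostKey \/etc\/ssh\/ssh_host_ed25519_key/a\
\
# Security hardening - restrict algorithms to secure ones only\
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512\
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com\
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\
HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512\
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-256,rsa-sha2-512\
' "$SSHD_CONFIG"
  echo "[+] SSH configuration updated"
fi

# Validate before restarting: a syntax error, or an algorithm name this
# OpenSSH build does not know, would otherwise leave sshd down after the
# restart and cut off remote access to the host.
if ! "$SSHD_BIN" -t -f "$SSHD_CONFIG"; then
  cp -- "$backup" "$SSHD_CONFIG"
  die "sshd -t rejected the new config; original restored from $backup"
fi

echo "[*] Restarting sshd service..."
systemctl restart sshd
echo "[+] SSH service restarted"
echo "[*] Run ssh-audit to verify security"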