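#!/bin/sh
# Check SSH security configuration
#
# Reports the bit length of the RSA and Ed25519 host keys under /etc/ssh and
# whether sshd_config carries the expected HostKey, KexAlgorithms, Ciphers and
# MACs entries.  Caveats a reader should keep in mind:
#   * The algorithm checks are presence-based: they confirm that the named
#     modern algorithm appears on an active line, not that weaker algorithms
#     are absent from the same list.
#   * Only /etc/ssh/sshd_config itself is read; drop-in files pulled in via an
#     Include directive are not examined.  `sshd -T` prints the effective
#     configuration when run with sufficient privileges.
#   * Commented-out lines (e.g. "#HostKey ...") are ignored, so a directive
#     that is only present as a comment is reported as not configured.
set -u

SSHD_CONFIG=/etc/ssh/sshd_config

# cfg_has PATTERN [FILE]
# True when an uncommented line of FILE (default: $SSHD_CONFIG) begins with
# PATTERN (an extended regex, optionally preceded by whitespace).  A missing
# or unreadable file yields false instead of a grep error on stderr.
cfg_has() {
  _cfg=${2:-$SSHD_CONFIG}
  [ -r "$_cfg" ] && grep -Eq -- "^[[:space:]]*$1" "$_cfg"
}

# key_bits KEYFILE
# Prints the bit length that `ssh-keygen -l` reports for KEYFILE.  The
# world-readable KEYFILE.pub is preferred so the check also works without
# root; prints nothing when the fingerprint cannot be obtained.
key_bits() {
  if [ -r "$1.pub" ]; then
    _keyfile=$1.pub
  else
    _keyfile=$1
  fi
  ssh-keygen -l -f "$_keyfile" 2>/dev/null | awk '{print $1}'
}

# report_key LABEL KEYFILE
# Prints one " LABEL: ..." line describing KEYFILE: its size in bits, a note
# that the size could not be read (instead of an empty "  bits" field), or
# NOT FOUND when the file does not exist.
report_key() {
  if [ -f "$2" ]; then
    _bits=$(key_bits "$2")
    if [ -n "$_bits" ]; then
      printf ' %s: %s bits\n' "$1" "$_bits"
    else
      printf ' %s: present, size unknown\n' "$1"
    fi
  else
    printf ' %s: NOT FOUND\n' "$1"
  fi
}

echo "[*] Checking SSH security configuration..."

# Check host keys
echo "[*] Host keys:"
report_key RSA /etc/ssh/ssh_host_rsa_key
report_key Ed25519 /etc/ssh/ssh_host_ed25519_key

# Check configuration
echo "[*] Configuration:"
if [ ! -r "$SSHD_CONFIG" ]; then
  echo " $SSHD_CONFIG: NOT READABLE (configuration checks below will report negative results)"
fi
# DISABLED below means "not explicitly configured": per sshd_config(5) sshd
# falls back to its built-in default HostKey set when no HostKey line is given.
if cfg_has 'HostKey /etc/ssh/ssh_host_rsa_key'; then
  echo " RSA host key: ENABLED"
else
  echo " RSA host key: DISABLED"
fi
if cfg_has 'HostKey /etc/ssh/ssh_host_ed25519_key'; then
  echo " Ed25519 host key: ENABLED"
else
  echo " Ed25519 host key: DISABLED"
fi

# Check algorithms (presence of the preferred algorithm on an active line)
echo "[*] Algorithms:"
if cfg_has 'KexAlgorithms.*curve25519-sha256'; then
  echo " KexAlgorithms: SECURE"
else
  echo " KexAlgorithms: INSECURE"
fi
if cfg_has 'Ciphers.*chacha20-poly1305'; then
  echo " Ciphers: SECURE"
else
  echo " Ciphers: INSECURE"
fi
if cfg_has 'MACs.*hmac-sha2-256-etm'; then
  echo " MACs: SECURE"
else
  echo " MACs: INSECURE"
fi

echo "[*] Check completed"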