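#!/bin/sh
# Security check script for OpenSSH server configuration.
#
# Read-only audit of sshd's key exchange, cipher and MAC settings and of the
# host key sizes. Nothing on the system is modified.
#
# Where the settings come from (see load_config):
#   1. `sshd -T` when it succeeds: the effective configuration with Include
#      files and compiled-in defaults resolved. It normally needs root, since
#      sshd has to read the host keys to start in test mode.
#   2. Otherwise the raw file $SSHD_CONFIG (default /etc/ssh/sshd_config).
#      Only uncommented directives are read, Include is not followed and the
#      "+"/"-"/"^" default-list modifiers are not resolved, so an unset
#      directive is reported as "not verified" rather than assumed OK.
#
# A directive is reported OK only when the expected modern algorithm is listed
# AND no known-weak algorithm (SHA-1 KEX, CBC/arcfour ciphers, MD5/SHA-1/
# truncated MACs) is listed alongside it; the old presence-only grep reported
# OK even when weak algorithms were still enabled.
#
# Environment:
#   SSHD_CONFIG  path of the server config used in fallback mode.
#
# Output: one "[+]" (pass), "[!]" (warning) or "[*]" (progress) line per check.
set -eu

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

#######################################
# Print the configuration text to audit.
# Prefers `sshd -T` (effective config); falls back to the raw config file.
# Globals:   SSHD_CONFIG (read)
# Outputs:   config text to stdout
# Returns:   0 if some config was obtained, 1 if neither source is usable
#######################################
load_config() {
  # `sshd -T` fails without root (it cannot read the host keys); that is the
  # signal to fall back, so its stderr is deliberately discarded.
  if command -v sshd >/dev/null 2>&1 && _dump=$(sshd -T 2>/dev/null); then
    printf '%s\n' "$_dump"
    return 0
  fi
  if [ -r "$SSHD_CONFIG" ]; then
    cat <"$SSHD_CONFIG"
    return 0
  fi
  return 1
}

#######################################
# Print the value of one directive from config text.
# Arguments: $1 - directive name in lower case (as `sshd -T` prints it)
#            $2 - config text
# Outputs:   the directive's value, or nothing if it is not set
#######################################
directive_value() {
  # Comparing on the first field keeps commented lines ("#Ciphers ...") out,
  # tolower() handles both the raw file's mixed case and sshd -T's lower case,
  # and `exit` after the first hit mirrors sshd's first-occurrence-wins rule.
  printf '%s\n' "$2" | awk -v name="$1" 'tolower($1) == name { print $2; exit }'
}

#######################################
# Report on one comma-separated algorithm list directive.
# Arguments: $1 - label for output (e.g. KexAlgorithms)
#            $2 - directive name in lower case (e.g. kexalgorithms)
#            $3 - substring that must appear in at least one entry
#            $4 - extended regex matching known-weak entries
#            $5 - config text
# Outputs:   one "[+]" or "[!]" line to stdout
#######################################
check_algos() {
  _label=$1 _expected=$3 _weak=$4
  _value=$(directive_value "$2" "$5")
  if [ -z "$_value" ]; then
    printf '%s\n' "[!] $_label: WARNING - not set explicitly; compiled-in defaults not verified"
    return 0
  fi
  # Split on commas so the weak pattern is matched per entry; the trailing
  # comma from tr is stripped below. grep finding nothing is not an error here.
  _found_weak=$(printf '%s\n' "$_value" | tr ',' '\n' | grep -E -- "$_weak" | tr '\n' ',')
  _found_weak=${_found_weak%,}
  case ",$_value," in
    *"$_expected"*) _has_expected=1 ;;
    *) _has_expected=0 ;;
  esac
  if [ -n "$_found_weak" ]; then
    printf '%s\n' "[!] $_label: WARNING - weak algorithms listed: $_found_weak"
  elif [ "$_has_expected" -eq 0 ]; then
    printf '%s\n' "[!] $_label: WARNING - $_expected not listed"
  else
    printf '%s\n' "[+] $_label: OK"
  fi
}

#######################################
# Report whether a post-quantum hybrid key exchange is enabled.
# The previous version grepped the config for USE_SNTRUP761X25519 and
# USE_MLKEM768X25519 and called them weak. Those names are OpenSSH
# compile-time defines, not sshd_config directives, so the grep could never
# match, and the sntrup761/mlkem768 hybrids are the post-quantum (strongest)
# KEX options, not weak ones. This check looks at KexAlgorithms instead.
# Arguments: $1 - config text
# Outputs:   one "[+]" or "[!]" line to stdout
#######################################
check_pq_kex() {
  _kex=$(directive_value kexalgorithms "$1")
  if [ -z "$_kex" ]; then
    printf '%s\n' "[!] Post-quantum KEX: not verified - KexAlgorithms not set explicitly"
    return 0
  fi
  _pq=$(printf '%s\n' "$_kex" | tr ',' '\n' | grep -E -- 'sntrup761|mlkem768' | tr '\n' ',')
  _pq=${_pq%,}
  if [ -n "$_pq" ]; then
    printf '%s\n' "[+] Post-quantum KEX: $_pq (OK)"
  else
    printf '%s\n' "[!] Post-quantum KEX: WARNING - no sntrup761/mlkem768 hybrid listed"
  fi
}

#######################################
# Print the bit length ssh-keygen reports for a key file.
# Arguments: $1 - key file path
# Outputs:   the bit count, or nothing if the file is unreadable,
#            ssh-keygen is missing, or the file is not a key
#######################################
key_bits() {
  [ -r "$1" ] || return 0
  command -v ssh-keygen >/dev/null 2>&1 || return 0
  ssh-keygen -l -f "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

#######################################
# Report on one host key's size.
# Arguments: $1 - label (e.g. RSA)
#            $2 - key file path (silently skipped if absent)
#            $3 - minimum acceptable bit length
# Outputs:   one "[+]" or "[!]" line, or nothing if the file does not exist
#######################################
check_host_key() {
  [ -e "$2" ] || return 0
  _bits=$(key_bits "$2")
  # An empty or non-numeric size (unreadable file, no ssh-keygen) used to fall
  # through to `[ "" -ge N ]`, printing a shell error and a bogus "0 bits WEAK".
  case $_bits in
    ''|*[!0-9]*)
      printf '%s\n' "[!] $1 host key: present but size could not be read (needs root and ssh-keygen)"
      return 0
      ;;
  esac
  if [ "$_bits" -ge "$3" ]; then
    printf '%s\n' "[+] $1 host key: $_bits bits (OK)"
  else
    printf '%s\n' "[!] $1 host key: $_bits bits (WEAK - should be >= $3)"
  fi
}

#######################################
# Run all checks in order and print the summary lines.
#######################################
main() {
  printf '%s\n' "[*] Checking SSH security configuration..."
  if ! _config=$(load_config); then
    printf '%s\n' "[!] Cannot read $SSHD_CONFIG and sshd -T failed; skipping directive checks"
  else
    check_algos KexAlgorithms kexalgorithms curve25519-sha256 'sha1' "$_config"
    check_algos Ciphers ciphers chacha20-poly1305 'cbc|arcfour' "$_config"
    check_algos MACs macs hmac-sha2-256-etm 'md5|sha1|-96|umac-64' "$_config"
    check_pq_kex "$_config"
  fi
  check_host_key RSA /etc/ssh/ssh_host_rsa_key 4096
  # Ed25519 keys are always 256 bits; this mainly confirms the key is readable.
  check_host_key Ed25519 /etc/ssh/ssh_host_ed25519_key 256
  printf '%s\n' "[*] Security check completed"
}

main "$@"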