From 43d46206650d66b6c4c417211bcc4b5afd65d33e Mon Sep 17 00:00:00 2001
From: chunzhi
Date: Wed, 30 Apr 2025 10:38:37 -0400
Subject: [PATCH] =?UTF-8?q?=E4=B8=8A=E4=BC=A0=E6=96=87=E4=BB=B6=E8=87=B3?=
 =?UTF-8?q?=20/?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 setup-cloudflare-ssh-access.sh | 42 ++++++++++++++++++----------------
 1 file changed, 22 insertions(+), 20 deletions(-)

diff --git a/setup-cloudflare-ssh-access.sh b/setup-cloudflare-ssh-access.sh
index 6702cf5..153c5dc 100644
--- a/setup-cloudflare-ssh-access.sh
+++ b/setup-cloudflare-ssh-access.sh
@@ -18,10 +18,8 @@ TUNNEL_ID=""
 CREDENTIAL_FILE=""
 HOSTNAME=""
 SSO_USERNAME=""
-ACCOUNT_ID=""
-API_TOKEN=""
+CA_PUB_KEY=""
 TUNNEL_TOKEN=""
-CA_PUB_FILE=""
 INSTALL_METHOD="config" # 默认使用配置文件方式
 
 # 检查是否为root用户
@@ -46,7 +44,7 @@ print_usage() {
 echo -e " 3. 对于config方式: Tunnel ID 和凭证文件路径"
 echo -e " 4. 访问SSH的域名 (例如: terminal.mydomain.com)"
 echo -e " 5. 与SSO登录匹配的本地用户名"
- echo -e " 6. Cloudflare SSH证书文件路径"
+ echo -e " 6. Cloudflare SSH证书公钥(从Zero Trust控制台获取)"
 echo
 }
@@ -133,21 +131,25 @@ read_input() {
 exit 1
 fi
 
- # 获取SSH CA证书文件
- echo -e "${YELLOW}请输入Cloudflare SSH证书文件的路径:${NC}"
- echo -e "这是从Cloudflare Zero Trust控制台获取的SSH CA公钥文件"
- echo -e "在Zero Trust控制台 > Access > Service Auth > SSH 中找到并下载"
- read -p "> " CA_PUB_FILE
- if [ -z "$CA_PUB_FILE" ]; then
- echo -e "${RED}错误: 证书文件路径不能为空${NC}"
+ # 获取SSH CA公钥
+ echo -e "${YELLOW}请输入Cloudflare SSH证书公钥:${NC}"
+ echo -e "在Zero Trust控制台 > Access > Service Auth > SSH 中找到并复制"
+ echo -e "格式如: ecdsa-sha2-nistp256 AAAA... open-ssh-ca@cloudflareaccess.org"
+ read -p "> " CA_PUB_KEY
+ if [ -z "$CA_PUB_KEY" ]; then
+ echo -e "${RED}错误: 证书公钥不能为空${NC}"
 exit 1
 fi
 
- # 检查证书文件是否存在
- if [ ! -f "$CA_PUB_FILE" ]; then
- echo -e "${RED}错误: 证书文件 $CA_PUB_FILE 不存在!${NC}"
- echo -e "${RED}请确保文件路径正确。${NC}"
- exit 1
+ # 验证公钥格式
+ if [[ ! "$CA_PUB_KEY" =~ ^ecdsa-sha2-nistp256[[:space:]] ]]; then
+ echo -e "${YELLOW}警告: 公钥格式似乎不正确,应以'ecdsa-sha2-nistp256'开头${NC}"
+ echo -e "${YELLOW}确定要继续吗? [y/N]${NC}"
+ read -p "> " confirm_key
+ if [[ ! "$confirm_key" =~ ^[Yy]$ ]]; then
+ echo -e "${RED}操作已取消${NC}"
+ exit 1
+ fi
 fi
 
 # 显示摘要并确认
@@ -165,7 +167,7 @@ read_input() {
 
 echo -e "域名: $HOSTNAME"
 echo -e "用户名: $SSO_USERNAME"
- echo -e "SSH证书文件: $CA_PUB_FILE"
+ echo -e "SSH证书公钥: ${CA_PUB_KEY:0:30}..."
 echo -e "${GREEN}=====================================================${NC}"
 echo -e "${YELLOW}是否确认继续? [y/N]${NC}"
@@ -304,11 +306,11 @@ setup_short_lived_cert() {
 echo -e "${YELLOW}正在配置SSH使用Cloudflare短期证书...${NC}"
- # 复制证书文件到SSH配置目录
- cp "$CA_PUB_FILE" /etc/ssh/cloudflare-ca.pub
+ # 将公钥保存到SSH配置目录
+ echo "$CA_PUB_KEY" > /etc/ssh/cloudflare-ca.pub
 chmod 644 /etc/ssh/cloudflare-ca.pub
- echo -e "${GREEN}证书已复制至 /etc/ssh/cloudflare-ca.pub${NC}"
+ echo -e "${GREEN}证书公钥已保存至 /etc/ssh/cloudflare-ca.pub${NC}"
 # 更新SSH配置
 grep -q "^PubkeyAuthentication yes" /etc/ssh/sshd_config || echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
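Review bot: The new format check `if [[ ! "$CA_PUB_KEY" =~ ^ecdsa-sha2-nistp256[[:space:]] ]]` only matches the algorithm name and can be overridden with `y`, so a truncated or mangled paste that starts correctly is accepted unparsed, and that value later becomes the CA sshd trusts for every login this script configures. Parsing the pasted line with `ssh-keygen -lf` before accepting it rejects anything OpenSSH cannot load, prints the fingerprint the operator can compare with the Zero Trust console, and does not depend on the CA being of one key type, so the prefix match can stay as the softer warning it is. The `read -p "> " CA_PUB_KEY` line should also use `read -r` so a backslash in the paste is kept verbatim. read_input() starts before this hunk and continues after it.
```shell
    read -r -p "> " CA_PUB_KEY
    # … unchanged: empty-input check …
    # Reject input OpenSSH cannot parse; this line ends up in TrustedUserCAKeys.
    if ! printf '%s\n' "$CA_PUB_KEY" | ssh-keygen -lf /dev/stdin >/dev/null 2>&1; then
        echo -e "${RED}错误: 无法解析为有效的OpenSSH公钥,请重新从Zero Trust控制台复制${NC}"
        exit 1
    fi
    # … unchanged: ecdsa-sha2-nistp256 prefix warning and confirmation …
```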
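Review bot: The summary line `echo -e "SSH证书公钥: ${CA_PUB_KEY:0:30}..."` gives the operator nothing to verify against: for an `ecdsa-sha2-nistp256` key the first 30 characters are the algorithm name plus the start of the base64-encoded key-type header, which is identical for every key of that type. Showing the fingerprint instead, e.g. `echo -e "SSH证书公钥指纹: $(printf '%s\n' "$CA_PUB_KEY" | ssh-keygen -lf /dev/stdin)"`, lets the operator compare it with the value in the Zero Trust console before confirming. read_input() starts before this hunk and continues after it.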
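Review bot: `echo "$CA_PUB_KEY" > /etc/ssh/cloudflare-ca.pub` hands operator-supplied text to echo as arguments, so a value beginning with `-n` or `-e` (reachable once the format warning is overridden) is consumed as an option, and with `xpg_echo` or a non-bash `sh` backslash sequences would be expanded; `printf '%s\n' "$CA_PUB_KEY" > /etc/ssh/cloudflare-ca.pub` writes the line verbatim. Since this file is the CA sshd will trust for every login, printing its fingerprint after the save, e.g. `ssh-keygen -lf /etc/ssh/cloudflare-ca.pub`, next to the existing success message gives the operator a record of which key was installed. setup_short_lived_cert() starts before this hunk and continues after it.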