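# ============================================================================
# 00 — Enable OpenSSH Server on Windows Server
#
# USAGE:
#   1. RDP into the VPS (103.124.94.58:3389)
#   2. Open PowerShell AS ADMINISTRATOR
#   3. Copy-paste this ENTIRE file into PowerShell and press Enter
#   4. Wait ~1 minute; the script prints "DONE" when it finishes
#   5. Report back to the dev to test SSH
#
# The script is idempotent — running it several times is fine.
#
# What it changes on this host:
#   - installs the OpenSSH.Server capability, starts sshd (+ ssh-agent) and
#     sets both to auto-start
#   - adds/enables the inbound TCP/22 firewall rule 'OpenSSH-Server-In-TCP'
#   - sets HKLM:\SOFTWARE\OpenSSH\DefaultShell to powershell.exe
#   - appends ONE embedded public key to
#     C:\ProgramData\ssh\administrators_authorized_keys and restricts that
#     file to Administrators + SYSTEM (sshd rejects the file otherwise)
#
# NOTE: sshd_config is left at its defaults, so password logins for
# Administrator stay enabled next to the key. Once key login is confirmed,
# set "PasswordAuthentication no" in C:\ProgramData\ssh\sshd_config and
# restart sshd — port 22 on this VPS is reachable from the internet.
# ============================================================================

#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'
$ProgressPreference = 'SilentlyContinue'

# Problems found along the way. They are repeated in the final banner so a
# [FAIL]/[WARN] line cannot scroll past unnoticed above a green "DONE".
$problems = @()

Write-Host ""
Write-Host "=========================================================" -ForegroundColor Cyan
Write-Host " DYD — Enable OpenSSH Server on Windows" -ForegroundColor Cyan
Write-Host "=========================================================" -ForegroundColor Cyan

# --- 1. Install OpenSSH Server capability ---
Write-Host ""
Write-Host "[1/6] Install OpenSSH.Server capability ..." -ForegroundColor Yellow
$cap = Get-WindowsCapability -Online |
    Where-Object Name -like 'OpenSSH.Server*' |
    Select-Object -First 1
if (-not $cap) {
    # Without this guard the next step would call Add-WindowsCapability -Name $null.
    throw "OpenSSH.Server capability is not available on this Windows build."
}
if ($cap.State -ne 'Installed') {
    $install = Add-WindowsCapability -Online -Name $cap.Name
    Write-Host " [OK] Installed" -ForegroundColor Green
    if ($install.RestartNeeded) {
        Write-Host " [WARN] Windows reports a restart is needed to finish the install" -ForegroundColor Yellow
        $problems += 'OpenSSH.Server install needs a restart'
    }
}
else {
    Write-Host " [OK] Already installed" -ForegroundColor Green
}

# --- 2. Start sshd + auto-start ---
Write-Host ""
Write-Host "[2/6] Start sshd service ..." -ForegroundColor Yellow
# StartupType first: Start-Service fails on a service that is still Disabled.
Set-Service -Name sshd -StartupType Automatic
Start-Service sshd
# ssh-agent is optional (only used if this host itself acts as an SSH client
# with keys); it is not required for incoming logins.
Set-Service -Name ssh-agent -StartupType Automatic
Start-Service ssh-agent -ErrorAction SilentlyContinue
Write-Host " [OK] sshd running, auto-start enabled" -ForegroundColor Green

# --- 3. Firewall rule port 22 ---
Write-Host ""
Write-Host "[3/6] Firewall rule port 22 ..." -ForegroundColor Yellow
$ruleName = 'OpenSSH-Server-In-TCP'
$rule = Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -Name $ruleName `
        -DisplayName 'OpenSSH SSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow `
        -LocalPort 22 | Out-Null
    Write-Host " [OK] Firewall rule created" -ForegroundColor Green
}
else {
    Enable-NetFirewallRule -Name $ruleName
    Write-Host " [OK] Firewall rule enabled" -ForegroundColor Green
}

# --- 4. Set DefaultShell = PowerShell (instead of cmd) ---
Write-Host ""
Write-Host "[4/6] Set DefaultShell = PowerShell ..." -ForegroundColor Yellow
$sshRegKey = 'HKLM:\SOFTWARE\OpenSSH'
if (-not (Test-Path $sshRegKey)) {
    # sshd normally creates this key on its first start; New-ItemProperty -Force
    # does not create a missing parent key, so create it here.
    New-Item -Path $sshRegKey -Force | Out-Null
}
New-ItemProperty -Path $sshRegKey `
    -Name DefaultShell `
    -Value 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -PropertyType String -Force | Out-Null
Write-Host " [OK] DefaultShell set to PowerShell" -ForegroundColor Green

# --- 5. Add dev machine public key to authorized_keys ---
Write-Host ""
Write-Host "[5/6] Add dev public key ..." -ForegroundColor Yellow

# === EMBEDDED PUBLIC KEY — never commit the private key ===
$PublicKey = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/SmlEVa41JmeIAwQOtEkdzUo1BLPJbJ+oDqDYm1ywQ dyd-vps-deploy-20260415'

# Refuse anything that is not a single OpenSSH public-key line. This catches a
# private key or a whole file pasted into $PublicKey by mistake before it is
# written to disk.
$keyParts = $PublicKey.Trim() -split '\s+'
if ($PublicKey -match 'PRIVATE KEY' -or
    $keyParts.Count -lt 2 -or
    $keyParts[0] -notmatch '^(sk-)?(ssh|ecdsa)-' -or
    $keyParts[1] -notmatch '^[A-Za-z0-9+/=]+$') {
    throw "PublicKey is not a single OpenSSH public-key line; refusing to write it."
}
$keyBlob = $keyParts[1]

# For accounts in the Administrators group sshd reads
# C:\ProgramData\ssh\administrators_authorized_keys
# (NOT ~/.ssh/authorized_keys)
$authFile = 'C:\ProgramData\ssh\administrators_authorized_keys'

# Ensure the directory exists
$authDir = Split-Path $authFile
if (-not (Test-Path $authDir)) {
    New-Item -ItemType Directory -Path $authDir -Force | Out-Null
}

# sshd needs the file as UTF-8 WITHOUT a BOM. Windows PowerShell's
# Add-Content -Encoding UTF8 writes a BOM when it creates the file, which
# corrupts the first key line, so the file is handled through .NET instead.
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)
$raw = ''
if (Test-Path $authFile) {
    $bytes = [System.IO.File]::ReadAllBytes($authFile)
    $raw = [System.IO.File]::ReadAllText($authFile)   # strips a BOM if present
    $hasBom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF
    if ($hasBom) {
        # Repair a file written by an earlier run that used Add-Content -Encoding UTF8.
        [System.IO.File]::WriteAllText($authFile, $raw, $utf8NoBom)
        Write-Host " [OK] Removed UTF-8 BOM from existing authorized_keys file" -ForegroundColor Green
    }
}

# Append the key if it is not there yet (idempotent). Keys are compared on the
# base64 blob only, so a changed comment does not produce a duplicate entry.
$present = ($raw -split "`r?`n") |
    Where-Object { ($_ -split '\s+')[1] -eq $keyBlob }
if (-not $present) {
    # Make sure the previous line is terminated so the key starts on its own line.
    $prefix = if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { "`n" } else { '' }
    [System.IO.File]::AppendAllText($authFile, $prefix + $PublicKey.Trim() + "`n", $utf8NoBom)
    Write-Host " [OK] Public key added" -ForegroundColor Green
}
else {
    Write-Host " [OK] Public key already present" -ForegroundColor Green
}

# Fix permissions — IMPORTANT: with inherited/wider ACLs sshd silently rejects the key.
# Only Administrators + SYSTEM may access the file. Well-known SIDs are used
# (S-1-5-32-544 = Administrators, S-1-5-18 = SYSTEM) so this also works on a
# localized Windows where the group is not called "Administrators".
& icacls.exe $authFile /inheritance:r /grant '*S-1-5-32-544:F' /grant '*S-1-5-18:F' | Out-Null
if ($LASTEXITCODE -ne 0) {
    # Native commands are not covered by $ErrorActionPreference; check explicitly.
    throw "icacls failed with exit code $LASTEXITCODE while locking down $authFile"
}
Write-Host " [OK] Permission locked (Admin + SYSTEM only)" -ForegroundColor Green

# --- 6. Verify ---
Write-Host ""
Write-Host "[6/6] Verify ..." -ForegroundColor Yellow

$sshd = Get-Service sshd
if ($sshd.Status -eq 'Running') {
    Write-Host " [OK] sshd: Running" -ForegroundColor Green
}
else {
    Write-Host " [FAIL] sshd: $($sshd.Status)" -ForegroundColor Red
    $problems += "sshd service is $($sshd.Status)"
}

# Test listener
$listening = Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue
if ($listening) {
    Write-Host " [OK] Port 22: listening on $($listening[0].LocalAddress)" -ForegroundColor Green
}
else {
    Write-Host " [WARN] Port 22: not listening (may need restart)" -ForegroundColor Yellow
    $problems += 'port 22 is not listening'
}

# Test firewall
$fw = Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue
if ($fw -and $fw.Enabled -eq 'True') {
    Write-Host " [OK] Firewall: allowed" -ForegroundColor Green
}
else {
    Write-Host " [FAIL] Firewall: rule '$ruleName' missing or disabled" -ForegroundColor Red
    $problems += "firewall rule '$ruleName' missing or disabled"
}

# --- DONE ---
Write-Host ""
if ($problems.Count -eq 0) {
    Write-Host "=========================================================" -ForegroundColor Green
    Write-Host " DONE — SSH server ready" -ForegroundColor Green
    Write-Host "=========================================================" -ForegroundColor Green
}
else {
    # Same "DONE" marker the usage notes promise, but make the failures visible.
    Write-Host "=========================================================" -ForegroundColor Yellow
    Write-Host " DONE — but with problems, SSH may not work yet:" -ForegroundColor Yellow
    foreach ($p in $problems) { Write-Host "  - $p" -ForegroundColor Yellow }
    Write-Host "=========================================================" -ForegroundColor Yellow
}
Write-Host ""
Write-Host "Dev machine can now connect:"
Write-Host " ssh -i ~/.ssh/dyd_vps Administrator@103.124.94.58" -ForegroundColor Yellow
Write-Host ""
Write-Host "Test từ máy dev:"
Write-Host " ssh -i ~/.ssh/dyd_vps Administrator@103.124.94.58 hostname" -ForegroundColor Yellow
Write-Host ""
Write-Host "[!] Nếu đổi ý muốn disable SSH sau, chạy:"
Write-Host " Stop-Service sshd; Set-Service sshd -StartupType Disabled"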