A single shell script to generate SSH keys, deploy them to remote hosts, and harden the local SSH daemon. Zero dependencies beyond bash and coreutils.
- keygen: Generates a strong Ed25519 key pair with 100 key derivation rounds
- deploy: Copies your public key to a remote host via SSH pipe
- harden: Locks down sshd_config (disables password auth, restricts root login, sets modern algorithms)
- status: Shows a quick summary of SSH configuration, keys, and backups
- rollback: Restores sshd_config from the most recent backup
- dry-run: Preview every change before committing to it
- custom port: Optionally relocate the SSH listening port during hardening
No pip packages, no Node, no extra dependencies. Just Bash.
Tested on Debian, Ubuntu, Fedora, RHEL/Rocky/Alma, and Arch. Any Linux system with OpenSSH and systemd works.
Clone and make it executable:
git clone https://github.com/cappy-dev/ssh-quick-setup.git
cd ssh-quick-setup
chmod +x ssh-quick-setup.sh./ssh-quick-setup.sh keygen --comment "homelab"This creates ~/.ssh/id_ed25519 (private) and ~/.ssh/id_ed25519.pub (public). Ed25519 keys are shorter, faster, and at least as secure as RSA 3072.
./ssh-quick-setup.sh deploy 192.168.1.50 --user adminThis copies your public key to admin@192.168.1.50 so you can log in without a password.
sudo ./ssh-quick-setup.sh hardenThis makes the following changes to /etc/ssh/sshd_config:
PasswordAuthentication no(key-based auth required)PermitRootLogin prohibit-password(root can use keys, not passwords)PubkeyAuthentication yesChallengeResponseAuthentication noX11Forwarding no- Modern
KexAlgorithms(Curve25519 and SHA-512 groups) - Modern
Ciphers(ChaCha20-Poly1305 and AES-GCM) - Modern
MACs(HMAC-SHA-2 and UMAC in ETM mode)
./ssh-quick-setup.sh statusPrints the effective values of every security-relevant directive, lists your SSH keys, and counts backups.
./ssh-quick-setup.sh keygen [options]
./ssh-quick-setup.sh deploy HOST [options]
./ssh-quick-setup.sh harden [options]
./ssh-quick-setup.sh status
./ssh-quick-setup.sh rollback [options]
./ssh-quick-setup.sh help--key FILE: Use a specific private key file (default~/.ssh/id_ed25519)--port PORT: Bind SSH to a non-standard port during hardening--comment TEXT: Comment string for the generated key--user USER: Remote username for deploy (default: current user)--dry-run: Print every action without executing anything--yes, -y: Skip all confirmation prompts--help, -h: Show help text
./ssh-quick-setup.sh keygen --comment "me@laptop"./ssh-quick-setup.sh deploy web.example.com --user deploy --key ~/.ssh/id_deploysudo ./ssh-quick-setup.sh harden --port 2222Update your firewall after changing the port:
sudo ufw allow 2222/tcp
sudo firewall-cmd --add-port=2222/tcp --permanent && sudo firewall-cmd --reloadsudo ./ssh-quick-setup.sh harden --dry-runEvery change prints as a [DRY] line and nothing is modified.
sudo ./ssh-quick-setup.sh rollbackRestores the most recent backup from /etc/ssh/backups/ and reloads sshd.
./ssh-quick-setup.sh deploy 10.0.0.5 --user deploy --yes- Automatic backup: Before hardening, the script copies
sshd_configto/etc/ssh/backups/sshd_config.<timestamp>.bak - Syntax validation: After editing, the script runs
sshd -tto check config syntax. If it fails, the original config is restored immediately - Your session stays open: The script reloads the service instead of restarting, so your active SSH session is never dropped
- Dry-run everywhere: Every command respects
--dry-run, so you can inspect the full plan beforehand
After hardening:
- Password authentication is disabled. You must use SSH keys.
- Root login requires keys. Password login is blocked.
- Only modern key exchange and cipher algorithms are allowed.
- X11 forwarding is disabled by default.
- Keep your current session open when testing changes.
- If you lose access, run
rollbackto restore the previous config.
MIT