From a07fd6c70ec0f44f8d515daca6344772410af59b Mon Sep 17 00:00:00 2001 From: dingenbohs Date: Wed, 29 Oct 2025 22:21:27 +0000 Subject: [PATCH] Update 'k3os-ipconfig.sh'
---
 k3os-ipconfig.sh | 130 +++++++++++++++++++++++++++++------------------ 1 file changed, 80 insertions(+), 50 deletions(-)
diff --git a/k3os-ipconfig.sh b/k3os-ipconfig.sh
index 92c0e89..a9148e4 100644
--- a/k3os-ipconfig.sh
+++ b/k3os-ipconfig.sh
@@ -1,60 +1,90 @@
 #!/bin/bash
-# --- k3OS Automated Static IP Configuration Script ---
+# Define constants
+SSH_CONFIG_FILE="/etc/ssh/sshd_config"
+AUTH_LINE="PasswordAuthentication"
-# Check if the script is run as root
-if [ "$EUID" -ne 0 ]; then
- echo "Please run this script with sudo."
- exit 1
-fi
+# --- Function to check the current state ---
+get_current_state() {
+ # Using -E for extended regular expressions instead of -P for broader compatibility
+
+ # 1. Use grep to find the line, including commented lines
+ # 2. Use sed to remove leading/trailing whitespace and the setting name
+ # 3. Use tr to convert to lowercase for reliable comparison
+ CURRENT_STATE=$(grep -iE "^\s*#?\s*${AUTH_LINE}\s+" "$SSH_CONFIG_FILE" 2>/dev/null | \
+ sed -E "s/^\s*#?\s*${AUTH_LINE}\s*//" | \
+ tr '[:upper:]' '[:lower:]' | \
+ head -n 1)
+
+ # If the line is not found, or is commented out/blank, default to 'no' (SSH default security)
+ if [[ -z "$CURRENT_STATE" || "$CURRENT_STATE" == "no" ]]; then
+ echo "no"
+ elif [[ "$CURRENT_STATE" == "yes" ]]; then
+ echo "yes"
+ else
+ # Handle cases where the setting is missing or invalid. Check for an explicit 'no'.
+ if grep -qE "^\s*${AUTH_LINE}\s+no" "$SSH_CONFIG_FILE" 2>/dev/null; then
+ echo "no"
+ else
+ echo "no" # Defaulting to the most secure setting if not explicitly 'yes'
+ fi
+ fi
+}
-echo "--- Static IP Configuration for k3OS ---"
+# --- Main Toggler Logic ---
-# --- 1. Automatically Detect Network Interface ---
-# The primary interface is typically the one associated with the default gateway.
-IFACE=$(ip route | grep default | awk '{print $5}' | head -n 1)
+current=$(get_current_state)
-if [ -z "$IFACE" ]; then
- echo "Error: Could not automatically detect a primary network interface."
- echo "Please identify the correct interface name (e.g., eth0, enp0s3) and run the script again."
- exit 1
+if [ "$current" == "yes" ]; then
+ NEW_STATE="no"
+ ACTION="DISABLE"
+ WARNING="WARNING: This will DISABLE password authentication and only allow SSH keys!"
+elif [ "$current" == "no" ]; then
+ NEW_STATE="yes"
+ ACTION="ENABLE"
+ WARNING="DANGER: This will ENABLE password authentication, increasing brute-force risk!"
+else
+ echo "Error: Could not determine current state of $AUTH_LINE."
+ exit 1
 fi
-echo "Automatically detected primary interface: $IFACE"
-echo ""
-
-# --- 2. Prompt for IP Details ---
-read -p "Enter the Static IPv4 Address (e.g., 192.168.1.100): " IP_ADDR
-read -p "Enter the Netmask (e.g., 255.255.255.0): " NETMASK
-read -p "Enter the Gateway IP Address (e.g., 192.168.1.1): " GATEWAY
-read -p "Enter the Nameserver (e.g., 1.1.1.1 8.8.8.8): " NAMESERVERS
-
-# --- 3. Format ConnMan IPv4 String ---
-# ConnMan's IPv4 format: //
-IPV4_CONFIG="${IP_ADDR}/${NETMASK}/${GATEWAY}"
-
-# --- 4. Generate and Write Configuration File ---
-CONFIG_FILE="/var/lib/connman/default.config"
-
-# Create the file content
-CONNMAN_CONFIG="[service_${IFACE}]
-Type=ethernet
-IPv4=${IPV4_CONFIG}
-IPv6=off
-Nameservers=${NAMESERVERS}"
-echo ""
-echo "--- Generated Configuration ---"
-echo "$CONNMAN_CONFIG"
-echo "-------------------------------"
-
-# Write to the file
-echo "$CONNMAN_CONFIG" | sudo tee "$CONFIG_FILE" > /dev/null
-
-if [ $? -eq 0 ]; then
- echo "Successfully wrote static IP configuration for **$IFACE** to $CONFIG_FILE"
- echo "You must now **reboot** the system for the changes to take effect."
- echo " (Run: 'sudo reboot')"
+echo "---"
+echo "Current state of ${AUTH_LINE} is: **$current**"
+echo "$WARNING"
+read -r -p "Do you want to $ACTION password authentication? (y/N): " response
+
+if [[ "$response" =~ ^([yY])$ ]]; then
+ echo "Applying changes..."
+
+ # Use 'sed' for safe, idempotent change with a backup
+ # 1. Substitute any existing line with the new one.
+ sudo sed -i.bak -E "s/^\s*#?\s*${AUTH_LINE}\s+(yes|no)/${AUTH_LINE} ${NEW_STATE}/" "$SSH_CONFIG_FILE"
+
+ # 2. If the line was missing or not matched (a rare edge case), ensure it is added
+ if ! grep -qE "^\s*${AUTH_LINE}\s+${NEW_STATE}" "$SSH_CONFIG_FILE" 2>/dev/null; then
+ echo "${AUTH_LINE} ${NEW_STATE}" | sudo tee -a "$SSH_CONFIG_FILE" > /dev/null
+ fi
+
+ # Restart the SSH service
+ echo "Restarting sshd to apply the new configuration..."
+ if command -v systemctl &> /dev/null; then
+ sudo systemctl restart sshd || sudo systemctl restart ssh
+ elif [ -f /etc/init.d/sshd ]; then
+ sudo /etc/init.d/sshd restart
+ else
+ echo "Error: Could not find a command to restart the SSH service. Please restart it manually."
+ exit 1
+ fi
+
+ # Final verification
+ new_current=$(get_current_state)
+ echo "Verification: New state of ${AUTH_LINE} is: **$new_current**"
+ if [ "$new_current" == "$NEW_STATE" ]; then
+ echo "SUCCESS: Configuration changed and service restarted."
+ else
+ echo "FAILURE: Configuration change failed to verify."
+ fi
+
 else
- echo "Error writing to $CONFIG_FILE."
+ echo "Action cancelled by user."
 fi
\ No newline at end of file
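Review bot: get_current_state reports "no" when PasswordAuthentication is absent from the file, but OpenSSH's built-in default for that directive is yes, and the `#?` in its grep also lets a commented-out `#PasswordAuthentication yes` be read as the live value, so the prompt and the final "SUCCESS" check can describe a state sshd is not in. Reading the effective configuration avoids both problems and also accounts for `Include` files and `Match` blocks, which the line appended by `tee -a` may not override because sshd keeps the first value it obtains: `sudo sshd -T 2>/dev/null | awk '$1 == "passwordauthentication" { print $2; exit }'`. Before the restart, `sudo sshd -t || exit 1` would stop a malformed file from taking the daemon down, and when NEW_STATE is "no" it is worth confirming that key-based login works first, since the restart is the point at which a remote operator can be locked out.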