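#!/usr/bin/env bash
# SSH-focused audit (hypervisor or guest).
#
# Read-only.  Prints the effective sshd configuration (`sshd -T`), the
# directives found in the on-disk config (main file plus sshd_config.d
# drop-ins), root's authorized_keys and the last few authentication
# failures.  Most inputs are only readable by root (host keys for sshd -T,
# /root/.ssh, the journal), so run it privileged for a complete picture; an
# unprivileged run gets a warning on stderr because empty sections would
# otherwise read as "nothing configured".
#
# Deliberately no `set -e`: every section is best-effort and a missing tool
# or unreadable file must not abort the remaining sections.
set -u

# `sshd -T` prints lowercase keywords; this is the subset worth showing.
readonly EFFECTIVE_KEYS='^(port|permitrootlogin|passwordauthentication|pubkeyauthentication|permitemptypasswords|maxauthtries|x11forwarding|allowtcpforwarding|gatewayports|permittunnel|usepam|kbdinteractiveauthentication) '
# Directives pulled from the on-disk files.  Leading whitespace is allowed so
# that directives indented under a `Match` block are not missed; Match and
# Include lines are shown too so the reader can place what follows them.
readonly CONFIG_KEYS='^[[:space:]]*(Port|PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|PermitEmptyPasswords|MaxAuthTries|AllowUsers|AllowGroups|X11Forwarding|Match|Include) '
readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly SSHD_CONFIG_D=/etc/ssh/sshd_config.d
readonly ROOT_AUTH_KEYS=/root/.ssh/authorized_keys
readonly AUTH_LOG=/var/log/auth.log
readonly LOG_TAIL=5

#######################################
# Print a section header.
# Arguments: $1 - title
#######################################
section() {
  printf '=== %s ===\n' "$1"
}

#######################################
# Print the FQDN, falling back to the short hostname.
#######################################
show_host() {
  hostname -f 2>/dev/null || hostname
}

#######################################
# Print selected lines of the running daemon's effective configuration.
# `sshd -T` has to read the host keys, so as non-root it usually fails; its
# stderr is silenced, which leaves this section empty rather than noisy.
#######################################
show_effective_config() {
  if ! command -v sshd >/dev/null 2>&1; then
    echo "sshd binary missing"
    return 0
  fi
  sshd -T 2>/dev/null | grep -E "$EFFECTIVE_KEYS" || true
}

#######################################
# Print selected directives from the on-disk sshd configuration.
# Drop-ins are included because sshd uses the first value it reads for most
# directives, so a drop-in included near the top of sshd_config can override
# what the main file says; `sshd -T` remains the authoritative view.
# Arguments: $1 - main config file (default: /etc/ssh/sshd_config)
#            $2 - drop-in directory  (default: /etc/ssh/sshd_config.d)
# Outputs:   matching lines; prefixed with the file name when more than one
#            file is read
#######################################
show_config_files() {
  local -r main_cfg=${1:-$SSHD_CONFIG}
  local -r dropin_dir=${2:-$SSHD_CONFIG_D}
  local -a files=()
  local f
  if [[ -r "$main_cfg" ]]; then
    files+=("$main_cfg")
  fi
  # An unmatched glob stays literal; the -r test filters it out.
  for f in "$dropin_dir"/*.conf; do
    if [[ -r "$f" ]]; then
      files+=("$f")
    fi
  done
  if (( ${#files[@]} == 0 )); then
    echo "no readable sshd config files"
    return 0
  fi
  # -i: sshd_config keywords are case-insensitive.
  if (( ${#files[@]} > 1 )); then
    grep -HiE -- "$CONFIG_KEYS" "${files[@]}" || true
  else
    grep -iE -- "$CONFIG_KEYS" "${files[0]}" || true
  fi
}

#######################################
# Count key entries in an authorized_keys file.
# `wc -l` would also count blank and comment lines, overstating the number
# of keys; this counts lines whose first non-blank character is not '#'.
# Arguments: $1 - authorized_keys file
# Outputs:   the count (0 when none)
#######################################
count_authorized_keys() {
  grep -cE -- '^[[:space:]]*[^#[:space:]]' "$1" 2>/dev/null || true
}

#######################################
# List the keys in an authorized_keys file, one " key: …" line each.
# Prefers ssh-keygen fingerprints (it understands the options/type/key/comment
# layout); when ssh-keygen is missing or yields nothing, falls back to the
# last field of each key line, which is the comment when present and the key
# material otherwise.
# Arguments: $1 - authorized_keys file
#######################################
list_authorized_keys() {
  local -r file=$1
  local listing=""
  if command -v ssh-keygen >/dev/null 2>&1; then
    listing=$(ssh-keygen -lf "$file" 2>/dev/null)
  fi
  if [[ -z "$listing" ]]; then
    listing=$(awk 'NF && $1 !~ /^#/ {print $NF}' "$file" 2>/dev/null)
  fi
  if [[ -n "$listing" ]]; then
    printf '%s\n' "$listing" | sed 's/^/ key: /'
  fi
  return 0
}

#######################################
# Report root's authorized_keys: entry count and per-key listing.
# As non-root, /root is normally not traversable, so the "not readable"
# wording covers both a missing file and one that cannot be read.
# Arguments: $1 - authorized_keys file (default: /root/.ssh/authorized_keys)
#######################################
show_root_authorized_keys() {
  local -r file=${1:-$ROOT_AUTH_KEYS}
  if [[ ! -r "$file" ]]; then
    echo "no $file (or not readable)"
    return 0
  fi
  printf '%s %s\n' "$(count_authorized_keys "$file")" "$file"
  list_authorized_keys "$file"
}

#######################################
# Print the last few sshd authentication failures from today's journal,
# falling back to /var/log/auth.log.
# The result is collected into a variable and tested for emptiness: a
# `… | tail || fallback` chain never reaches the fallback, because without
# pipefail the pipeline's status is tail's, which is 0 even on empty input.
#######################################
show_recent_auth_failures() {
  local found=""
  if command -v journalctl >/dev/null 2>&1; then
    found=$(journalctl -u ssh -u sshd --since today --no-pager 2>/dev/null \
      | grep -iE 'Failed|Invalid|refused' | tail -n "$LOG_TAIL")
  fi
  if [[ -z "$found" && -r "$AUTH_LOG" ]]; then
    found=$(grep -iE 'Failed|Invalid' "$AUTH_LOG" 2>/dev/null | tail -n "$LOG_TAIL")
  fi
  if [[ -n "$found" ]]; then
    printf '%s\n' "$found"
  else
    echo "no logs"
  fi
}

main() {
  if (( EUID != 0 )); then
    printf 'warning: not running as root; sshd -T, %s and the journal may be unreadable, so empty sections can be false negatives\n' \
      "$ROOT_AUTH_KEYS" >&2
  fi
  section "host"
  show_host
  section "sshd effective config"
  show_effective_config
  section "sshd_config (non-comment)"
  show_config_files
  section "authorized_keys (root)"
  show_root_authorized_keys
  section "recent ssh auth failures (today)"
  show_recent_auth_failures
}

main "$@"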