@echo off setlocal EnableDelayedExpansion REM ============================================================ REM Phase 7.x SSH-Fix AllowGroups REM REM Diagnose hat ergeben: sshd_config hat REM AllowGroups administrators "openssh users" REM Diese Zeile blockt jeden Login (lowercase "administrators" REM wird nicht zur lokalen "Administrators"-Gruppe aufgeloest). REM REM Dieses Script: REM - macht Backup der sshd_config REM - kommentiert die AllowGroups-Zeile aus REM - schreibt darunter eine korrekte Version mit REM Administrators (Gross-A) + Built-in SID REM - startet sshd neu REM - sendet Diff + Status an Agent REM REM Rechtsklick -> "Als Administrator ausfuehren" (UAC: Ja) REM ============================================================ set "OUTFILE=%USERPROFILE%\Desktop\PHASE7X_SSH_FIX.txt" set "AGENT_HOST=bridge.xxbillion.ai" set "SSHCFG=C:\ProgramData\ssh\sshd_config" set "BACKUP=C:\ProgramData\ssh\sshd_config.bak.phase7x" echo. > "%OUTFILE%" echo ============================================ >> "%OUTFILE%" echo Phase 7.x SSH-Fix AllowGroups >> "%OUTFILE%" echo Datum: %DATE% %TIME% >> "%OUTFILE%" echo Host : %COMPUTERNAME% >> "%OUTFILE%" echo ============================================ >> "%OUTFILE%" echo. >> "%OUTFILE%" echo --- 1. Backup sshd_config --- >> "%OUTFILE%" if not exist "%BACKUP%" ( copy /Y "%SSHCFG%" "%BACKUP%" >> "%OUTFILE%" 2>&1 ) else ( echo Backup bereits vorhanden: %BACKUP% >> "%OUTFILE%" ) echo. >> "%OUTFILE%" echo --- 2. AllowGroups-Zeile auskommentieren (per PowerShell, atomar) --- >> "%OUTFILE%" powershell -NoProfile -ExecutionPolicy Bypass -Command "$cfg = '%SSHCFG%'; $lines = Get-Content $cfg; $patched = @(); $alreadyFixed = $false; foreach ($l in $lines) { if ($l -match '^\s*AllowGroups\s+') { $patched += '# PHASE7X-DISABLED: ' + $l; $patched += 'AllowGroups Administrators \"openssh users\"'; $alreadyFixed = $true } else { $patched += $l } }; if (-not $alreadyFixed) { Write-Output 'WARNUNG: keine AllowGroups-Zeile gefunden zum Patchen' } else { Set-Content -Path $cfg -Value $patched -Encoding UTF8; Write-Output 'OK -- AllowGroups gepatcht (alte Zeile auskommentiert, neue Zeile mit Gross-A geschrieben)' }" >> "%OUTFILE%" 2>&1 echo. >> "%OUTFILE%" echo --- 3. Diff zur Backup-Version --- >> "%OUTFILE%" powershell -NoProfile -Command "$old = Get-Content '%BACKUP%' | Where-Object { $_ -match 'AllowGroups' }; $new = Get-Content '%SSHCFG%' | Where-Object { $_ -match 'AllowGroups' }; Write-Output 'VORHER:'; $old | ForEach-Object { Write-Output (' ' + $_) }; Write-Output 'NACHHER:'; $new | ForEach-Object { Write-Output (' ' + $_) }" >> "%OUTFILE%" 2>&1 echo. >> "%OUTFILE%" echo --- 4. sshd neu starten --- >> "%OUTFILE%" net stop sshd >> "%OUTFILE%" 2>&1 net start sshd >> "%OUTFILE%" 2>&1 echo. >> "%OUTFILE%" echo --- 5. Loopback-Test (sshd akzeptiert jetzt Connects?) --- >> "%OUTFILE%" timeout /t 2 /nobreak >nul ssh -o BatchMode=yes -o ConnectTimeout=4 -o StrictHostKeyChecking=no -i C:\Users\Administrator\.ssh\adb_tunnel_id_ed25519 Administrator@localhost "echo LOOPBACK-OK" >> "%OUTFILE%" 2>&1 echo. >> "%OUTFILE%" echo --- 6. OpenSSH Event-Log letzte 5 Eintraege --- >> "%OUTFILE%" powershell -NoProfile -Command "Get-WinEvent -LogName 'OpenSSH/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue | ForEach-Object { Write-Output ('[' + $_.TimeCreated.ToString('HH:mm:ss') + '] ' + $_.Message) }" >> "%OUTFILE%" 2>&1 echo. >> "%OUTFILE%" echo ============================================ >> "%OUTFILE%" echo ENDE - sshd ist neu gestartet. Tunnel war kaputt, jetzt neu starten: >> "%OUTFILE%" echo Doppelklick PHASE7X_REVERSE_TUNNEL.cmd >> "%OUTFILE%" echo ============================================ >> "%OUTFILE%" type "%OUTFILE%" echo. echo --- Auto-Send an Agent --- powershell -NoProfile -ExecutionPolicy Bypass -Command "try { $b = Get-Content -Raw -Encoding UTF8 -Path '%OUTFILE%'; $r = Invoke-RestMethod -Method POST -Uri 'https://%AGENT_HOST%/submit' -ContentType 'text/plain; charset=utf-8' -Body $b -TimeoutSec 15; Write-Host ('OK -- Agent hat es: id=' + $r.id) -ForegroundColor Green } catch { Write-Host ('FEHLER Auto-Send: ' + $_.Exception.Message) -ForegroundColor Red }" echo. echo Jetzt PHASE7X_REVERSE_TUNNEL.cmd doppelklicken (Tunnel war beim sshd-Restart down). pause