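@echo off
setlocal EnableDelayedExpansion

REM ============================================================
REM Phase 7.x SSH fix V2 -- full patch of sshd_config
REM
REM V1 only touched AllowGroups, but:
REM   - the "openssh users" group does not exist (can lock everyone out)
REM   - "Match Group administrators" (lowercase) was assumed to be inactive,
REM     so AuthorizedKeysFile for admins would not be loaded
REM
REM V2:
REM   - comment out AllowGroups entirely (anyone with a valid pubkey gets in)
REM   - Match Group administrators -> Match Group Administrators
REM   - validate the patched file with "sshd -T" BEFORE restarting and
REM     restore the backup if it does not parse (a broken sshd_config
REM     would otherwise leave sshd down and the tunnel unreachable)
REM   - restart sshd
REM   - loopback test
REM   The earlier plan also listed "point the default AuthorizedKeysFile
REM   at the admin file"; that was never implemented by this script and
REM   is not done here either.
REM
REM Must run elevated: it writes C:\ProgramData\ssh\sshd_config and
REM restarts the sshd service.
REM
REM NOTE(review): the stock Win32-OpenSSH sshd_config ships with the
REM lowercase "Match Group administrators"; if group matching is
REM case-insensitive (it appears to be) the case fix is a no-op. Section 7
REM prints the effective config for user=Administrator so this can be
REM confirmed from the report.
REM
REM SECURITY: dropping AllowGroups widens SSH access from one group to
REM every local account that has an authorized key, and to password
REM logins if PasswordAuthentication is still "yes" (section 7 shows
REM the effective value). "AllowGroups Administrators" would be the
REM narrower fix; reconsider before leaving this config in place.
REM ============================================================

set "OUTFILE=%USERPROFILE%\Desktop\PHASE7X_SSH_FIX_V2.txt"
set "AGENT_HOST=bridge.xxbillion.ai"
set "SSHCFG=C:\ProgramData\ssh\sshd_config"
set "BACKUP=C:\ProgramData\ssh\sshd_config.bak.phase7x.v2"
set "SSHD_EXE=C:\WINDOWS\System32\OpenSSH\sshd.exe"
set "ADMIN_KEY=C:\Users\Administrator\.ssh\adb_tunnel_id_ed25519"
REM 1 = patched config parsed cleanly; only then is sshd restarted.
set "CFG_OK=0"

REM "net session" only succeeds in an elevated shell; without elevation the
REM config write would fail half-way and "net stop sshd" would be denied.
net session >nul 2>&1
if errorlevel 1 (
    echo FEHLER: Bitte als Administrator ausfuehren - sshd_config und Dienst-Neustart brauchen Elevation.
    pause
    exit /b 1
)
if not exist "%SSHCFG%" (
    echo FEHLER: %SSHCFG% nicht gefunden.
    pause
    exit /b 1
)

echo. > "%OUTFILE%"
echo ============================================ >> "%OUTFILE%"
echo Phase 7.x SSH-Fix V2 — Voll-Patch >> "%OUTFILE%"
echo Datum: %DATE% %TIME% >> "%OUTFILE%"
echo Host : %COMPUTERNAME% >> "%OUTFILE%"
echo ============================================ >> "%OUTFILE%"
echo. >> "%OUTFILE%"

REM The backup is taken once and never overwritten, so a re-run still has
REM the pre-V2 file to roll back to. Without a backup nothing is touched.
echo --- 1. Backup --- >> "%OUTFILE%"
if not exist "%BACKUP%" copy /Y "%SSHCFG%" "%BACKUP%" >> "%OUTFILE%" 2>&1
if not exist "%BACKUP%" (
    echo FEHLER: Backup konnte nicht angelegt werden - Abbruch ohne Aenderung >> "%OUTFILE%"
    echo. >> "%OUTFILE%"
    goto :finish
)
echo. >> "%OUTFILE%"

REM Patch rules:
REM   - any AllowGroups line (commented or not) is disabled with a marker
REM   - "Match Group administrators" is matched CASE-SENSITIVELY (-cmatch);
REM     PowerShell's -match is case-insensitive and would also hit the
REM     already-fixed "Match Group Administrators" on a re-run, commenting
REM     it out and duplicating the Match line every time
REM   - an empty/unreadable config aborts (exit 2) instead of writing an
REM     empty file that sshd could not start with
REM   - written BOM-less through a temp file + Move-Item, so sshd never sees
REM     a half-written config (Set-Content -Encoding UTF8 on Windows
REM     PowerShell also prepends a BOM, which is best kept away from the
REM     first directive)
echo --- 2. Voll-Patch sshd_config (PowerShell) --- >> "%OUTFILE%"
powershell -NoProfile -ExecutionPolicy Bypass -Command "$cfg = '%SSHCFG%'; $lines = Get-Content -Path $cfg; if (-not $lines) { Write-Output 'ABBRUCH: sshd_config leer oder nicht lesbar - nichts geschrieben'; exit 2 }; $patched = New-Object System.Collections.Generic.List[string]; $patchedAllow = $false; $patchedMatch = $false; foreach ($l in $lines) { if ($l -match '^\s*#?\s*AllowGroups\s+') { $patched.Add('# PHASE7X-V2-DISABLED: ' + $l); $patchedAllow = $true; continue }; if ($l -cmatch '^\s*#?\s*Match\s+Group\s+administrators\b') { $patched.Add('# PHASE7X-V2-FIXED-CASE: ' + $l); $patched.Add('Match Group Administrators'); $patchedMatch = $true; continue }; $patched.Add($l) }; $tmp = $cfg + '.phase7x.tmp'; [System.IO.File]::WriteAllLines($tmp, $patched); Move-Item -Path $tmp -Destination $cfg -Force; Write-Output ('Patched AllowGroups: ' + $patchedAllow); Write-Output ('Patched Match Group: ' + $patchedMatch)" >> "%OUTFILE%" 2>&1
if errorlevel 1 (
    echo Patch abgebrochen - sshd_config unveraendert, kein Neustart >> "%OUTFILE%"
    echo. >> "%OUTFILE%"
    goto :diag
)
echo. >> "%OUTFILE%"

REM Validate before touching the service: "sshd -T" parses the file and
REM exits non-zero on a bad directive, so a typo never takes sshd down.
REM On failure the backup is put back and the restart is skipped.
echo --- 3. Config-Check mit sshd -T VOR dem Neustart --- >> "%OUTFILE%"
"%SSHD_EXE%" -T >nul 2>>"%OUTFILE%"
if errorlevel 1 (
    echo sshd -T FEHLGESCHLAGEN - Backup wird zurueckgespielt, sshd wird NICHT neu gestartet >> "%OUTFILE%"
    copy /Y "%BACKUP%" "%SSHCFG%" >> "%OUTFILE%" 2>&1
) else (
    set "CFG_OK=1"
    echo sshd -T OK - Config gueltig >> "%OUTFILE%"
)
echo. >> "%OUTFILE%"

echo --- 4. Diff: nur AllowGroups + Match-Zeilen --- >> "%OUTFILE%"
powershell -NoProfile -Command "$old = Get-Content '%BACKUP%' | Where-Object { $_ -match 'AllowGroups|Match.+Group|AuthorizedKeysFile' }; $new = Get-Content '%SSHCFG%' | Where-Object { $_ -match 'AllowGroups|Match.+Group|AuthorizedKeysFile' }; Write-Output 'VORHER:'; $old | ForEach-Object { Write-Output ('  ' + $_) }; Write-Output ''; Write-Output 'NACHHER:'; $new | ForEach-Object { Write-Output ('  ' + $_) }" >> "%OUTFILE%" 2>&1
echo. >> "%OUTFILE%"

echo --- 5. sshd-Restart --- >> "%OUTFILE%"
if not "%CFG_OK%"=="1" (
    echo uebersprungen - Config ungueltig, alte Config ist aktiv >> "%OUTFILE%"
    echo. >> "%OUTFILE%"
    goto :diag
)
REM Restarting sshd drops every active session, including the reverse
REM tunnel -- hence the reminder at the end to restart the tunnel.
net stop sshd >> "%OUTFILE%" 2>&1
net start sshd >> "%OUTFILE%" 2>&1
echo. >> "%OUTFILE%"

REM Loopback login with the admin tunnel key. StrictHostKeyChecking=no and
REM UserKnownHostsFile=NUL are tolerable ONLY because the peer is this
REM machine's own loopback; do not copy these options into the tunnel script.
echo --- 6. Loopback-Test mit Admin-Tunnel-Key (sollte jetzt OK sein) --- >> "%OUTFILE%"
timeout /t 2 /nobreak >nul
if not exist "%ADMIN_KEY%" (
    echo Key %ADMIN_KEY% fehlt - Loopback-Test uebersprungen >> "%OUTFILE%"
) else (
    ssh -o BatchMode=yes -o ConnectTimeout=4 -o StrictHostKeyChecking=no -o UserKnownHostsFile=NUL -i "%ADMIN_KEY%" Administrator@localhost "echo LOOPBACK-OK & hostname & whoami" >> "%OUTFILE%" 2>&1
)
echo. >> "%OUTFILE%"

:diag
REM "-C user=Administrator" makes sshd evaluate the Match blocks for that
REM user, so the values that really apply to the admin login are printed;
REM plain "sshd -T" shows only the global section. If the config contains
REM Match Address/Host blocks, sshd will insist on addr=/host= as well and
REM the error is shown in the report.
echo --- 7. Effektive sshd-Config fuer Administrator (sshd -T -C) --- >> "%OUTFILE%"
powershell -NoProfile -Command "$out = & '%SSHD_EXE%' -T -C user=Administrator 2>&1; if ($LASTEXITCODE -ne 0) { Write-Output 'sshd -T error:'; Write-Output $out } else { ($out | Where-Object { $_ -match '^(allowgroups|authorizedkeysfile|permitrootlogin|pubkeyauthentication|passwordauthentication)' }) | ForEach-Object { Write-Output ('  ' + $_) } }" >> "%OUTFILE%" 2>&1
echo. >> "%OUTFILE%"

echo --- 8. OpenSSH Event-Log letzte 8 Eintraege --- >> "%OUTFILE%"
powershell -NoProfile -Command "Get-WinEvent -LogName 'OpenSSH/Operational' -MaxEvents 8 -ErrorAction SilentlyContinue | ForEach-Object { Write-Output ('[' + $_.TimeCreated.ToString('HH:mm:ss') + '] ' + $_.Message) }" >> "%OUTFILE%" 2>&1
echo. >> "%OUTFILE%"

:finish
echo ============================================ >> "%OUTFILE%"
echo ENDE — Tunnel auch neu starten: Doppelklick PHASE7X_REVERSE_TUNNEL.cmd >> "%OUTFILE%"
echo ============================================ >> "%OUTFILE%"

type "%OUTFILE%"

echo.
echo --- Auto-Send an Agent ---
REM SECURITY: the report contains the hostname, the account the loopback
REM login runs as, the sshd_config diff and the last OpenSSH event-log
REM entries (client IPs, usernames, failure reasons). It is POSTed to an
REM external host over TLS with no client authentication -- anyone who
REM controls that endpoint learns how this box is reachable. Set
REM PHASE7X_NO_AUTOSEND=1 to keep the report local. TLS 1.2 is forced
REM because Windows PowerShell may otherwise offer older protocols.
if /i "%PHASE7X_NO_AUTOSEND%"=="1" (
    echo Auto-Send uebersprungen - PHASE7X_NO_AUTOSEND=1
    goto :done
)
powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; try { $b = Get-Content -Raw -Encoding UTF8 -Path '%OUTFILE%'; $r = Invoke-RestMethod -Method POST -Uri 'https://%AGENT_HOST%/submit' -ContentType 'text/plain; charset=utf-8' -Body $b -TimeoutSec 15; Write-Host ('OK -- Agent hat es: id=' + $r.id) -ForegroundColor Green } catch { Write-Host ('FEHLER Auto-Send: ' + $_.Exception.Message) -ForegroundColor Red }"

:done
echo.
echo Jetzt PHASE7X_REVERSE_TUNNEL.cmd doppelklicken (Tunnel war beim sshd-Restart down).
pause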
