diff --git a/ReadMe.md b/ReadMe.md
index 7484c22..51d9ad2 100644
--- a/ReadMe.md
+++ b/ReadMe.md
@@ -10,20 +10,64 @@ Then remove old key Store ssh key name for current period +## Settings files + +### `settings.ini` + +```ini +[Settings] +key_age=90 +server_list=server_list.csv +# if start with ~/ it will be replaced with $HOME +server_pem_folder=~/folder/to/admin/pems/ +server_pem_archive_folder=~/tolder/for/archive/pems/ +``` + +- key_age is in days, default is 90 +- server_lust is the file name where the servers and info is stored +- server_pem_folder is the location for the PEM files, eg in a ~/.ssh/ sub folder +- server_pem_archive_folder is thge location for the archive files, a sub folder will be created there + +### server_list fiel + +This file is semicolon ';' separated and not ',' as usual. The reason is that the authorization key settings block is comma separated + +- Sever: server name as to which to connect to +- Username: the username to use to connect +- Flag: currently not used +- Auth Key Settings: Optional settings block for the public key entry in the auth file + ## Scripts -### rotate-ssh-keys.sh +### `rotate-ssh-keys.sh` Will create a new key and deploy on the server and move the PEM part to the local SSH folder -### remove-old-ssh-keys.sh +Must have -g flag set to run + +### `remove-old-ssh-keys.sh` Will check in the previous ssh public key folder and remove this entry from the remote server +Must have -g flag set to run + ### Options +For both rotate and remove ssh key + - -h override single host name - -u override user name for a host - -f force key change +- -c force create new key even if old key exists - -n dry run +- -g flag for actual change call + +### `test-ssh-keys.sh` + +Test access to the server and print information + +Options are + +- -h override single host name +- -u override user name for a host
diff --git a/bin/remove-old-ssh-keys.sh b/bin/remove-old-ssh-keys.sh
index a6381f6..3bbd894 100755
--- a/bin/remove-old-ssh-keys.sh
+++ b/bin/remove-old-ssh-keys.sh
@@ -131,6 +131,8 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
 fi
 # flags: (not used at the moment)
 flags=$(echo "${line}" | cut -d "," -f 3);
+ # auth key settings (in front of auth key)
+ settings=$(echo "${line}" | cut -d "," -f 4);
 # ssh key names
 SSH_KEY_PUB_FILE="${hostname}_${username}.pem.pub";
 
diff --git a/bin/rotate-ssh-keys.sh b/bin/rotate-ssh-keys.sh
index 6da07bd..2fa6306 100755
--- a/bin/rotate-ssh-keys.sh
+++ b/bin/rotate-ssh-keys.sh
@@ -127,6 +127,7 @@ SSH="ssh -a -x";
 add_ssh_key() {
 AUTH_KEY_FILE="${1}";
 PUB_KEY_FILE="${2}";
+ AUTH_KEY_SETTINGS="${3}";
 RMV_CHATTR_I="chattr -i"
 ADD_CHATTR_I="chattr +i"
 RMV_CHMOD_UW="chmod u-w"
@@ -138,13 +139,20 @@ add_ssh_key() {
 # into a var as that would go through a pipe and not be visible
 # so we get the pub key file name and read it here
 pub_key=$(cat "${PUB_KEY_FILE}");
+ # if we have auth key settings, prefix them to the pub key
+ # Note that the check key "pub_key" ignores any prefixes, but we add with settings prefix
+ if [ ! -z "${AUTH_KEY_SETTINGS}" ]; then
+ pub_key_write="${AUTH_KEY_SETTINGS} ${pub_key}";
+ else
+ pub_key_write="${pub_key}";
+ fi
 INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
 if [ -f "${AUTH_KEY_FILE}" ] && ! grep "${pub_key}" "${AUTH_KEY_FILE}" >> /dev/null; then
 ${RMV_CHATTR_I} "${AUTH_KEY_FILE}";
 ${ADD_CHMOD_UW} "${AUTH_KEY_FILE}";
 { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> "${AUTH_KEY_FILE}" || exit 1; } &&
- echo "${pub_key}" >> "${AUTH_KEY_FILE}" || exit 1;
+ echo "${pub_key_write}" >> "${AUTH_KEY_FILE}" || exit 1;
 ${RMV_CHMOD_UW} "${AUTH_KEY_FILE}";
 ${ADD_CHATTR_I} "${AUTH_KEY_FILE}";
 fi;
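Review bot: `settings=$(echo "${line}" | cut -d "," -f 4);` splits on commas, but the README updated in this same commit says the server_list file is ';'-separated precisely because the auth key settings block is itself comma-separated, so a settings value holding more than one sshd key option would be truncated at its first comma (and if the file really uses ';', fields 1–3 would already be wrong). Either this should read `settings=$(echo "${line}" | cut -d ";" -f 4);` or the README needs correcting; the same `cut -d ","` is added for `auth_key_settings` in the rotate-ssh-keys.sh hunk at @@ -206,6 +215,8 @@. Independently, the loop shown in the hunk header iterates over the unquoted output of `cat … | sed 1d`, which word-splits on whitespace, so a settings block containing a space would be read as two separate records; a `while IFS= read -r line` loop over the file avoids that. The loop body continues outside the hunk, so whether `settings` is consumed later in remove-old-ssh-keys.sh cannot be seen here.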
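Review bot: `pub_key_write="${AUTH_KEY_SETTINGS} ${pub_key}"` is expanded into the remote command text by the unquoted here-doc, so the remote shell re-parses the settings string itself: double quotes in the settings block (which sshd requires around values such as `from="…"` or `command="…"`) are consumed by the remote `echo "${pub_key_write}"` and the entry lands in the authorized_keys file without them, and any other shell metacharacter in that CSV field is interpreted by the remote shell under the admin account rather than written literally. Escape the value once locally before it is embedded, e.g. `pub_key_write=$(printf '%q' "${AUTH_KEY_SETTINGS} ${pub_key}");` paired with `echo ${pub_key_write} >> "${AUTH_KEY_FILE}" || exit 1;` in the here-doc, so the remote side receives a single quoted literal (this assumes the remote login shell accepts bash-style backslash quoting, which the visible `[ … ]` script does not confirm). A smaller style point: `[ ! -z "${AUTH_KEY_SETTINGS}" ]` is conventionally written `[ -n "${AUTH_KEY_SETTINGS}" ]`. The add_ssh_key function continues outside the hunk.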
@@ -165,11 +173,12 @@ install_ssh_key() {
 USERNAME="${2}";
 PUB_KEY_FILE="${3}";
 AUTH_KEY_FILE="${4}";
+ AUTH_KEY_SETTINGS="${5}";
 echo "[.] Add to auth file: ${AUTH_KEY_FILE}";
 if [ ${DRY_RUN} -eq 0 ]; then
- ${SSH} "${USERNAME}"@"${HOSTNAME}" "$(add_ssh_key "${AUTH_KEY_FILE}" "${PUB_KEY_FILE}")"
+ ${SSH} "${USERNAME}"@"${HOSTNAME}" "$(add_ssh_key "${AUTH_KEY_FILE}" "${PUB_KEY_FILE}" "${AUTH_KEY_SETTINGS}")"
 else
- echo "${SSH} \"${USERNAME}\"@\"${HOSTNAME}\" \"\$(add_ssh_key \"${AUTH_KEY_FILE}\" \"${PUB_KEY_FILE}\")\"";
+ echo "${SSH} \"${USERNAME}\"@\"${HOSTNAME}\" \"\$(add_ssh_key \"${AUTH_KEY_FILE}\" \"${PUB_KEY_FILE}\" \"${AUTH_KEY_SETTINGS}\")\"";
 fi
 }
 
@@ -206,6 +215,8 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
 # flags: (not used at the moment)
 # Possible: U (add to .ssh/authorized_keys)
 flags=$(echo "${line}" | cut -d "," -f 3);
+ # auth key settings (in front of auth key)
+ auth_key_settings=$(echo "${line}" | cut -d "," -f 4);
 # name for the SSH key files
 SSH_KEY_FILE="${hostname}_${username}.pem";
 SSH_KEY_PUB_FILE="${hostname}_${username}.pem.pub";
@@ -276,10 +287,10 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
 # deploy public key to server
 if [[ ${ADMIN_USERS[@]} =~ $username ]]; then
 # - master admin file
- install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys--master";
+ install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys--master" "${auth_key_settings}";
 fi
 # - admin ssh config auth file
- install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys/${username}"
+ install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys/${username}" "${auth_key_settings}";
 if [ ${NEW_KEY_CREATED} -eq 1 ]; then
 # - copy local PEM file to archive folder
 if [ -f "${PEM_SERVER}${SSH_KEY_FILE}" ]; then
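Review bot: `[[ ${ADMIN_USERS[@]} =~ $username ]]`, which gates the new master-file `install_ssh_key … "${auth_key_settings}"` call, is a regex substring match against the joined array, so a username that is a substring of an admin name (or that contains regex metacharacters) passes as an admin and has its key deployed into `/etc/ssh/authorized_keys--master`. An exact membership test avoids that: `is_admin=0; for admin in "${ADMIN_USERS[@]}"; do [[ "${admin}" == "${username}" ]] && is_admin=1; done` followed by `if [ ${is_admin} -eq 1 ]; then`. The check itself predates this commit, but the commit changes what is written into the master file, so it is worth tightening alongside. The enclosing for-loop starts and ends outside the hunk.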