Add settings block to ssh public key in auth file, ReadMe file update

This commit is contained in:
Clemens Schwaighofer
2024-05-20 10:03:57 +09:00
parent 65a235b152
commit 043a16f397
3 changed files with 64 additions and 7 deletions


@@ -131,6 +131,8 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
fi
# flags: (not used at the moment)
flags=$(echo "${line}" | cut -d "," -f 3);
# auth key settings (in front of auth key)
settings=$(echo "${line}" | cut -d "," -f 4);
# ssh key names
SSH_KEY_PUB_FILE="${hostname}_${username}.pem.pub";
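Review bot: The new `cut -d "," -f 4` keeps only the fourth comma-separated field, but an authorized_keys options block is itself comma-separated (`no-pty,no-port-forwarding,command="..."`), so everything after the first option is silently dropped and a restriction list degrades to its first entry. Taking the field through end of line, `settings=$(echo "${line}" | cut -d "," -f 4-);`, keeps the whole block as long as the settings column is the last one in the server list; the same applies to `auth_key_settings` in the second file's hunk at line 215. The loop this hunk belongs to starts and ends outside the hunk, and `settings` is assigned here but not referenced in the visible lines, so whether it is consumed later could not be checked.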


@@ -127,6 +127,7 @@ SSH="ssh -a -x";
add_ssh_key() {
AUTH_KEY_FILE="${1}";
PUB_KEY_FILE="${2}";
AUTH_KEY_SETTINGS="${3}";
RMV_CHATTR_I="chattr -i"
ADD_CHATTR_I="chattr +i"
RMV_CHMOD_UW="chmod u-w"
@@ -138,13 +139,20 @@ add_ssh_key() {
# into a var as that would go through a pipe and not be visible
# so we get the pub key file name and read it here
pub_key=$(cat "${PUB_KEY_FILE}");
# if we have auth key settings, prefix them to the pub key
# Note that the check key "pub_key" ignores any prefixes, but we add with settings prefix
if [ ! -z "${AUTH_KEY_SETTINGS}" ]; then
pub_key_write="${AUTH_KEY_SETTINGS} ${pub_key}";
else
pub_key_write="${pub_key}";
fi
INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
if [ -f "${AUTH_KEY_FILE}" ] && ! grep "${pub_key}" "${AUTH_KEY_FILE}" >> /dev/null; then
${RMV_CHATTR_I} "${AUTH_KEY_FILE}";
${ADD_CHMOD_UW} "${AUTH_KEY_FILE}";
{ [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] ||
echo >> "${AUTH_KEY_FILE}" || exit 1; } &&
echo "${pub_key}" >> "${AUTH_KEY_FILE}" || exit 1;
echo "${pub_key_write}" >> "${AUTH_KEY_FILE}" || exit 1;
${RMV_CHMOD_UW} "${AUTH_KEY_FILE}";
${ADD_CHATTR_I} "${AUTH_KEY_FILE}";
fi;
@@ -165,11 +173,12 @@ install_ssh_key() {
USERNAME="${2}";
PUB_KEY_FILE="${3}";
AUTH_KEY_FILE="${4}";
AUTH_KEY_SETTINGS="${5}";
echo "[.] Add to auth file: ${AUTH_KEY_FILE}";
if [ ${DRY_RUN} -eq 0 ]; then
${SSH} "${USERNAME}"@"${HOSTNAME}" "$(add_ssh_key "${AUTH_KEY_FILE}" "${PUB_KEY_FILE}")"
${SSH} "${USERNAME}"@"${HOSTNAME}" "$(add_ssh_key "${AUTH_KEY_FILE}" "${PUB_KEY_FILE}" "${AUTH_KEY_SETTINGS}")"
else
echo "${SSH} \"${USERNAME}\"@\"${HOSTNAME}\" \"\$(add_ssh_key \"${AUTH_KEY_FILE}\" \"${PUB_KEY_FILE}\")\"";
echo "${SSH} \"${USERNAME}\"@\"${HOSTNAME}\" \"\$(add_ssh_key \"${AUTH_KEY_FILE}\" \"${PUB_KEY_FILE}\" \"${AUTH_KEY_SETTINGS}\")\"";
fi
}
@@ -206,6 +215,8 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
# flags: (not used at the moment)
# Possible: U (add to .ssh/authorized_keys)
flags=$(echo "${line}" | cut -d "," -f 3);
# auth key settings (in front of auth key)
auth_key_settings=$(echo "${line}" | cut -d "," -f 4);
# name for the SSH key files
SSH_KEY_FILE="${hostname}_${username}.pem";
SSH_KEY_PUB_FILE="${hostname}_${username}.pem.pub";
@@ -276,10 +287,10 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
# deploy public key to server
if [[ ${ADMIN_USERS[@]} =~ $username ]]; then
# - master admin file
install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys--master";
install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys--master" "${auth_key_settings}";
fi
# - admin ssh config auth file
install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys/${username}"
install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys/${username}" "${auth_key_settings}";
if [ ${NEW_KEY_CREATED} -eq 1 ]; then
# - copy local PEM file to archive folder
if [ -f "${PEM_SERVER}${SSH_KEY_FILE}" ]; then
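Review bot: In add_ssh_key (hunk at line 139) the settings prefix is embedded verbatim in the script sent over ssh, `echo "${pub_key_write}" >> "${AUTH_KEY_FILE}" || exit 1;`, inside an unquoted here-doc; authorized_keys options routinely contain double quotes (`command="..."`, `from="..."`), which end the remote echo's quoting and are stripped by the remote shell, so the line written to the auth file is not the one from the server list, and any `$` or backtick in the settings is expanded locally when the here-doc is built. Shell-quoting the value before it is embedded covers both cases: after the if/else add `pub_key_write=$(printf '%q' "${pub_key_write}")` and change the here-doc line to `echo ${pub_key_write} >> "${AUTH_KEY_FILE}" || exit 1;` (for printable input `%q` emits only backslash escapes, which a POSIX remote shell accepts). The duplicate check `grep "${pub_key}"` is unaffected, since it deliberately ignores the prefix. The function's closing brace for that hunk is outside the hunk.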