Add settings block to ssh public key in auth file, ReadMe file update
48
ReadMe.md
48
ReadMe.md
@@ -10,20 +10,64 @@ Then remove old key
|
|||||||
|
|
||||||
Store ssh key name for current period
|
Store ssh key name for current period
|
||||||
|
|
||||||
|
## Settings files
|
||||||
|
|
||||||
|
### `settings.ini`
|
||||||
|
|
||||||
|
```ini
|
||||||
|
[Settings]
|
||||||
|
key_age=90
|
||||||
|
server_list=server_list.csv
|
||||||
|
# if start with ~/ it will be replaced with $HOME
|
||||||
|
server_pem_folder=~/folder/to/admin/pems/
|
||||||
|
server_pem_archive_folder=~/tolder/for/archive/pems/
|
||||||
|
```
|
||||||
|
|
||||||
|
- key_age is in days, default is 90
|
||||||
|
- server_lust is the file name where the servers and info is stored
|
||||||
|
- server_pem_folder is the location for the PEM files, eg in a ~/.ssh/ sub folder
|
||||||
|
- server_pem_archive_folder is thge location for the archive files, a sub folder will be created there
|
||||||
|
|
||||||
|
### server_list fiel
|
||||||
|
|
||||||
|
This file is semicolon ';' separated and not ',' as usual. The reason is that the authorization key settings block is comma separated
|
||||||
|
|
||||||
|
- Sever: server name as to which to connect to
|
||||||
|
- Username: the username to use to connect
|
||||||
|
- Flag: currently not used
|
||||||
|
- Auth Key Settings: Optional settings block for the public key entry in the auth file
|
||||||
|
|
||||||
## Scripts
|
## Scripts
|
||||||
|
|
||||||
### rotate-ssh-keys.sh
|
### `rotate-ssh-keys.sh`
|
||||||
|
|
||||||
Will create a new key and deploy on the server and move the PEM part to the
|
Will create a new key and deploy on the server and move the PEM part to the
|
||||||
local SSH folder
|
local SSH folder
|
||||||
|
|
||||||
### remove-old-ssh-keys.sh
|
Must have -g flag set to run
|
||||||
|
|
||||||
|
### `remove-old-ssh-keys.sh`
|
||||||
|
|
||||||
Will check in the previous ssh public key folder and remove this entry from the remote server
|
Will check in the previous ssh public key folder and remove this entry from the remote server
|
||||||
|
|
||||||
|
Must have -g flag set to run
|
||||||
|
|
||||||
### Options
|
### Options
|
||||||
|
|
||||||
|
For both rotate and remove ssh key
|
||||||
|
|
||||||
- -h override single host name
|
- -h override single host name
|
||||||
- -u override user name for a host
|
- -u override user name for a host
|
||||||
- -f force key change
|
- -f force key change
|
||||||
|
- -c force create new key even if old key exists
|
||||||
- -n dry run
|
- -n dry run
|
||||||
|
- -g flag for actual change call
|
||||||
|
|
||||||
|
### `test-ssh-keys.sh`
|
||||||
|
|
||||||
|
Test access to the server and print information
|
||||||
|
|
||||||
|
Options are
|
||||||
|
|
||||||
|
- -h override single host name
|
||||||
|
- -u override user name for a host
|
||||||
|
|||||||
@@ -131,6 +131,8 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
|
|||||||
fi
|
fi
|
||||||
# flags: (not used at the moment)
|
# flags: (not used at the moment)
|
||||||
flags=$(echo "${line}" | cut -d "," -f 3);
|
flags=$(echo "${line}" | cut -d "," -f 3);
|
||||||
|
# auth key settings (in front of auth key)
|
||||||
|
settings=$(echo "${line}" | cut -d "," -f 4);
|
||||||
# ssh key names
|
# ssh key names
|
||||||
SSH_KEY_PUB_FILE="${hostname}_${username}.pem.pub";
|
SSH_KEY_PUB_FILE="${hostname}_${username}.pem.pub";
|
||||||
|
|
||||||
|
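Review bot: The new field extraction `settings=$(echo "${line}" | cut -d "," -f 4);` splits on a comma, while the ReadMe added in this same commit states that the server_list file is semicolon-separated precisely because the auth key settings block itself contains commas (for example `from=...,no-pty`); with `-d ","` field 4 holds only the first comma-delimited fragment of the block, and if the file really is `;`-separated then fields 1–3 are cut on the wrong delimiter as well. Either the documentation or the delimiter has to change; if the file is `;`-separated this line should read `settings=$(echo "${line}" | cut -d ";" -f 4);`, the `flags=` line above it needs the same treatment, and so does the sibling `auth_key_settings=` extraction in the `@@ -206,6 +215,8 @@` hunk of the other script. Note also that the enclosing loop, which starts outside the hunk, iterates over an unquoted backtick substitution, so any settings block containing a space (a `command="..."` value with arguments, say) is word-split into several `line` iterations before `cut` ever sees it.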
|||||||
@@ -127,6 +127,7 @@ SSH="ssh -a -x";
|
|||||||
add_ssh_key() {
|
add_ssh_key() {
|
||||||
AUTH_KEY_FILE="${1}";
|
AUTH_KEY_FILE="${1}";
|
||||||
PUB_KEY_FILE="${2}";
|
PUB_KEY_FILE="${2}";
|
||||||
|
AUTH_KEY_SETTINGS="${3}";
|
||||||
RMV_CHATTR_I="chattr -i"
|
RMV_CHATTR_I="chattr -i"
|
||||||
ADD_CHATTR_I="chattr +i"
|
ADD_CHATTR_I="chattr +i"
|
||||||
RMV_CHMOD_UW="chmod u-w"
|
RMV_CHMOD_UW="chmod u-w"
|
||||||
@@ -138,13 +139,20 @@ add_ssh_key() {
|
|||||||
# into a var as that would go through a pipe and not be visible
|
# into a var as that would go through a pipe and not be visible
|
||||||
# so we get the pub key file name and read it here
|
# so we get the pub key file name and read it here
|
||||||
pub_key=$(cat "${PUB_KEY_FILE}");
|
pub_key=$(cat "${PUB_KEY_FILE}");
|
||||||
|
# if we have auth key settings, prefix them to the pub key
|
||||||
|
# Note that the check key "pub_key" ignores any prefixes, but we add with settings prefix
|
||||||
|
if [ ! -z "${AUTH_KEY_SETTINGS}" ]; then
|
||||||
|
pub_key_write="${AUTH_KEY_SETTINGS} ${pub_key}";
|
||||||
|
else
|
||||||
|
pub_key_write="${pub_key}";
|
||||||
|
fi
|
||||||
INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
|
INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
|
||||||
if [ -f "${AUTH_KEY_FILE}" ] && ! grep "${pub_key}" "${AUTH_KEY_FILE}" >> /dev/null; then
|
if [ -f "${AUTH_KEY_FILE}" ] && ! grep "${pub_key}" "${AUTH_KEY_FILE}" >> /dev/null; then
|
||||||
${RMV_CHATTR_I} "${AUTH_KEY_FILE}";
|
${RMV_CHATTR_I} "${AUTH_KEY_FILE}";
|
||||||
${ADD_CHMOD_UW} "${AUTH_KEY_FILE}";
|
${ADD_CHMOD_UW} "${AUTH_KEY_FILE}";
|
||||||
{ [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] ||
|
{ [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] ||
|
||||||
echo >> "${AUTH_KEY_FILE}" || exit 1; } &&
|
echo >> "${AUTH_KEY_FILE}" || exit 1; } &&
|
||||||
echo "${pub_key}" >> "${AUTH_KEY_FILE}" || exit 1;
|
echo "${pub_key_write}" >> "${AUTH_KEY_FILE}" || exit 1;
|
||||||
${RMV_CHMOD_UW} "${AUTH_KEY_FILE}";
|
${RMV_CHMOD_UW} "${AUTH_KEY_FILE}";
|
||||||
${ADD_CHATTR_I} "${AUTH_KEY_FILE}";
|
${ADD_CHATTR_I} "${AUTH_KEY_FILE}";
|
||||||
fi;
|
fi;
|
||||||
@@ -165,11 +173,12 @@ install_ssh_key() {
|
|||||||
USERNAME="${2}";
|
USERNAME="${2}";
|
||||||
PUB_KEY_FILE="${3}";
|
PUB_KEY_FILE="${3}";
|
||||||
AUTH_KEY_FILE="${4}";
|
AUTH_KEY_FILE="${4}";
|
||||||
|
AUTH_KEY_SETTINGS="${5}";
|
||||||
echo "[.] Add to auth file: ${AUTH_KEY_FILE}";
|
echo "[.] Add to auth file: ${AUTH_KEY_FILE}";
|
||||||
if [ ${DRY_RUN} -eq 0 ]; then
|
if [ ${DRY_RUN} -eq 0 ]; then
|
||||||
${SSH} "${USERNAME}"@"${HOSTNAME}" "$(add_ssh_key "${AUTH_KEY_FILE}" "${PUB_KEY_FILE}")"
|
${SSH} "${USERNAME}"@"${HOSTNAME}" "$(add_ssh_key "${AUTH_KEY_FILE}" "${PUB_KEY_FILE}" "${AUTH_KEY_SETTINGS}")"
|
||||||
else
|
else
|
||||||
echo "${SSH} \"${USERNAME}\"@\"${HOSTNAME}\" \"\$(add_ssh_key \"${AUTH_KEY_FILE}\" \"${PUB_KEY_FILE}\")\"";
|
echo "${SSH} \"${USERNAME}\"@\"${HOSTNAME}\" \"\$(add_ssh_key \"${AUTH_KEY_FILE}\" \"${PUB_KEY_FILE}\" \"${AUTH_KEY_SETTINGS}\")\"";
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -206,6 +215,8 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
|
|||||||
# flags: (not used at the moment)
|
# flags: (not used at the moment)
|
||||||
# Possible: U (add to .ssh/authorized_keys)
|
# Possible: U (add to .ssh/authorized_keys)
|
||||||
flags=$(echo "${line}" | cut -d "," -f 3);
|
flags=$(echo "${line}" | cut -d "," -f 3);
|
||||||
|
# auth key settings (in front of auth key)
|
||||||
|
auth_key_settings=$(echo "${line}" | cut -d "," -f 4);
|
||||||
# name for the SSH key files
|
# name for the SSH key files
|
||||||
SSH_KEY_FILE="${hostname}_${username}.pem";
|
SSH_KEY_FILE="${hostname}_${username}.pem";
|
||||||
SSH_KEY_PUB_FILE="${hostname}_${username}.pem.pub";
|
SSH_KEY_PUB_FILE="${hostname}_${username}.pem.pub";
|
||||||
@@ -276,10 +287,10 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
|
|||||||
# deploy public key to server
|
# deploy public key to server
|
||||||
if [[ ${ADMIN_USERS[@]} =~ $username ]]; then
|
if [[ ${ADMIN_USERS[@]} =~ $username ]]; then
|
||||||
# - master admin file
|
# - master admin file
|
||||||
install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys--master";
|
install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys--master" "${auth_key_settings}";
|
||||||
fi
|
fi
|
||||||
# - admin ssh config auth file
|
# - admin ssh config auth file
|
||||||
install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys/${username}"
|
install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys/${username}" "${auth_key_settings}";
|
||||||
if [ ${NEW_KEY_CREATED} -eq 1 ]; then
|
if [ ${NEW_KEY_CREATED} -eq 1 ]; then
|
||||||
# - copy local PEM file to archive folder
|
# - copy local PEM file to archive folder
|
||||||
if [ -f "${PEM_SERVER}${SSH_KEY_FILE}" ]; then
|
if [ -f "${PEM_SERVER}${SSH_KEY_FILE}" ]; then
|
||||||
|
|||||||
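Review bot: The settings block is embedded unescaped in the remote command text at `pub_key_write="${AUTH_KEY_SETTINGS} ${pub_key}";` and `echo "${pub_key_write}" >> "${AUTH_KEY_FILE}" || exit 1;` (hunk `@@ -138,13 +139,20 @@`); because the heredoc is unquoted the expansion happens locally and the result is handed to `ssh` as one string for the remote shell to parse, so any double quotes inside the block — which sshd options such as `from="..."` and `command="..."` are written with — are consumed by the remote shell and the line appended to the authorized_keys file loses them, which is likely to make sshd reject that entry. The value should be shell-escaped before it is interpolated, e.g. `pub_key_write_q=$(printf '%q' "${pub_key_write}")` right after the `fi`, and then `echo ${pub_key_write_q} >> "${AUTH_KEY_FILE}" || exit 1;` inside the heredoc (deliberately unquoted, since `%q` output is already quoted). The dry-run `echo` in `install_ssh_key` (hunk `@@ -165,11 +173,12 @@`) nests the same value one level deeper and will print a command that differs from what is actually executed for such settings. A minor style point in the same hunk: `[ ! -z "${AUTH_KEY_SETTINGS}" ]` is clearer as `[ -n "${AUTH_KEY_SETTINGS}" ]`.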