Add settings block to ssh public key in auth file, ReadMe file update

ReadMe.md

@@ -10,20 +10,64 @@ Then remove old key
 
 Store ssh key name for current period
 
+## Settings files
+
+### `settings.ini`
+
+```ini
+[Settings]
+key_age=90
+server_list=server_list.csv
+# if start with ~/ it will be replaced with $HOME
+server_pem_folder=~/folder/to/admin/pems/
+server_pem_archive_folder=~/tolder/for/archive/pems/
+```
+
+- key_age is in days, default is 90
+- server_lust is the file name where the servers and info is stored
+- server_pem_folder is the location for the PEM files, eg in a ~/.ssh/ sub folder
+- server_pem_archive_folder is thge location for the archive files, a sub folder will be created there
+
+### server_list fiel
+
+This file is semicolon ';' separated and not ',' as usual. The reason is that the authorization key settings block is comma separated
+
+- Sever: server name as to which to connect to
+- Username: the username to use to connect
+- Flag: currently not used
+- Auth Key Settings: Optional settings block for the public key entry in the auth file
+
 ## Scripts
 
-### rotate-ssh-keys.sh
+### `rotate-ssh-keys.sh`
 
 Will create a new key and deploy on the server and move the PEM part to the
 local SSH folder
 
-### remove-old-ssh-keys.sh
+Must have -g flag set to run
+
+### `remove-old-ssh-keys.sh`
 
 Will check in the previous ssh public key folder and remove this entry from the remote server
 
+Must have -g flag set to run
+
 ### Options
 
+For both rotate and remove ssh key
+
 - -h override single host name
 - -u override user name for a host
 - -f force key change
+- -c force create new key even if old key exists
 - -n dry run
+- -g flag for actual change call
+
+### `test-ssh-keys.sh`
+
+Test access to the server and print information
+
+Options are
+
+- -h override single host name
+- -u override user name for a host

bin/remove-old-ssh-keys.sh

@@ -131,6 +131,8 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
 	fi
 	# flags: (not used at the moment)
 	flags=$(echo "${line}" | cut -d "," -f 3);
+	# auth key settings (in front of auth key)
+	settings=$(echo "${line}" | cut -d "," -f 4);
 	# ssh key names
 	SSH_KEY_PUB_FILE="${hostname}_${username}.pem.pub";
 

bin/rotate-ssh-keys.sh

@@ -127,6 +127,7 @@ SSH="ssh -a -x";
 add_ssh_key() {
 	AUTH_KEY_FILE="${1}";
 	PUB_KEY_FILE="${2}";
+	AUTH_KEY_SETTINGS="${3}";
 	RMV_CHATTR_I="chattr -i"
 	ADD_CHATTR_I="chattr +i"
 	RMV_CHMOD_UW="chmod u-w"
@@ -138,13 +139,20 @@ add_ssh_key() {
 	# into a var as that would go through a pipe and not be visible
 	# so we get the pub key file name and read it here
 	pub_key=$(cat "${PUB_KEY_FILE}");
+	# if we have auth key settings, prefix them to the pub key
+	# Note that the check key "pub_key" ignores any prefixes, but we add with settings prefix
+	if [ ! -z "${AUTH_KEY_SETTINGS}" ]; then
+		pub_key_write="${AUTH_KEY_SETTINGS} ${pub_key}";
+	else
+		pub_key_write="${pub_key}";
+	fi
 	INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
 		if [ -f "${AUTH_KEY_FILE}" ] && ! grep "${pub_key}" "${AUTH_KEY_FILE}" >> /dev/null; then
 			${RMV_CHATTR_I} "${AUTH_KEY_FILE}";
 			${ADD_CHMOD_UW} "${AUTH_KEY_FILE}";
 			{ [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] ||
 				echo >> "${AUTH_KEY_FILE}" || exit 1; } &&
-				echo "${pub_key}" >> "${AUTH_KEY_FILE}" || exit 1;
+				echo "${pub_key_write}" >> "${AUTH_KEY_FILE}" || exit 1;
 			${RMV_CHMOD_UW} "${AUTH_KEY_FILE}";
 			${ADD_CHATTR_I} "${AUTH_KEY_FILE}";
 		fi;
@@ -165,11 +173,12 @@ install_ssh_key() {
 	USERNAME="${2}";
 	PUB_KEY_FILE="${3}";
 	AUTH_KEY_FILE="${4}";
+	AUTH_KEY_SETTINGS="${5}";
 	echo "[.] Add to auth file: ${AUTH_KEY_FILE}";
 	if [ ${DRY_RUN} -eq 0 ]; then
-		${SSH} "${USERNAME}"@"${HOSTNAME}" "$(add_ssh_key "${AUTH_KEY_FILE}" "${PUB_KEY_FILE}")"
+		${SSH} "${USERNAME}"@"${HOSTNAME}" "$(add_ssh_key "${AUTH_KEY_FILE}" "${PUB_KEY_FILE}" "${AUTH_KEY_SETTINGS}")"
 	else
-		echo "${SSH} \"${USERNAME}\"@\"${HOSTNAME}\" \"\$(add_ssh_key \"${AUTH_KEY_FILE}\" \"${PUB_KEY_FILE}\")\"";
+		echo "${SSH} \"${USERNAME}\"@\"${HOSTNAME}\" \"\$(add_ssh_key \"${AUTH_KEY_FILE}\" \"${PUB_KEY_FILE}\" \"${AUTH_KEY_SETTINGS}\")\"";
 	fi
 }
 
@@ -206,6 +215,8 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
 	# flags: (not used at the moment)
 	# Possible: U (add to .ssh/authorized_keys)
 	flags=$(echo "${line}" | cut -d "," -f 3);
+	# auth key settings (in front of auth key)
+	auth_key_settings=$(echo "${line}" | cut -d "," -f 4);
 	# name for the SSH key files
 	SSH_KEY_FILE="${hostname}_${username}.pem";
 	SSH_KEY_PUB_FILE="${hostname}_${username}.pem.pub";
@@ -276,10 +287,10 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
 	# deploy public key to server
 	if [[ ${ADMIN_USERS[@]} =~ $username ]]; then
 		# - master admin file
-		install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys--master";
+		install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys--master" "${auth_key_settings}";
 	fi
 	# - admin ssh config auth file
-	install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys/${username}"
+	install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys/${username}" "${auth_key_settings}";
 	if [ ${NEW_KEY_CREATED} -eq 1 ]; then
 		# - copy local PEM file to archive folder
 		if [ -f "${PEM_SERVER}${SSH_KEY_FILE}" ]; then