Add -g (go) option, add force new key creation, test script add

Remove and Rotate scripts have a -g (go) flag for the actual run.
Remove has text updates for removed key info.
Rotate -f (force) only forces rotation; it will not create a new key unless -c (force create) is also set.
Test script added for testing connections
This commit is contained in:
Clemens Schwaighofer
2024-05-16 13:55:18 +09:00
parent 950dc33cb9
commit 65a235b152
3 changed files with 158 additions and 11 deletions


@@ -2,12 +2,6 @@
# Rotate and deploy admin keys
# List of servers with info
# ssh-keygen -t ed25519 -N "" -C "<COMMENT>" -f <FILE>
# store old key names, current key names
# base folder for all data
BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
# config folder
@@ -24,10 +18,12 @@ ADMIN_USERS=(admin ubuntu ec2-user)
DRY_RUN=0;
FORCE=0;
FORCE_CREATE=0;
GO=0;
HOST_ONLY="";
USER_ONLY="";
#
while getopts ":h:u:nf" opt; do
while getopts ":h:u:nfg" opt; do
case "${opt}" in
h|hostname)
HOST_ONLY="${OPTARG}";
@@ -41,12 +37,20 @@ while getopts ":h:u:nf" opt; do
f|force)
FORCE=1;
;;
c|force-create)
FORCE_CREATE=1
;;
g|go)
GO=1;
;;
\?)
echo -e "\n Option does not exist: ${OPTARG}\n";
echo "-h override single host name";
echo "-u override user name for a host";
echo "-f force key change";
echo "-c force create new key even if old key exists";
echo "-n dry run";
echo "-g flag for actual change call";
echo ""
exit 1;
;;
@@ -103,8 +107,16 @@ if [ ! -d "${PEM_ARCHIVE}" ]; then
fi
# add todays date
PEM_ARCHIVE="${PEM_ARCHIVE}/$(date +%F)/"
# abort if go not set
if [ ${GO} -eq 0 ] && [ ${DRY_RUN} -eq 1 ]; then
GO=1;
elif [ ${GO} -eq 0 ]; then
echo "No -g (go) parameter set. aborting. For testing set -n for dry run"
exit;
fi
# default ssh command
# -t is needed for systens when "Defaults requiretty" is set
SSH="ssh -a -x";
# Add the SSH Key to an auth file if it does not exist yet and the auth file does exist
@@ -203,7 +215,7 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
# else create new
CREATE_NEW_KEY=0;
# if we have force, override this all
if [ ${FORCE} -eq 1 ]; then
if [ ${FORCE_CREATE} -eq 1 ]; then
CREATE_NEW_KEY=1;
elif [ -f "${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}" ] || [ -f "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" ]; then
# if we miss private key -> alert skip
@@ -304,5 +316,4 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
echo "[=] ............... DONE";
done
# __END__
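Review bot: The new force-create option can never be selected from the command line: the optstring on the `while getopts ":h:u:nfg" opt; do` line adds `g` but not `c`, so `-c` falls into the `\?` arm and the script prints "Option does not exist" and exits, even though the `c|force-create)` arm and the `-c` help line were added in the same hunk. The optstring should read `while getopts ":h:u:nfcg" opt; do`. Separately, the abort when `-g` is missing uses a bare `exit;`, which returns status 0, so a cron job or wrapper would see a successful run although no key was rotated; `exit 1;` matches the usage path above it. The added `FORCE_CREATE=1` assignment also lacks the trailing `;` every other assignment in the file carries, which is cosmetic but worth aligning. The option-parsing loop and the key-creation branch at the end of the last hunk continue outside the shown hunks.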