diff --git a/ReadMe.md b/ReadMe.md index 7c41d69..7484c22 100644 --- a/ReadMe.md +++ b/ReadMe.md @@ -4,8 +4,26 @@ - copy to server to - $ADMIN/.ssh (to be ended for admin user) - /etc/ssh/authorized_keys--master - - /etc/ssh/authorized_keys/$ADMIN + - /etc/ssh/authorized_keys/$USER Then remove old key Store ssh key name for current period + +## Scripts + +### rotate-ssh-keys.sh + +Will create a new key and deploy on the server and move the PEM part to the +local SSH folder + +### remove-old-ssh-keys.sh + +Will check in the previous ssh public key folder and remove this entry from the remote server + +### Options + +- -h override single host name +- -u override user name for a host +- -f force key change +- -n dry run diff --git a/bin/remove-old-ssh-keys.sh b/bin/remove-old-ssh-keys.sh old mode 100644 new mode 100755 index 6c4de1a..4fce1f5 --- a/bin/remove-old-ssh-keys.sh +++ b/bin/remove-old-ssh-keys.sh @@ -6,6 +6,44 @@ BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/"; CONFIG_BASE="${BASE_FOLDER}../config/"; # previous public key SSH_PUBLIC_KEYS_PREVIOUS="${BASE_FOLDER}../ssh-public-keys/previous/"; +# list of admin user names, if username does not match this only update the user entry +ADMIN_USERS=(admin ubuntu ec2-user) + +DRY_RUN=0; +FORCE=0; +HOST_ONLY=""; +USER_ONLY=""; +# +while getopts ":h:u:nf" opt; do + case "${opt}" in + h|hostname) + HOST_ONLY="${OPTARG}"; + ;; + u|username) + USER_ONLY="${OPTARG}"; + ;; + n|dry-run) + DRY_RUN=1; + ;; + f|force) + FORCE=1; + ;; + \?) + echo -e "\n Option does not exist: ${OPTARG}\n"; + echo "-h override single host name"; + echo "-u override user name for a host"; + echo "-f force key change"; + echo "-n dry run"; + echo "" + exit 1; + ;; + esac +done + +if [ ! -d "${SSH_PUBLIC_KEYS_PREVIOUS}" ]; then + echo "Missing ssh public keys previous folder: ${SSH_PUBLIC_KEYS_PREVIOUS}"; + exit; +fi # load config if [ -f "${CONFIG_BASE}settings.ini" ]; then 
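Review bot: The new precondition check on the previous-keys folder ends with a bare `exit;`, so a missing `${SSH_PUBLIC_KEYS_PREVIOUS}` reports success (status 0) to cron or to a calling script; it should be `exit 1;`. The same bare `exit;` follows the PEM folder checks added in the rotate-ssh-keys.sh hunk `@@ -74,78 +74,93 @@`. In the getopts loop the alternates `hostname`, `username`, `dry-run` and `force` can never match, because getopts only ever yields single-character option names, and with the leading `:` in the optstring there is no `:)` arm, so `-h` or `-u` given without a value is silently ignored rather than rejected; add `:) echo "Option -${OPTARG} requires an argument" >&2; exit 1 ;;`.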
@@ -17,13 +55,91 @@ if [ ! -f "${CONFIG_BASE}${server_list}" ]; then exit fi +# default ssh command +SSH="ssh -a -x"; + +remove_ssh_key() { + AUTH_KEY_FILE="${1}"; + PUB_KEY_FILE="${2}"; + RMV_CHATTR_I="chattr -i" + ADD_CHATTR_I="chattr +i" + RMV_CHMOD_UW="chmod u-w" + ADD_CHMOD_UW="chmod u+w" + pub_key=$(cat "${PUB_KEY_FILE}"); + # we need to escape for sed + pub_key_escaped=$(printf '%s\n' "$pub_key" | sed -e 's/[]\/$*.^[]/\\&/g'); + # the -z `tail ...` checks for a trailing newline. The echo adds one if was missing (from ssh-copy-id) + UNINSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF + if [ -f "${AUTH_KEY_FILE}" ] && grep "${pub_key}" "${AUTH_KEY_FILE}" >> /dev/null; then + ${RMV_CHATTR_I} "${AUTH_KEY_FILE}"; + ${ADD_CHMOD_UW} "${AUTH_KEY_FILE}"; + sed -i "/${pub_key_escaped}/d" "${AUTH_KEY_FILE}"; + ${RMV_CHMOD_UW} "${AUTH_KEY_FILE}"; + ${ADD_CHATTR_I} "${AUTH_KEY_FILE}"; + fi; + EOF + ); + # to defend against quirky remote shells: use 'exec sh -c' to get POSIX; + printf "exec sudo sh -c '%s'" "${UNINSTALLKEYS_SH}" +} + +uninstall_ssh_key() { + HOSTNAME="${1}"; + USERNAME="${2}"; + PUB_KEY_FILE="${3}"; + AUTH_KEY_FILE="${4}"; + echo "[.] 
Remove from auth file: ${AUTH_KEY_FILE}"; + if [ ${DRY_RUN} -eq 0 ]; then + # find the pub key in the file and remove this line only + ${SSH} "${USERNAME}"@"${HOSTNAME}" "$(remove_ssh_key "${AUTH_KEY_FILE}" "${PUB_KEY_FILE}")" + else + echo "${SSH} \"${USERNAME}\"@\"${HOSTNAME}\" \"\$(remove_ssh_key \"${AUTH_KEY_FILE}\" \"${PUB_KEY_FILE}\")\""; + fi +} + # find last public in remote server and remove it for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do - hostname=$(echo "${line}" | cut -d "," -f 1) - # flags are current "M" for multi key, has other users public key in too - flags=$(echo "${line}" | cut -d "," -f 2) - echo "Remove previous key for: ${hostname}"; + if [[ "${i}" =~ ^\# ]]; then + continue; + fi + # hostname is on pos 1 + hostname=$(echo "${line}" | cut -d "," -f 1); + # if hostname opt set and not matching skip + if [ ! -z "${HOST_ONLY}" ] && [ "${HOST_ONLY}" != "${hostname}" ]; then + continue; + fi + # login user name + username=$(echo "${line}" | cut -d "," -f 2); + # if username opt set and not matching skip + if [ ! -z "${USER_ONLY}" ] && [ "${USER_ONLY}" != "${username}" ]; then + continue; + fi + # flags: (not used at the moment) + flags=$(echo "${line}" | cut -d "," -f 3); + # ssh key names + SSH_KEY_PUB_FILE="${hostname}_${username}.pem.pub"; + + # previous public key does not exist, skip + if [ ! -f "${SSH_PUBLIC_KEYS_PREVIOUS}${SSH_KEY_PUB_FILE}" ]; then + echo "[!] 
Missing previous public key file ${SSH_KEY_PUB_FILE} for ${username}@${hostname}"; + continue; + fi + + echo "[-] Remove previous key for: ${username}@${hostname} with flags '${flags}'"; # find in master key and $admin user + if [[ ${ADMIN_USERS[@]} =~ $username ]]; then + # find in "/etc/ssh/authorized_keys--master"; + uninstall_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_PREVIOUS}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys--master"; + fi + uninstall_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_PREVIOUS}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys/${username}" + # remove old key + echo "[-] Remove previous public key: ${SSH_KEY_PUB_FILE}"; + if [ ${DRY_RUN} -eq 0 ]; then + rm "${SSH_PUBLIC_KEYS_PREVIOUS}${SSH_KEY_PUB_FILE}"; + else + echo "rm \"${SSH_PUBLIC_KEYS_PREVIOUS}${SSH_KEY_PUB_FILE}\";"; + fi; + echo "[=] ............... DONE"; done # __END__ diff --git a/bin/rotate-ssh-keys.sh b/bin/rotate-ssh-keys.sh index e200e5b..a0b2c30 100755 --- a/bin/rotate-ssh-keys.sh +++ b/bin/rotate-ssh-keys.sh @@ -19,17 +19,15 @@ SSH_PRIVATE_KEYS="${BASE_FOLDER}../ssh-keys/"; # ssh public keys from current and last SSH_PUBLIC_KEYS_PREVIOUS="${BASE_FOLDER}../ssh-public-keys/previous/"; SSH_PUBLIC_KEYS_CURRENT="${BASE_FOLDER}../ssh-public-keys/current/"; -# PEM folder for server -PEM_SERVER="${HOME}/.ssh/PEMS/SERVER-ADMIN/"; -# PEM archive folder -PEM_ARCHIVE="${HOME}/.ssh/ARCHIVED_PEMs/SERVER-ADMIN/$(date +%F)/"; +# list of admin user names, if username does not match this only update the user entry +ADMIN_USERS=(admin ubuntu ec2-user) -DRYRUN=0; +DRY_RUN=0; FORCE=0; HOST_ONLY=""; USER_ONLY=""; # -while getopts ":h:u:n" opt; do +while getopts ":h:u:nf" opt; do case "${opt}" in h|hostname) HOST_ONLY="${OPTARG}"; @@ -37,8 +35,8 @@ while getopts ":h:u:n" opt; do u|username) USER_ONLY="${OPTARG}"; ;; - n|dryrun) - DRYRUN=1; + n|dry-run) + DRY_RUN=1; ;; f|force) FORCE=1; 
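Review bot: `if [[ ${ADMIN_USERS[@]} =~ $username ]]` is an unanchored regex match against the joined string `admin ubuntu ec2-user`, so any username that is a substring of it (for example `min`, `ubu` or `ec2`) is classified as an admin and has its key removed from `/etc/ssh/authorized_keys--master`, and in rotate-ssh-keys.sh installed into it; compare whole words instead, `if [[ " ${ADMIN_USERS[*]} " == *" ${username} "* ]]; then`. The same test is added in the rotate-ssh-keys.sh hunk `@@ -163,50 +178,130 @@`. Secondly, the comment-skip test reads `${i}`, which is never assigned in this loop (the loop variable is `line`), so commented-out entries in the server list are still processed; it should be `if [[ "${line}" =~ ^\# ]]; then`. The same `${i}` test appears as context in the rotate-ssh-keys.sh hunk `@@ -74,78 +74,93 @@`, so it presumably predates this commit there.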
@@ -46,12 +44,14 @@ while getopts ":h:u:n" opt; do \?) echo -e "\n Option does not exist: ${OPTARG}\n"; echo "-h override single host name"; + echo "-u override user name for a host"; + echo "-f force key change"; echo "-n dry run"; echo "" exit 1; ;; - esac; -done; + esac +done if [ ! -d "${SSH_PRIVATE_KEYS}" ]; then echo "Missing ssh private keys folder: ${SSH_PRIVATE_KEYS}"; 
@@ -74,78 +74,93 @@ if [ -z "${key_age}" ]; then echo "A minimnum key age in days must be set"; exit; fi - # we must have "server_list" set and file must be in config folder if [ ! -f "${CONFIG_BASE}${server_list}" ]; then echo "Cannot find ${server_list} file in the config folder"; exit; fi +# If the path is under "" then the ~ replacement is needed +# PEM folder for server +__PEM_SERVER="${server_pem_folder}"; +if [ -z "${server_pem_folder##~\/*}" ]; then + server_pem_folder="${server_pem_folder/~\//"${HOME}"\/}"; +fi; +PEM_SERVER="${server_pem_folder}/"; +if [ ! -d "${PEM_SERVER}" ]; then + echo "Cannot found PEM server key folder: ${PEM_SERVER}"; + exit; +fi +# PEM archive folder +__PEM_ARCHIVE="${server_pem_archive_folder}/$(date +%F)/"; +if [ -z "${server_pem_archive_folder##~\/*}" ]; then + server_pem_archive_folder="${server_pem_archive_folder/~\//"${HOME}"\/}"; +fi +PEM_ARCHIVE="${server_pem_archive_folder}"; +if [ ! -d "${PEM_ARCHIVE}" ]; then + echo "Cannot found PEM server key archive folder: ${PEM_ARCHIVE}"; + exit; +fi +# add todays date +PEM_ARCHIVE="${PEM_ARCHIVE}/$(date +%F)/" + # default ssh command SSH="ssh -a -x"; +# Add the SSH Key to an auth file if it does not exist yet and the auth file does exist +# Build bash command to run this +# @Params +# AUTH_KEY_FILE {1}: the auth key file where to add the key +# PUB_KEY_FILE {2}: Public key file name add_ssh_key() { AUTH_KEY_FILE="${1}"; - PUB_KEY_DATA="${2}"; - RMV_CHATTR_I="chattr -i " - ADD_CHATTR_I="chattr +i " - RMV_CHMOD_UW="chamod u-w " - ADD_CHMOD_UW="chmod u+w " - # { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || - # echo >> "${AUTH_KEY_FILE}" || exit 1; } && - # cat >> "${AUTH_KEY_FILE}" || exit 1; - - # check if same key already exists, if yes, skip + PUB_KEY_FILE="${2}"; + RMV_CHATTR_I="chattr -i" + ADD_CHATTR_I="chattr +i" + RMV_CHMOD_UW="chmod u-w" + ADD_CHMOD_UW="chmod u+w" + # check if the auth file exists and the key is not yet in the auth file # the -z `tail ...` checks for a 
trailing newline. The echo adds one if was missing (from ssh-copy-id) - - # if [ -f "${AUTH_KEY_FILE}" ] && ! cat >> grep "${AUTH_KEY_FILE}"; then - # ${RMV_CHATTR_I} ${AUTH_KEY_FILE} - # ${ADD_CHMOD_UW} ${AUTH_KEY_FILE} - # { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || - # echo >> "${AUTH_KEY_FILE}" || exit 1; } && - # cat >> "${AUTH_KEY_FILE}" - # ${RMV_CHMOD_UW} ${AUTH_KEY_FILE} - # ${ADD_CHATTR_I} ${AUTH_KEY_FILE} - # fi; - + # PROBLEM: + # for grep from pipe, the left data is removed. we also can't cat from pipe + # into a var as that would go through a pipe and not be visible + # so we get the pub key file name and read it here + pub_key=$(cat "${PUB_KEY_FILE}"); INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF - if [ -f "~/TEMP_SSH_PUB.pem.pub" ] && ! cat >> grep "~/TEMP_SSH_PUB.pem.pub"; then - ${RMV_CHATTR_I} ~/TEMP_SSH_PUB.pem.pub - ${ADD_CHMOD_UW} ~/TEMP_SSH_PUB.pem.pub - { [ -z \`tail -1c ~/TEMP_SSH_PUB.pem.pub 2>/dev/null\` ] || - echo >> "~/TEMP_SSH_PUB.pem.pub || exit 1; } && - cat >> "~/TEMP_SSH_PUB.pem.pub" - ${RMV_CHMOD_UW} ~/TEMP_SSH_PUB.pem.pub - ${ADD_CHATTR_I} ~/TEMP_SSH_PUB.pem.pub + if [ -f "${AUTH_KEY_FILE}" ] && ! 
grep "${pub_key}" "${AUTH_KEY_FILE}" >> /dev/null; then + ${RMV_CHATTR_I} "${AUTH_KEY_FILE}"; + ${ADD_CHMOD_UW} "${AUTH_KEY_FILE}"; + { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || + echo >> "${AUTH_KEY_FILE}" || exit 1; } && + echo "${pub_key}" >> "${AUTH_KEY_FILE}" || exit 1; + ${RMV_CHMOD_UW} "${AUTH_KEY_FILE}"; + ${ADD_CHATTR_I} "${AUTH_KEY_FILE}"; fi; EOF - ) - + ); # to defend against quirky remote shells: use 'exec sh -c' to get POSIX; - printf "exec sh -c '%s'" "${INSTALLKEYS_SH}" + printf "exec sudo sh -c '%s'" "${INSTALLKEYS_SH}" } +# install call +# @Params +# HOSTNAME {1} hostname to access +# USERNAME {2} username to use +# PUB_KEY_FILE {3} public key file to add +# AUTH_KEY_FILE {4} auth key file where to add the public key install_ssh_key() { HOSTNAME="${1}"; USERNAME="${2}"; - PUB_KEY="${3}"; + PUB_KEY_FILE="${3}"; AUTH_KEY_FILE="${4}"; - # PUB_KEY_DATA=$(printf '%s\n' "$(cat "${PUB_KEY}")") - echo "=== FILE ${AUTH_KEY_FILE}"; - printf '%s\n' "$(cat "${PUB_KEY}")" | ${SSH} "${USERNAME}"@"${HOSTNAME}" "$(add_ssh_key "${AUTH_KEY_FILE}" "${PUB_KEY_DATA}")" + echo "[.] Add to auth file: ${AUTH_KEY_FILE}"; + if [ ${DRY_RUN} -eq 0 ]; then + ${SSH} "${USERNAME}"@"${HOSTNAME}" "$(add_ssh_key "${AUTH_KEY_FILE}" "${PUB_KEY_FILE}")" + else + echo "${SSH} \"${USERNAME}\"@\"${HOSTNAME}\" \"\$(add_ssh_key \"${AUTH_KEY_FILE}\" \"${PUB_KEY_FILE}\")\""; + fi } -# Remove all last entries -# Move all current to last -if [ ${DRYRUN} -eq 0 ]; then - echo "Remove all previous ssh public keys"; - rm "${SSH_PUBLIC_KEYS_PREVIOUS}"*; - echo "Move all current public keys to the previous folder"; - mv "${SSH_PUBLIC_KEYS_CURRENT}"* "${SSH_PUBLIC_KEYS_PREVIOUS}"; - # create new archive folder local - mkdir -p "${PEM_ARCHIVE}"; -fi - for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do if [[ "${i}" =~ ^\# ]]; then continue; 
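Review bot: `add_ssh_key` now interpolates the whole public-key line into the remote script and wraps the result in `sh -c '%s'`, so a single quote anywhere in the key comment (which is built from the username and hostname fields of the server list) terminates the quoting and the remainder is executed as shell on the remote host under sudo; the key should either be passed on stdin as the original did, or rejected before the command is built if it contains `'`. In the same test, `grep "${pub_key}"` treats the key as a basic regex, so `.` in the comment matches any character and an over-broad match skips the install; use `grep -qFx -- "${pub_key}" "${AUTH_KEY_FILE}"`, which also replaces the `>> /dev/null` redirect. `remove_ssh_key` in the remove-old-ssh-keys.sh hunk `@@ -17,13 +55,91 @@` builds its command the same way and has the same unescaped grep. The PEM folder checks above the function end in a bare `exit;`, which reports status 0 on a failed precondition; `exit 1;` is intended there.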
@@ -163,50 +178,130 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do continue; fi # check if force or if last rotaet in valid range - if [ "${FORCE}" -eq 0 ] && [ -f "${LAST_ROTATE}${hostname}_${username}.last-rotate"]; then + if [ "${FORCE}" -eq 0 ] && [ -f "${LAST_ROTATE}${hostname}_${username}.last-rotate" ]; then # holds unix timestamp, if now - this timestamp is < key_age => skip last_rotate=$(cat "${LAST_ROTATE}${hostname}_${username}.last-rotate"); current_timestamp=$(date +%s) age=$(( ($current_timestamp - $last_rotate) )) days_left=$(( (age)/(3600*24) )) if [ $days_left -le $key_age ]; then - echo "Last rotate for ${username}@${hostname} was ${days_left} days ago, minimum is ${key_age}"; + echo "[!] Last rotate for ${username}@${hostname} was ${days_left} days ago, minimum is ${key_age}"; + echo "[_] ............... SKIP"; continue; fi fi # flags: (not used at the moment) + # Possible: U (add to .ssh/authorized_keys) flags=$(echo "${line}" | cut -d "," -f 3); # name for the SSH key files SSH_KEY_FILE="${hostname}_${username}.pem"; SSH_KEY_PUB_FILE="${hostname}_${username}.pem.pub"; - # create name - echo "Create new key for: ${username}@${hostname} with flags '${flags}'"; # if current exist, skip creation # if pem or pub missing, but not both, alert and skip # else create new - if [ -f "${SSH_KEY_FILE}" ] - ssh-keygen -t ed25519 -N "" -C "${hostname}: $(date +%F)" -f "${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}" - # move the public key to the current folder - mv "${SSH_PRIVATE_KEYS}${SSH_KEY_PUB_FILE}" "${SSH_PUBLIC_KEYS_CURRENT}"; + CREATE_NEW_KEY=0; + # if we have force, override this all + if [ ${FORCE} -eq 1 ]; then + CREATE_NEW_KEY=1; + elif [ -f "${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}" ] || [ -f "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" ]; then + # if we miss private key -> alert skip + if [ ! -f "${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}" ]; then + # extract public key from ${PEM_SERVER}${SSH_KEY_FILE} and check if same to public key + if [ ! 
-f "${PEM_SERVER}${SSH_KEY_FILE}" ]; then + echo "[!] There are no master pem file to extract public key from for ${username}@${hostname}"; + echo "[_] ............... SKIP"; + continue; + else + __COMP_PUB_KEY=$(ssh-keygen -y -f "${PEM_SERVER}${SSH_KEY_FILE}"); + __CURRENT_PUB_KEY=$(cat "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}"); + if [ "${__COMP_PUB_KEY}" != "${__CURRENT_PUB_KEY}" ]; then + echo "[!] Current PEM public key does not match existing for ${username}@${hostname}"; + echo "[!] Current Public: ${__CURRENT_PUB_KEY}"; + echo "[!] Master Public : ${__COMP_PUB_KEY}"; + echo "[_] ............... SKIP"; + continue; + fi + fi + fi + else + CREATE_NEW_KEY=1 + fi + # create name + NEW_KEY_CREATED=0; + if [ ${CREATE_NEW_KEY} -eq 1 ]; then + echo "[+] Create new key for: ${username}@${hostname} with flags '${flags}' as: ${SSH_KEY_PUB_FILE}"; + # previous still exists? alert and abort + if [ -f "${SSH_PUBLIC_KEYS_PREVIOUS}${SSH_KEY_PUB_FILE}" ]; then + echo "[!] Previous public key still exists, was the remote key removed for ${username}@${hostname}"; + continue; + fi + # Move all current to last + if [ -f "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" ]; then + echo "[>] Move current public key to the previous folder"; + if [ ${DRY_RUN} -eq 0 ]; then + mv "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "${SSH_PUBLIC_KEYS_PREVIOUS}"; + else + echo "mv \"${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}\" \"${SSH_PUBLIC_KEYS_PREVIOUS}\";"; + fi + fi + # only create if not dry run + if [ ${DRY_RUN} -eq 0 ]; then + # <<< $'\ny' + ssh-keygen -q -t ed25519 -N "" -C "${username}@${hostname}: $(date +%F)" -f "${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}" + # move the public key to the current folder + mv "${SSH_PRIVATE_KEYS}${SSH_KEY_PUB_FILE}" "${SSH_PUBLIC_KEYS_CURRENT}"; + # flag new key creation for move + else + echo "ssh-keygen -q -t ed25519 -N \"\" -C \"${username}@${hostname}: $(date +%F)\" -f \"${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}\";"; + echo "mv 
\"${SSH_PRIVATE_KEYS}${SSH_KEY_PUB_FILE}\" \"${SSH_PUBLIC_KEYS_CURRENT}\";"; + fi + NEW_KEY_CREATED=1; + else + echo "[~] Deploy current key for: ${username}@${hostname} with flags '${flags}': ${SSH_KEY_PUB_FILE}"; + fi # deploy public key to server - # - master admin file - install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys--master" + if [[ ${ADMIN_USERS[@]} =~ $username ]]; then + # - master admin file + install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys--master"; + fi # - admin ssh config auth file install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys/${username}" - # - copy local PEM file to archive folder - if [ ${DRYRUN} -eq 0 ]; then + if [ ${NEW_KEY_CREATED} -eq 1 ]; then + # - copy local PEM file to archive folder if [ -f "${PEM_SERVER}${SSH_KEY_FILE}" ]; then - cp "${PEM_SERVER}${SSH_KEY_FILE}" "${PEM_ARCHIVE}"; + # create new archive folder local, one time action + if [ ! 
-d "${PEM_ARCHIVE}" ]; then + echo "[+] Create ${PEM_ARCHIVE}": + if [ ${DRY_RUN} -eq 0 ]; then + mkdir -p "${PEM_ARCHIVE}"; + else + echo "mkdir -p \"${PEM_ARCHIVE}\";"; + fi + fi + echo "[>] Move old PEM key to archive folder: ${__PEM_ARCHIVE}"; + if [ ${DRY_RUN} -eq 0 ]; then + cp "${PEM_SERVER}${SSH_KEY_FILE}" "${PEM_ARCHIVE}"; + else + echo "cp \"${PEM_SERVER}${SSH_KEY_FILE}\" \"${PEM_ARCHIVE}\";"; + fi + fi + echo "[>] Move PEM key '${SSH_KEY_FILE}' to .ssh folder: ${__PEM_SERVER}"; + if [ ${DRY_RUN} -eq 0 ]; then + # - copy to local ssh folder + mv "${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}" "${PEM_SERVER}"; + else + echo "mv \"${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}\" \"${PEM_SERVER}\";"; fi - # - copy to local ssh folder - mv "${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}" "${PEM_SERVER}"; fi # post roate write timestamp into rotate file - if [ ${DRYRUN} -eq 0 ]; then + if [ ${DRY_RUN} -eq 0 ]; then echo $(date +%s) > "${LAST_ROTATE}${hostname}_${username}.last-rotate"; + else + echo "\"echo $(date +%s) > \"${LAST_ROTATE}${hostname}_${username}.last-rotate\";"; fi + echo "[=] ............... DONE"; done diff --git a/config/.gitignore b/config/.gitignore index d6b7ef3..4eeca2f 100644 --- a/config/.gitignore +++ b/config/.gitignore @@ -1,2 +1,3 @@ * !.gitignore +!settings.sample.ini diff --git a/config/settings.sample.ini b/config/settings.sample.ini new file mode 100644 index 0000000..d087f71 --- /dev/null +++ b/config/settings.sample.ini @@ -0,0 +1,6 @@ +[Settings] +key_age=90 +server_list=server_list.csv +# if start with ~/ it will be replaced with $HOME +server_pem_folder=path to pem folder for server pems +server_pem_archive_folder=path to archive folder for old pems
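Review bot: The `.last-rotate` timestamp at the end of the loop body is written whenever `DRY_RUN` is 0, regardless of whether `ssh-keygen`, the `mv` of the new key or the two `install_ssh_key` calls succeeded, so a host where the remote install failed is recorded as rotated and the next remove-old-ssh-keys.sh run can delete the only key that still works there. `install_ssh_key` returns the status of the `ssh` command it runs, so the result can be tracked and the timestamp skipped on failure, as below. The `echo "[+] Create ${PEM_ARCHIVE}":` line in the archive branch ends in `:` rather than `;`, which prints a stray colon and looks like a typo. With `-f` and an existing private key, `ssh-keygen -q` will presumably still prompt whether to overwrite, which the commented `# <<< $'\ny'` hints at; that case is worth confirming, because the current public key has already been moved to the previous folder by then.
```shell
  # deploy public key to server; remember any failure so the rotation is not recorded as done
  DEPLOY_FAILED=0;
  if [[ ${ADMIN_USERS[@]} =~ $username ]]; then
    # - master admin file
    install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys--master" || DEPLOY_FAILED=1;
  fi
  # - admin ssh config auth file
  install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys/${username}" || DEPLOY_FAILED=1;
  # … unchanged: PEM archive and move of the PEM key to the .ssh folder …
  # post rotate write timestamp into rotate file, only when the remote install succeeded
  if [ ${DEPLOY_FAILED} -eq 1 ]; then
    echo "[!] Deploy failed for ${username}@${hostname}, rotation not recorded";
  elif [ ${DRY_RUN} -eq 0 ]; then
    echo $(date +%s) > "${LAST_ROTATE}${hostname}_${username}.last-rotate";
```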