First stage for ssh key rotate and remove scripts

2024-05-15 18:41:43 +09:00
parent cba0f964e7
commit 950dc33cb9
5 changed files with 315 additions and 79 deletions
--- a/bin/rotate-ssh-keys.sh
+++ b/bin/rotate-ssh-keys.sh
@@ -19,17 +19,15 @@ SSH_PRIVATE_KEYS="${BASE_FOLDER}../ssh-keys/";
 # ssh public keys from current and last
 SSH_PUBLIC_KEYS_PREVIOUS="${BASE_FOLDER}../ssh-public-keys/previous/";
 SSH_PUBLIC_KEYS_CURRENT="${BASE_FOLDER}../ssh-public-keys/current/";
-# PEM folder for server
-PEM_SERVER="${HOME}/.ssh/PEMS/SERVER-ADMIN/";
-# PEM archive folder
-PEM_ARCHIVE="${HOME}/.ssh/ARCHIVED_PEMs/SERVER-ADMIN/$(date +%F)/";
+# list of admin user names, if username does not match this only update the user entry
+ADMIN_USERS=(admin ubuntu ec2-user)

-DRYRUN=0;
+DRY_RUN=0;
 FORCE=0;
 HOST_ONLY="";
 USER_ONLY="";
 #
-while getopts ":h:u:n" opt; do
+while getopts ":h:u:nf" opt; do
 	case "${opt}" in
 		h|hostname)
 			HOST_ONLY="${OPTARG}";
@@ -37,8 +35,8 @@ while getopts ":h:u:n" opt; do
 		u|username)
 			USER_ONLY="${OPTARG}";
 			;;
-		n|dryrun)
-			DRYRUN=1;
+		n|dry-run)
+			DRY_RUN=1;
 			;;
 		f|force)
 			FORCE=1;
@@ -46,12 +44,14 @@ while getopts ":h:u:n" opt; do
 		\?)
 			echo -e "\n Option does not exist: ${OPTARG}\n";
 			echo "-h override single host name";
+			echo "-u override user name for a host";
+			echo "-f force key change";
 			echo "-n dry run";
 			echo ""
 			exit 1;
 			;;
-	esac;
-done;
+	esac
+done

 if [ ! -d "${SSH_PRIVATE_KEYS}" ]; then
 	echo "Missing ssh private keys folder: ${SSH_PRIVATE_KEYS}";
@@ -74,78 +74,93 @@ if [ -z "${key_age}" ]; then
 	echo "A minimnum key age in days must be set";
 	exit;
 fi
-
 # we must have "server_list" set and file must be in config folder
 if [ ! -f "${CONFIG_BASE}${server_list}" ]; then
 	echo "Cannot find ${server_list} file in the config folder";
 	exit;
 fi

+# If the path is under "" then the ~ replacement is needed
+# PEM folder for server
+__PEM_SERVER="${server_pem_folder}";
+if [ -z "${server_pem_folder##~\/*}" ]; then
+	server_pem_folder="${server_pem_folder/~\//"${HOME}"\/}";
+fi;
+PEM_SERVER="${server_pem_folder}/";
+if [ ! -d "${PEM_SERVER}" ]; then
+	echo "Cannot found PEM server key folder: ${PEM_SERVER}";
+	exit;
+fi
+# PEM archive folder
+__PEM_ARCHIVE="${server_pem_archive_folder}/$(date +%F)/";
+if [ -z "${server_pem_archive_folder##~\/*}" ]; then
+	server_pem_archive_folder="${server_pem_archive_folder/~\//"${HOME}"\/}";
+fi
+PEM_ARCHIVE="${server_pem_archive_folder}";
+if [ ! -d "${PEM_ARCHIVE}" ]; then
+	echo "Cannot found PEM server key archive folder: ${PEM_ARCHIVE}";
+	exit;
+fi
+# add todays date
+PEM_ARCHIVE="${PEM_ARCHIVE}/$(date +%F)/"
+
 # default ssh command
 SSH="ssh -a -x";

+# Add the SSH Key to an auth file if it does not exist yet and the auth file does exist
+# Build bash command to run this
+# @Params
+# AUTH_KEY_FILE {1}: the auth key file where to add the key
+# PUB_KEY_FILE {2}: Public key file name
 add_ssh_key() {
 	AUTH_KEY_FILE="${1}";
-	PUB_KEY_DATA="${2}";
-	RMV_CHATTR_I="chattr -i "
-	ADD_CHATTR_I="chattr +i "
-	RMV_CHMOD_UW="chamod u-w "
-	ADD_CHMOD_UW="chmod u+w "
-	# { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] ||
-    # echo >> "${AUTH_KEY_FILE}" || exit 1; } &&
-	# cat >> "${AUTH_KEY_FILE}" || exit 1;
-
-	# check if same key already exists, if yes, skip
+	PUB_KEY_FILE="${2}";
+	RMV_CHATTR_I="chattr -i"
+	ADD_CHATTR_I="chattr +i"
+	RMV_CHMOD_UW="chmod u-w"
+	ADD_CHMOD_UW="chmod u+w"
+	# check if the auth file exists and the key is not yet in the auth file
 	# the -z `tail ...` checks for a trailing newline. The echo adds one if was missing (from ssh-copy-id)
-
-		# if [ -f "${AUTH_KEY_FILE}" ] && ! cat >> grep "${AUTH_KEY_FILE}"; then
-			# ${RMV_CHATTR_I} ${AUTH_KEY_FILE}
-			# ${ADD_CHMOD_UW} ${AUTH_KEY_FILE}
-			# { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] ||
-				# echo >> "${AUTH_KEY_FILE}" || exit 1; } &&
-				# cat >> "${AUTH_KEY_FILE}"
-			# ${RMV_CHMOD_UW} ${AUTH_KEY_FILE}
-			# ${ADD_CHATTR_I} ${AUTH_KEY_FILE}
-		# fi;
-
+	# PROBLEM:
+	# for grep from pipe, the left data is removed. we also can't cat from pipe
+	# into a var as that would go through a pipe and not be visible
+	# so we get the pub key file name and read it here
+	pub_key=$(cat "${PUB_KEY_FILE}");
 	INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
-		if [ -f "~/TEMP_SSH_PUB.pem.pub" ] && ! cat >> grep "~/TEMP_SSH_PUB.pem.pub"; then
-			${RMV_CHATTR_I} ~/TEMP_SSH_PUB.pem.pub
-			${ADD_CHMOD_UW} ~/TEMP_SSH_PUB.pem.pub
-			{ [ -z \`tail -1c ~/TEMP_SSH_PUB.pem.pub 2>/dev/null\` ] ||
-				echo >> "~/TEMP_SSH_PUB.pem.pub || exit 1; } &&
-				cat >> "~/TEMP_SSH_PUB.pem.pub"
-			${RMV_CHMOD_UW} ~/TEMP_SSH_PUB.pem.pub
-			${ADD_CHATTR_I} ~/TEMP_SSH_PUB.pem.pub
+		if [ -f "${AUTH_KEY_FILE}" ] && ! grep "${pub_key}" "${AUTH_KEY_FILE}" >> /dev/null; then
+			${RMV_CHATTR_I} "${AUTH_KEY_FILE}";
+			${ADD_CHMOD_UW} "${AUTH_KEY_FILE}";
+			{ [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] ||
+				echo >> "${AUTH_KEY_FILE}" || exit 1; } &&
+				echo "${pub_key}" >> "${AUTH_KEY_FILE}" || exit 1;
+			${RMV_CHMOD_UW} "${AUTH_KEY_FILE}";
+			${ADD_CHATTR_I} "${AUTH_KEY_FILE}";
 		fi;
 		EOF
-	)
-
+	);
 	# to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
-	printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
+	printf "exec sudo sh -c '%s'" "${INSTALLKEYS_SH}"
 }

+# install call
+# @Params
+# HOSTNAME {1} hostname to access
+# USERNAME {2} username to use
+# PUB_KEY_FILE {3} public key file to add
+# AUTH_KEY_FILE {4} auth key file where to add the public key
 install_ssh_key() {
 	HOSTNAME="${1}";
 	USERNAME="${2}";
-	PUB_KEY="${3}";
+	PUB_KEY_FILE="${3}";
 	AUTH_KEY_FILE="${4}";
-	# PUB_KEY_DATA=$(printf '%s\n' "$(cat "${PUB_KEY}")")
-	echo "=== FILE ${AUTH_KEY_FILE}";
-	printf '%s\n' "$(cat "${PUB_KEY}")" | ${SSH} "${USERNAME}"@"${HOSTNAME}" "$(add_ssh_key "${AUTH_KEY_FILE}" "${PUB_KEY_DATA}")"
+	echo "[.] Add to auth file: ${AUTH_KEY_FILE}";
+	if [ ${DRY_RUN} -eq 0 ]; then
+		${SSH} "${USERNAME}"@"${HOSTNAME}" "$(add_ssh_key "${AUTH_KEY_FILE}" "${PUB_KEY_FILE}")"
+	else
+		echo "${SSH} \"${USERNAME}\"@\"${HOSTNAME}\" \"\$(add_ssh_key \"${AUTH_KEY_FILE}\" \"${PUB_KEY_FILE}\")\"";
+	fi
 }

-# Remove all last entries
-# Move all current to last
-if [ ${DRYRUN} -eq 0 ]; then
-	echo "Remove all previous ssh public keys";
-	rm "${SSH_PUBLIC_KEYS_PREVIOUS}"*;
-	echo "Move all current public keys to the previous folder";
-	mv "${SSH_PUBLIC_KEYS_CURRENT}"* "${SSH_PUBLIC_KEYS_PREVIOUS}";
-	# create new archive folder local
-	mkdir -p "${PEM_ARCHIVE}";
-fi
-
 for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
 	if [[ "${i}" =~ ^\# ]]; then
 		continue;
@@ -163,50 +178,130 @@ for line in `cat "${CONFIG_BASE}${server_list}" | sed 1d`; do
 		continue;
 	fi
 	# check if force or if last rotaet in valid range
-	if [ "${FORCE}" -eq 0 ] && [ -f "${LAST_ROTATE}${hostname}_${username}.last-rotate"]; then
+	if [ "${FORCE}" -eq 0 ] && [ -f "${LAST_ROTATE}${hostname}_${username}.last-rotate" ]; then
 		# holds unix timestamp, if now - this timestamp is < key_age => skip
 		last_rotate=$(cat "${LAST_ROTATE}${hostname}_${username}.last-rotate");
 		current_timestamp=$(date +%s)
 		age=$(( ($current_timestamp - $last_rotate) ))
 		days_left=$(( (age)/(3600*24) ))
 		if [ $days_left -le $key_age ]; then
-			echo "Last rotate for ${username}@${hostname} was ${days_left} days ago, minimum is ${key_age}";
+			echo "[!] Last rotate for ${username}@${hostname} was ${days_left} days ago, minimum is ${key_age}";
+			echo "[_] ............... SKIP";
 			continue;
 		fi
 	fi

 	# flags: (not used at the moment)
+	# Possible: U (add to .ssh/authorized_keys)
 	flags=$(echo "${line}" | cut -d "," -f 3);
 	# name for the SSH key files
 	SSH_KEY_FILE="${hostname}_${username}.pem";
 	SSH_KEY_PUB_FILE="${hostname}_${username}.pem.pub";

-	# create name
-	echo "Create new key for: ${username}@${hostname} with flags '${flags}'";
 	# if current exist, skip creation
 	# if pem or pub missing, but not both, alert and skip
 	# else create new
-	if [ -f "${SSH_KEY_FILE}" ]
-	ssh-keygen -t ed25519 -N "" -C "${hostname}: $(date +%F)" -f "${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}"
-	# move the public key to the current folder
-	mv "${SSH_PRIVATE_KEYS}${SSH_KEY_PUB_FILE}" "${SSH_PUBLIC_KEYS_CURRENT}";
+	CREATE_NEW_KEY=0;
+	# if we have force, override this all
+	if [ ${FORCE} -eq 1 ]; then
+		CREATE_NEW_KEY=1;
+	elif [ -f "${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}" ] || [ -f "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" ]; then
+		# if we miss private key -> alert skip
+		if [ ! -f "${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}" ]; then
+			# extract public key from ${PEM_SERVER}${SSH_KEY_FILE} and check if same to public key
+			if [ ! -f "${PEM_SERVER}${SSH_KEY_FILE}" ]; then
+				echo "[!] There are no master pem file to extract public key from for ${username}@${hostname}";
+				echo "[_] ............... SKIP";
+				continue;
+			else
+				__COMP_PUB_KEY=$(ssh-keygen -y -f "${PEM_SERVER}${SSH_KEY_FILE}");
+				__CURRENT_PUB_KEY=$(cat "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}");
+				if [ "${__COMP_PUB_KEY}" != "${__CURRENT_PUB_KEY}" ]; then
+					echo "[!] Current PEM public key does not match existing for ${username}@${hostname}";
+					echo "[!] Current Public: ${__CURRENT_PUB_KEY}";
+					echo "[!] Master Public : ${__COMP_PUB_KEY}";
+					echo "[_] ............... SKIP";
+					continue;
+				fi
+			fi
+		fi
+	else
+		CREATE_NEW_KEY=1
+	fi
+	# create name
+	NEW_KEY_CREATED=0;
+	if [ ${CREATE_NEW_KEY} -eq 1 ]; then
+		echo "[+] Create new key for: ${username}@${hostname} with flags '${flags}' as: ${SSH_KEY_PUB_FILE}";
+		# previous still exists? alert and abort
+		if [ -f "${SSH_PUBLIC_KEYS_PREVIOUS}${SSH_KEY_PUB_FILE}" ]; then
+			echo "[!] Previous public key still exists, was the remote key removed for ${username}@${hostname}";
+			continue;
+		fi
+		# Move all current to last
+		if [ -f "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" ]; then
+			echo "[>] Move current public key to the previous folder";
+			if [ ${DRY_RUN} -eq 0 ]; then
+				mv "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "${SSH_PUBLIC_KEYS_PREVIOUS}";
+			else
+				echo "mv \"${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}\" \"${SSH_PUBLIC_KEYS_PREVIOUS}\";";
+			fi
+		fi
+		# only create if not dry run
+		if [ ${DRY_RUN} -eq 0 ]; then
+			# <<< $'\ny'
+			ssh-keygen -q -t ed25519 -N "" -C "${username}@${hostname}: $(date +%F)" -f "${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}"
+			# move the public key to the current folder
+			mv "${SSH_PRIVATE_KEYS}${SSH_KEY_PUB_FILE}" "${SSH_PUBLIC_KEYS_CURRENT}";
+			# flag new key creation for move
+		else
+			echo "ssh-keygen -q -t ed25519 -N \"\" -C \"${username}@${hostname}: $(date +%F)\" -f \"${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}\";";
+			echo "mv \"${SSH_PRIVATE_KEYS}${SSH_KEY_PUB_FILE}\" \"${SSH_PUBLIC_KEYS_CURRENT}\";";
+		fi
+		NEW_KEY_CREATED=1;
+	else
+		echo "[~] Deploy current key for: ${username}@${hostname} with flags '${flags}': ${SSH_KEY_PUB_FILE}";
+	fi
 	# deploy public key to server
-	# - master admin file
-	install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys--master"
+	if [[ ${ADMIN_USERS[@]} =~ $username ]]; then
+		# - master admin file
+		install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys--master";
+	fi
 	# - admin ssh config auth file
 	install_ssh_key "${hostname}" "${username}" "${SSH_PUBLIC_KEYS_CURRENT}${SSH_KEY_PUB_FILE}" "/etc/ssh/authorized_keys/${username}"
-	# - copy local PEM file to archive folder
-	if [ ${DRYRUN} -eq 0 ]; then
+	if [ ${NEW_KEY_CREATED} -eq 1 ]; then
+		# - copy local PEM file to archive folder
 		if [ -f "${PEM_SERVER}${SSH_KEY_FILE}" ]; then
-			cp "${PEM_SERVER}${SSH_KEY_FILE}" "${PEM_ARCHIVE}";
+			# create new archive folder local, one time action
+			if [ ! -d "${PEM_ARCHIVE}" ]; then
+				echo "[+] Create ${PEM_ARCHIVE}":
+				if [ ${DRY_RUN} -eq 0 ]; then
+					mkdir -p "${PEM_ARCHIVE}";
+				else
+					echo "mkdir -p \"${PEM_ARCHIVE}\";";
+				fi
+			fi
+			echo "[>] Move old PEM key to archive folder: ${__PEM_ARCHIVE}";
+			if [ ${DRY_RUN} -eq 0 ]; then
+				cp "${PEM_SERVER}${SSH_KEY_FILE}" "${PEM_ARCHIVE}";
+			else
+				echo "cp \"${PEM_SERVER}${SSH_KEY_FILE}\" \"${PEM_ARCHIVE}\";";
+			fi
+		fi
+		echo "[>] Move PEM key '${SSH_KEY_FILE}' to .ssh folder: ${__PEM_SERVER}";
+		if [ ${DRY_RUN} -eq 0 ]; then
+			# - copy to local ssh folder
+			mv "${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}" "${PEM_SERVER}";
+		else
+			echo "mv \"${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}\" \"${PEM_SERVER}\";";
 		fi
-		# - copy to local ssh folder
-		mv "${SSH_PRIVATE_KEYS}${SSH_KEY_FILE}" "${PEM_SERVER}";
 	fi
 	# post roate write timestamp into rotate file
-	if [ ${DRYRUN} -eq 0 ]; then
+	if [ ${DRY_RUN} -eq 0 ]; then
 		echo $(date +%s) > "${LAST_ROTATE}${hostname}_${username}.last-rotate";
+	else
+		echo "\"echo $(date +%s) > \"${LAST_ROTATE}${hostname}_${username}.last-rotate\";";
 	fi
+	echo "[=] ............... DONE";
 done