@@ -1,54 +1,79 @@
# Rotate all ssh keys on servers for certain users
These scripts are run locally on your operation Workstation.
These scripts are mainly destinated to rotate the SSH key, a set of scripts is for admin users, the other is for normal users.
- create new key with name scheme
- Name consits out of the server location (`awsN-REGION_server name_user name`)
- the `awsN-REGION_server name_` is the hostname in the `server_list.csv` file
- the `user name` is the username in the `server_list.csv` file
- copy to server to
- $ADMIN/.ssh (to be ended for admin user)
- $ADMIN/.ssh (this usage is to be ended for admin user, only if such key already exist)
- /etc/ssh/authorized_keys--master
- /etc/ssh/authorized_keys/$USER
Then remove old key
Then remove old key (with the remove script)
Store ssh key name for current period
Stores the public ssh key name for current period in the local `ssh-public-keys/admin-current/` folder
## Settings files
### `settings.ini`
Sample file: `settings.sample.ini`
```ini
[Settings]
key_age=90
server_list=server_list.csv
# if start with ~/ it will be replaced with $HOME
server_pem_folder=~/folder/to/admin/pems/
server_pem_archive_folder=~/tolder/for/archive/pems/
server_pem_archive_folder=~/folder/for/archive/pems/
```
- key_age is in days, default is 90
- server_lust is the file name where the servers and info is stored
- server_list is the file name where the servers and info is stored
- server_pem_folder is the location for the PEM files, eg in a ~/.ssh/ sub folder
- server_pem_archive_folder is thge location for the archive files, a sub folder will be created there
- server_pem_archive_folder is the location for the archive files, a sub folder will be created there
### server_list fiel
### `server_list.csv` file
This file is semicolon ';' separated and not ',' as usual. The reason is that the authorization key settings block is comma separated
Sample file: `server_list.sample.csv`
- Sever: server name as to which to connect to
- Username: the username to use to connect
This file is not kept in the repository for security purpose. <<< to specify >>>
This file is semicolon ';' separated and not ',' as usual. The reason is that the authorization key settings block is comma separated.
- Server: server name as to which to connect to
- Username: the username to use to connect (and actually rotate the key)
- Flag: currently not used
- Auth Key Settings: Optional settings block for the public key entry in the auth file
- Auth Key Settings: Optional settings block for the public key entry in the auth file (IP restriction, commands allowed, etc )
The list has to be filled with all hosts for which the admin keys or where user keys should be changed.
The hostname list depends on the hostnames set in the `.ssh/config` file and the username depends on the OS installed
| OS | Username |
| - | - |
| Debian | admin |
| Ubuntu | ubuntu |
| Amazon Linux | ec2-user |
## Scripts
### `rotate-ssh-keys.sh`
### `admin-rotate-ssh-keys.sh`
Will create a new key and deploy on the server and move the PEM part to the
local SSH folder
Will create a new key and deploy on the server and move the PEM part to the local SSH folder as defined in the `settings.ini` file `server_pem_folder` config setting and store the public keys in the `ssh-public-keys/admin-current` .
Previous keys are moved to the`server_pem_archive_folder`
The old public keys are moved to the `ssh-public-keys/admin-previous` folder
Must have -g flag set to run
### `remove-old-ssh-keys.sh`
### `admin-remove-old-ssh-keys.sh`
Will check in the previous ssh public key folder and remove this entry from the remote server
Will check in the previous ssh public key folder `ssh-public-keys/admin-previous` and remove this entry from the remote server
Must have -g flag set to run
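Review bot: the workflow "create new key ... copy to server ... Then remove old key (with the remove script)" has no verification step between deployment and removal; add a sentence stating that a login with the new key must succeed on each host before `admin-remove-old-ssh-keys.sh` is run, since a failed deploy followed by removal of the only working key locks the operator out of that host. The `server_list.csv` paragraph still carries the `<<< to specify >>>` placeholder after "not kept in the repository for security purpose"; replace it with the actual mechanism (for example the ignore rule that excludes the file) or drop the marker before merging. The copy-target list also names both `$ADMIN/.ssh` (marked "to be ended") and `/etc/ssh/authorized_keys/$USER`; state which path the scripts write today so the reader knows which authorized keys file the server's sshd is expected to read.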
@@ -71,3 +96,29 @@ Options are
- -h override single host name
- -u override user name for a host
### `user-add-ssh-key.sh`
This script does not create a new private/public key set, you need to provide a public key
The public key must be put into the `ssh-public-keys/user-current` folder
Add a user public key to the admin user on a server
- -h override single host name
- -u override user name for a host
- -k user public key name
- -n dry run
- -g flag for actual change call
### `user-remove-ssh-key.sh`
To removed public keys must be located in the `ssh-public-keys/user-previous` folder
Remove a user public key from the admin user on a server
- -h override single host name
- -u override user name for a host
- -k user public key name
- -n dry run
- -g flag for actual change call
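Review bot: the option lists for `user-add-ssh-key.sh` and `user-remove-ssh-key.sh` document `-n dry run` and `-g flag for actual change call` but not what the scripts do when neither flag is given, nor whether `-k` takes a bare file name inside `ssh-public-keys/user-current` (respectively `user-previous`) or a path; add one sentence for each so an operator cannot mistake a no-op run for a completed rotation. Also "To removed public keys must be located in" should read "The public keys to remove must be located in".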