# Rotate all ssh keys on servers for certain users

These scripts are run locally on your operations workstation. They are intended to rotate SSH keys: one set of scripts is for admin users, the other for normal users.

- create a new key following the naming scheme
  - the name consists of the server location, server name and user name (`awsN-REGION_server name_user name`)
  - `awsN-REGION_server name_` is the hostname in the `server_list.csv` file
  - `user name` is the username in the `server_list.csv` file
- copy the public key to the server, into
  - `$ADMIN/.ssh` (this usage is to be ended for admin users; only done if such a key already exists)
  - `/etc/ssh/authorized_keys--master`
  - `/etc/ssh/authorized_keys/$USER`
- then remove the old key (with the remove script)
- store the public SSH key name for the current period in the local `ssh-public-keys/admin-current/` folder

## Settings files

### `settings.ini`

Sample file: `settings.sample.ini`

```ini
[Settings]
key_age=90
server_list=server_list.csv
# if it starts with ~/ it will be replaced with $HOME
server_pem_folder=~/folder/to/admin/pems/
server_pem_archive_folder=~/folder/for/archive/pems/
```

- `key_age` is in days, default is 90
- `server_list` is the file name where the servers and their info are stored
- `server_pem_folder` is the location for the PEM files, e.g. a sub folder of `~/.ssh/`
- `server_pem_archive_folder` is the location for the archived files; a sub folder will be created there

### `server_list.csv` file

Sample file: `server_list.sample.csv`

This file is not kept in the repository for security reasons.

<<< to specify >>>

This file is semicolon (`;`) separated, not comma (`,`) separated as usual. The reason is that the authorization key settings block is itself comma separated.
Columns:

- Server: server name to connect to
- Username: the username to use to connect (and whose key is actually rotated)
- Flag: currently not used
- Auth Key Settings: optional settings block for the public key entry in the authorized keys file (IP restriction, commands allowed, etc.)

## Scripts

### `admin-rotate-ssh-keys.sh`

Creates a new key, deploys it on the server, moves the PEM part to the local SSH folder defined by the `server_pem_folder` setting in `settings.ini`, and stores the public key in `ssh-public-keys/admin-current`. Previous keys are moved to the `server_pem_archive_folder`. The old public keys are moved to the `ssh-public-keys/admin-previous` folder.

Must have the `-g` flag set to run.

### `admin-remove-old-ssh-keys.sh`

Checks the previous SSH public key folder `ssh-public-keys/admin-previous` and removes those entries from the remote server.

Must have the `-g` flag set to run.

### Options

For both the rotate and remove SSH key scripts:

- `-h` override single host name
- `-u` override user name for a host
- `-f` force key change
- `-c` force creating a new key even if an old key exists
- `-n` dry run
- `-g` flag for the actual change call

### `test-ssh-keys.sh`

Tests access to the server and prints information.

Options are:

- `-h` override single host name
- `-u` override user name for a host

### `user-add-ssh-key.sh`

This script does not create a new private/public key pair; you need to provide a public key. The public key must be put into the `ssh-public-keys/user-current` folder.

Adds a user public key to the admin user on a server.

- `-h` override single host name
- `-u` override user name for a host
- `-k` user public key name
- `-n` dry run
- `-g` flag for the actual change call

### `user-remove-ssh-key.sh`

Public keys to be removed must be located in the `ssh-public-keys/user-previous` folder.

Removes a user public key from the admin user on a server.

- `-h` override single host name
- `-u` override user name for a host
- `-k` user public key name
- `-n` dry run
- `-g` flag for the actual change call
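## Example: parsing `server_list.csv` and deriving key names

The script below is an added example for this README and is not one of the project's scripts. It shows, in POSIX sh, the pieces the settings and server list sections describe: parsing the semicolon-separated `server_list.csv` without breaking the comma-separated auth key settings column, deriving the key name from hostname and username, placing the optional settings block in front of the public key for the authorized keys entry, expanding a leading `~/` in a `settings.ini` path to `$HOME`, and checking whether a key file is older than `key_age` days. It assumes the column order Server;Username;Flag;Auth Key Settings listed above and reads the naming scheme as `<hostname>_<username>`; the sample rows and the public key are constructed placeholders.

```shell
#!/bin/sh
# Added example, not one of the project's scripts.
# Assumptions: column order Server;Username;Flag;AuthKeySettings, and
# key name "<hostname>_<username>" (the README's awsN-REGION_server name_user name).

# Constructed sample server list (semicolon separated; the last column may
# contain commas, which is why ';' is the field separator).
SAMPLE_SERVER_LIST='aws1-eu-west-1_web01;deploy;;from="203.0.113.10",no-pty
aws2-us-east-1_db01;admin;;
# comment lines and blank lines are skipped
'

# key_name_for HOST USER -> the key name for this host/user pair.
key_name_for() {
  printf '%s_%s\n' "$1" "$2"
}

# authorized_keys_line SETTINGS PUBKEY -> one line for the authorized keys
# file; SETTINGS is the optional options block (may contain commas) and goes
# in front of the key material, separated by a single space.
authorized_keys_line() {
  if [ -n "$1" ]; then
    printf '%s %s\n' "$1" "$2"
  else
    printf '%s\n' "$2"
  fi
}

# expand_home PATH -> PATH with a leading "~/" replaced by "$HOME/", as the
# settings.ini comment describes for server_pem_folder.
expand_home() {
  case "$1" in
    "~/"*) printf '%s/%s\n' "$HOME" "${1#\~/}" ;;
    *)     printf '%s\n' "$1" ;;
  esac
}

# key_older_than_days FILE DAYS -> succeeds when FILE's mtime is more than
# DAYS days old, i.e. the key has passed key_age and is due for rotation.
key_older_than_days() {
  [ -n "$(find "$1" -prune -mtime +"$2" 2>/dev/null)" ]
}

# parse_server_list reads server_list.csv lines from stdin, skips blank and
# comment lines, and prints host, user, key name and auth key settings
# separated by tabs. Only ';' splits fields, so commas in the settings
# column survive intact.
parse_server_list() {
  while IFS=';' read -r host user flag settings; do
    case "$host" in ''|\#*) continue ;; esac
    printf '%s\t%s\t%s\t%s\n' "$host" "$user" \
      "$(key_name_for "$host" "$user")" "$settings"
  done
}

# Stand-alone demo (run with --demo): print, for each row, the PEM file name
# and the authorized keys line, using a constructed placeholder public key.
if [ "${1:-}" = "--demo" ]; then
  printf '%s' "$SAMPLE_SERVER_LIST" | parse_server_list |
  while IFS="$(printf '\t')" read -r host user key settings; do
    echo "$host ($user): key file $key.pem"
    authorized_keys_line "$settings" "ssh-ed25519 AAAAC3...PLACEHOLDER $key"
  done
fi
```

The `Flag` column is read and ignored, matching the README's note that it is currently unused. Splitting on `;` only (via `IFS=';'`) is what lets an options block such as `from="203.0.113.10",no-pty` reach the authorized keys entry unchanged.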