# Rotate all ssh keys on servers for certain users

- create new key with name scheme
- copy to server to
  - `$ADMIN/.ssh` (to be ended for admin user)
  - `/etc/ssh/authorized_keys--master`
  - `/etc/ssh/authorized_keys/$USER`
- then remove old key
- store ssh key name for current period

## Settings files

### `settings.ini`

```ini
[Settings]
key_age=90
server_list=server_list.csv
# if start with ~/ it will be replaced with $HOME
server_pem_folder=~/folder/to/admin/pems/
server_pem_archive_folder=~/tolder/for/archive/pems/
```

- `key_age` is in days; the default is 90
- `server_list` is the file name where the servers and their info are stored
- `server_pem_folder` is the location for the PEM files, e.g. a `~/.ssh/` sub folder
- `server_pem_archive_folder` is the location for the archive files; a sub folder will be created there

### server_list file

This file is semicolon (`;`) separated, not comma (`,`) separated as usual. The reason is that the authorization key settings block is itself comma separated.

- Server: server name to which to connect
- Username: the username to use to connect
- Flag: currently not used
- Auth Key Settings: optional settings block for the public key entry in the auth file

## Scripts

### `rotate-ssh-keys.sh`

Will create a new key, deploy it on the server and move the PEM part to the local SSH folder.

Must have the `-g` flag set to run.

### `remove-old-ssh-keys.sh`

Will check the previous ssh public key folder and remove that entry from the remote server.

Must have the `-g` flag set to run.

### Options

For both rotate and remove ssh key:

- `-h` override single host name
- `-u` override user name for a host
- `-f` force key change
- `-c` force create new key even if old key exists
- `-n` dry run
- `-g` flag for actual change call

### `test-ssh-keys.sh`

Test access to the server and print information.

Options are:

- `-h` override single host name
- `-u` override user name for a host
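## Worked example

The following is an added example, not part of the project's scripts, showing how the semicolon-separated `server_list` format above maps to an `authorized_keys` entry and how the rotate and remove steps combine on that file's contents. The sample server list, the sample public key and the key names `rotate-2024Q1`/`rotate-2024Q2` are constructed placeholders; the functions only transform text and never touch disk or ssh.

```shell
#!/bin/sh
# Added example, not part of the project's scripts. Pure text functions:
# nothing is written to disk or sent over ssh.

# Constructed sample server_list (Server;Username;Flag;Auth Key Settings).
# The 4th field is itself comma-separated, hence ';' as the record separator.
SAMPLE_SERVER_LIST='web01.example.test;deploy;;from="10.0.0.0/8",no-pty,no-agent-forwarding
db01.example.test;admin;x;
# comment lines and blank lines are ignored
bastion.example.test;ops;;restrict'

# Constructed sample public key for the current period (not a real key).
# The comment (last field) carries the period name the remove step looks for.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA rotate-2024Q2'

# Print "user<TAB>flag<TAB>settings" for one host; exit 1 if it is not listed.
lookup_server() {
  printf '%s\n' "$2" | awk -F';' -v h="$1" '
    /^[[:space:]]*(#|$)/ { next }
    $1 == h { printf "%s\t%s\t%s\n", $2, $3, $4; found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# Build the authorized_keys entry for a host: settings block (if any) + key.
# Usage: authorized_keys_line HOST SERVER_LIST PUBKEY
authorized_keys_line() {
  rec=$(lookup_server "$1" "$2") || return 1
  settings=$(printf '%s\n' "$rec" | cut -f3)
  if [ -n "$settings" ]; then
    printf '%s %s\n' "$settings" "$3"
  else
    printf '%s\n' "$3"
  fi
}

# Rotate: drop every line whose key comment (last field) is the old key
# name, then append the new entry once. Idempotent when run again.
# Usage: rotate_authorized_keys OLD_KEY_NAME NEW_LINE CURRENT_CONTENT
rotate_authorized_keys() {
  { [ -n "$3" ] && printf '%s\n' "$3"; } | awk -v old="$1" -v new="$2" '
    $NF == old { next }
    $0 == new  { seen = 1 }
    { print }
    END { if (!seen) print new }'
}
```

Matching the old key by its comment is what makes the "store ssh key name for current period" step above necessary: without a stable name per period, the remove step cannot tell the expired key from keys other people added.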