Rotate all ssh keys on servers for certain users
These scripts are run locally on your operations workstation.
These scripts are mainly intended to rotate SSH keys; one set of scripts is for admin users, the other is for normal users.
- create a new key following the name scheme
  - the name consists of the server location (awsN-REGION_server name_user name)
    - awsN-REGION_server name is the hostname in the server_list.csv file
    - user name is the username in the server_list.csv file
- copy the public key to the server, into
  - $ADMIN/.ssh (this location is being phased out for the admin user; it is only used if such a key already exists)
  - /etc/ssh/authorized_keys--master
  - /etc/ssh/authorized_keys/$USER
Then remove the old key (with the remove script).
The public SSH key name for the current period is stored in the local ssh-public-keys/admin-current/ folder.
Settings files
settings.ini
Sample file: settings.sample.ini
```ini
[Settings]
key_age=90
server_list=server_list.csv
# a value starting with ~/ is expanded to $HOME
server_pem_folder=~/folder/to/admin/pems/
server_pem_archive_folder=~/folder/for/archive/pems/
```
- key_age is in days, default is 90
- server_list is the name of the file where the servers and their info are stored
- server_pem_folder is the location for the PEM files, e.g. a ~/.ssh/ sub folder
- server_pem_archive_folder is the location for the archived PEM files; a sub folder will be created there
server_list.csv file
Sample file: server_list.sample.csv
This file is not kept in the repository for security purposes. <<< to specify >>>
This file is semicolon ';' separated, not ',' as usual. The reason is that the authorized key settings block is itself comma separated.
- Server: name of the server to connect to
- Username: the username to use to connect (and whose key is actually rotated)
- Flag: currently not used
- Auth Key Settings: optional settings block for the public key entry in the authorized keys file (IP restriction, commands allowed, etc.)
The list has to contain all hosts on which the admin keys or the user keys should be changed.
The hostname list depends on the hostnames set in the .ssh/config file and the username depends on the installed OS:
| OS | Username |
|---|---|
| Debian | admin |
| Ubuntu | ubuntu |
| Amazon Linux | ec2-user |
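The key naming scheme from the top of this page and the semicolon-separated server_list.csv layout described above, worked through in one added example (not a script from this repository): it parses constructed sample rows, derives the key file name for each, builds the authorized_keys entry with the optional settings block prefixed, and checks a key file against the key_age setting. The sample rows, the sample public key and the helper names are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not part of the rotation scripts. Constructed sample rows in
# the README layout: Server;Username;Flag;Auth Key Settings
SAMPLE_CSV='aws1-eu-west-1_web01;admin;;from="10.0.0.0/8",no-agent-forwarding
aws2-us-east-1_db01;ec2-user;;'

# Constructed stand-in for the newly generated public key being deployed.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly rotated-key'

# key_name HOST USER -> "HOST_USER"; HOST already carries the awsN-REGION_ prefix
# taken from the Server column, so the result matches awsN-REGION_server name_user name.
key_name() { printf '%s_%s' "$1" "$2"; }

# authorized_line OPTS PUBKEY -> the line written to /etc/ssh/authorized_keys/$USER:
# the settings block (if any) goes in front of the key, separated by one space.
authorized_line() {
    if [ -n "$1" ]; then printf '%s %s' "$1" "$2"; else printf '%s' "$2"; fi
}

# render_rows CSV PUBKEY -> one "KEYNAME<TAB>AUTHORIZED_LINE" per row.
# Splitting on ';' with four variables keeps the commas inside the fourth
# column intact, which is why the file is not comma separated.
render_rows() {
    printf '%s\n' "$1" | while IFS=';' read -r host user _flag opts; do
        [ -z "$host" ] && continue
        printf '%s\t%s\n' "$(key_name "$host" "$user")" "$(authorized_line "$opts" "$2")"
    done
}

# key_due KEY_FILE AGE_DAYS -> success when the PEM file is older than AGE_DAYS,
# i.e. the key_age setting says it should be rotated (file mtime = creation date).
key_due() { [ -n "$(find "$1" -mtime +"$2" 2>/dev/null)" ]; }

render_rows "$SAMPLE_CSV" "$SAMPLE_PUBKEY"
```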
Scripts
admin-rotate-ssh-keys.sh
Creates a new key, deploys it on the server, moves the PEM part to the local SSH folder defined by the server_pem_folder setting in settings.ini, and stores the public key in ssh-public-keys/admin-current.
Previous keys are moved to the server_pem_archive_folder.
The old public keys are moved to the ssh-public-keys/admin-previous folder.
Must have the -g flag set to run.
admin-remove-old-ssh-keys.sh
Checks the previous SSH public key folder ssh-public-keys/admin-previous and removes each listed key from the remote server.
Must have the -g flag set to run.
Options
For both the rotate and the remove SSH key scripts:
- -h override single host name
- -u override user name for a host
- -f force key change
- -c force create new key even if old key exists
- -n dry run
- -g flag for actual change call
test-ssh-keys.sh
Tests access to the server and prints information.
Options are:
- -h override single host name
- -u override user name for a host
user-add-ssh-key.sh
Adds a user public key to the admin user on a server.
This script does not create a new private/public key pair; you need to provide a public key.
The public key must be put into the ssh-public-keys/user-current folder.
- -h override single host name
- -u override user name for a host
- -k user public key name
- -n dry run
- -g flag for actual change call
user-remove-ssh-key.sh
Removes a user public key from the admin user on a server.
The public keys to be removed must be located in the ssh-public-keys/user-previous folder.
- -h override single host name
- -u override user name for a host
- -k user public key name
- -n dry run
- -g flag for actual change call