ScriptsCollections/SSH-Rotate-Keys
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
16 Commits 1 Branch 3 Tags
a27ca6a45594a00eed31660b14122d62473143c5
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE

ReadMe.md

Rotate all ssh keys on servers for certain users

These scripts are run locally on your operation Workstation.

These scripts are mainly destinated to rotate the SSH key, a set of scripts is for admin users, the other is for normal users.

  • create new key with name scheme
    • Name consits out of the server location (awsN-REGION_server name_user name)
      • the awsN-REGION_server name_ is the hostname in the server_list.csv file
      • the user name is the username in the server_list.csv file
  • copy to server to
    • $ADMIN/.ssh (this usage is to be ended for admin user, only if such key already exist)
    • /etc/ssh/authorized_keys--master
    • /etc/ssh/authorized_keys/$USER

Then remove old key

Store ssh key name for current period in your ssh-public-keys/admin-current/ folder

Settings files

settings.ini

[Settings]
key_age=90
server_list=server_list.csv
# if start with ~/ it will be replaced with $HOME
server_pem_folder=~/folder/to/admin/pems/
server_pem_archive_folder=~/folder/for/archive/pems/
  • key_age is in days, default is 90
  • server_list is the file name where the servers and info is stored
  • server_pem_folder is the location for the PEM files, eg in a ~/.ssh/ sub folder
  • server_pem_archive_folder is the location for the archive files, a sub folder will be created there

server_list file

This file is not kept in the repository for security purpose. <<< to specify >>>

This file is semicolon ';' separated and not ',' as usual. The reason is that the authorization key settings block is comma separated.

  • Server: server name as to which to connect to
  • Username: the username to use to connect (and actually rotate the key)
  • Flag: currently not used
  • Auth Key Settings: Optional settings block for the public key entry in the auth file (IP restriction, commands allowed, etc )

Scripts

admin-rotate-ssh-keys.sh

Will create a new key and deploy on the server and move the PEM part to the local SSH folder.

Folders are defined in the settings.ini

Must have -g flag set to run

admin-remove-old-ssh-keys.sh

Will check in the previous ssh public key folder and remove this entry from the remote server

Must have -g flag set to run

Options

For both rotate and remove ssh key

  • -h override single host name
  • -u override user name for a host
  • -f force key change
  • -c force create new key even if old key exists
  • -n dry run
  • -g flag for actual change call

test-ssh-keys.sh

Test access to the server and print information

Options are

  • -h override single host name
  • -u override user name for a host

user-add-ssh-key.sh

This script does not provide key, you need to provide a public key

Add a user public key to the admin user on a server

  • -h override single host name
  • -u override user name for a host
  • -k user public key name
  • -n dry run
  • -g flag for actual change call

user-remove-ssh-key.sh

Remove a user public key from the admin user on a server

  • -h override single host name
  • -u override user name for a host
  • -k user public key name
  • -n dry run
  • -g flag for actual change call
Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 104 KiB
Languages
Shell 100%