SSH-Rotate-Keys/ReadMe.md
2024-09-25 12:11:49 +09:00

Rotate all ssh keys on servers for certain users

These scripts are run locally on your operations workstation.

These scripts are mainly intended to rotate SSH keys; one set of scripts is for admin users, the other for normal users.

  • create a new key following the naming scheme
    • the name consists of the server location, server name and user name (awsN-REGION_server name_user name)
      • the awsN-REGION_server name_ part is the hostname from the server_list.csv file
      • the user name is the username from the server_list.csv file
  • copy the public key to the server, into
    • $ADMIN/.ssh (this location is being phased out for admin users; only used if such a key already exists there)
    • /etc/ssh/authorized_keys--master
    • /etc/ssh/authorized_keys/$USER

Then remove the old key (with the remove script).

The public SSH key for the current period is stored in the local ssh-public-keys/admin-current/ folder.

Settings files

settings.ini

Sample file: settings.sample.ini

[Settings]
key_age=90
server_list=server_list.csv
# if a path starts with ~/ it will be replaced with $HOME
server_pem_folder=~/folder/to/admin/pems/
server_pem_archive_folder=~/folder/for/archive/pems/

  • key_age is in days, default is 90
  • server_list is the file in which the servers and their info are stored
  • server_pem_folder is the location for the PEM files, e.g. a ~/.ssh/ sub folder
  • server_pem_archive_folder is the location for the archive files; a sub folder will be created there

server_list.csv file

Sample file: server_list.sample.csv

This file is not kept in the repository for security purposes. <<< to specify >>>

This file is semicolon (';') separated rather than comma separated as usual, because the authorized key settings block itself is comma separated.

  • Server: server name to connect to
  • Username: the username used to connect (and to actually rotate the key)
  • Flag: currently not used
  • Auth Key Settings: optional settings block for the public key entry in the authorized keys file (IP restriction, allowed commands, etc.)
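The following is an added example, not one of the repository's scripts: it reads settings.ini with the ~/ expansion described above, parses the ';'-separated server_list.csv, derives the key name from the naming scheme (read here as hostname and username joined by "_"), builds the authorized_keys entry with its optional settings block, and checks a PEM file against key_age. The sample settings.ini and server_list.csv contents are constructed for the example; the function names are ours, not the scripts'.

```shell
#!/bin/sh
# Added example, not part of the SSH-Rotate-Keys scripts: read settings.ini,
# parse the ';'-separated server_list.csv, derive the key name from the naming
# scheme and build the authorized_keys entry with its optional settings block.
# File names and column order follow the ReadMe; the function names are ours.

# Constructed sample inputs, written to a temporary directory so the example
# runs offline. The real files live beside the scripts and are not in the repo.
work=$(mktemp -d)
cat > "$work/settings.ini" <<'EOF'
[Settings]
key_age=90
server_list=server_list.csv
# if a path starts with ~/ it will be replaced with $HOME
server_pem_folder=~/.ssh/pems/
server_pem_archive_folder=~/.ssh/pems-archive/
EOF
cat > "$work/server_list.csv" <<'EOF'
Server;Username;Flag;Auth Key Settings
aws1-eu-west-1_web01;deploy;;from="203.0.113.10",no-port-forwarding
aws2-ap-northeast-1_db01;backup;;
EOF

# read_setting FILE KEY: value of KEY from settings.ini; a leading "~/" is
# replaced with "$HOME/" as the ReadMe specifies. Empty if the key is absent.
read_setting() {
    value=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    case $value in
        "~/"*) value="$HOME/${value#??}" ;;   # drop the two-character "~/" prefix
    esac
    printf '%s\n' "$value"
}

# key_age FILE: key_age in days, defaulting to 90 when unset.
key_age() {
    age=$(read_setting "$1" key_age)
    printf '%s\n' "${age:-90}"
}

# key_name HOST USER: naming scheme awsN-REGION_server name_user name, i.e.
# the hostname column and the username column joined by "_" (our reading).
key_name() {
    printf '%s_%s\n' "$1" "$2"
}

# auth_line SETTINGS PUBKEY: authorized_keys entry. The settings block is
# comma separated (hence ';' in the csv) and, when present, precedes the key.
auth_line() {
    if [ -n "$1" ]; then
        printf '%s %s\n' "$1" "$2"
    else
        printf '%s\n' "$2"
    fi
}

# key_is_expired PEMFILE DAYS: true when the private key file is older than
# DAYS, which is what decides whether a rotation is due.
key_is_expired() {
    [ -n "$(find "$1" -mtime "+$2" 2>/dev/null)" ]
}

# plan_rotation CSV: one "keyname<TAB>authorized_keys entry" line per server,
# with a placeholder public key, skipping the header, blank and comment lines.
plan_rotation() {
    while IFS=';' read -r server user flag settings; do
        case $server in ''|'#'*|Server) continue ;; esac
        name=$(key_name "$server" "$user")
        entry=$(auth_line "$settings" "ssh-ed25519 AAAAC3PLACEHOLDER $name")
        printf '%s\t%s\n' "$name" "$entry"
    done < "$1"
}

plan_rotation "$work/server_list.csv"
```

The settings block is carried through untouched because sshd parses it itself; the only thing the example enforces is that it stays on the same line as, and in front of, the key it restricts.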

Scripts

admin-rotate-ssh-keys.sh

Creates a new key, deploys it on the server, moves the PEM (private key) part to the local SSH folder defined by the server_pem_folder setting in settings.ini, and stores the public key in ssh-public-keys/admin-current.

Previous keys are moved to the server_pem_archive_folder.

The old public keys are moved to the ssh-public-keys/admin-previous folder.

Must have the -g flag set to run.

admin-remove-old-ssh-keys.sh

Checks the previous SSH public key folder ssh-public-keys/admin-previous and removes each such entry from the remote server.

Must have the -g flag set to run.

Options

For both the rotate and the remove SSH key scripts

  • -h override single host name
  • -u override user name for a host
  • -f force key change
  • -c force create new key even if old key exists
  • -n dry run
  • -g perform the actual change

test-ssh-keys.sh

Tests access to the server and prints information.

Options are

  • -h override single host name
  • -u override user name for a host

user-add-ssh-key.sh

This script does not create a new private/public key pair; you need to provide a public key.

The public key must be put into the ssh-public-keys/user-current folder.

Adds a user's public key to the admin user on a server.

  • -h override single host name
  • -u override user name for a host
  • -k user public key name
  • -n dry run
  • -g perform the actual change

user-remove-ssh-key.sh

The public keys to remove must be located in the ssh-public-keys/user-previous folder.

Removes a user's public key from the admin user on a server.

  • -h override single host name
  • -u override user name for a host
  • -k user public key name
  • -n dry run
  • -g perform the actual change
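Both remove scripts (admin-remove-old-ssh-keys.sh and user-remove-ssh-key.sh) delete a previous public key's entry from an authorized_keys file. The following is an added example of that step, not one of the repository's scripts: it matches on the key type and key blob rather than on the whole line (so the stored copy still matches when its settings block or comment differ), writes the result atomically with a backup, and refuses to proceed when the file would be left with no key at all, which would lock the account out. The authorized_keys contents and key strings are constructed for the example; the function names are ours.

```shell
#!/bin/sh
# Added example, not one of the repository's scripts: remove a public key entry
# from an authorized_keys file by key type and blob, keeping a backup and
# refusing to leave the file empty. All sample data below is constructed.

# key_blob PUBKEY_LINE: prints "type blob" from a public key line that may or
# may not start with an options block (key types start with ssh-, ecdsa- or
# sk-; options such as from="..." do not).
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i+1); exit }
    }'
}

# remove_pubkey AUTH_FILE PUBKEY: rewrite AUTH_FILE without the entries whose
# "type blob" equals PUBKEY's. Returns 2 if PUBKEY has no key field, 1 (file
# untouched) if no key would remain, 0 on success. The previous file is kept
# as AUTH_FILE.bak; mktemp creates the new file 0600, which sshd requires.
remove_pubkey() {
    file=$1
    target=$(key_blob "$2")
    [ -n "$target" ] || return 2
    tmp=$(mktemp "$file.XXXXXX") || return 2
    if ! awk -v target="$target" '
        {
            drop = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    if (($i " " $(i+1)) == target) drop = 1; else kept++
                    break
                }
            if (!drop) print
        }
        END { exit (kept == 0) }' "$file" > "$tmp"; then
        rm -f "$tmp"            # no key left: do not lock the account out
        return 1
    fi
    cp -p "$file" "$file.bak" && mv "$tmp" "$file"
}

# Constructed sample: three entries, one of them with a settings block.
d=$(mktemp -d)
printf '%s\n' \
    'ssh-ed25519 AAAAC3KEYONE aws1-eu-west-1_web01_deploy' \
    'from="203.0.113.10",no-port-forwarding ssh-ed25519 AAAAC3KEYTWO aws1-eu-west-1_web01_backup' \
    'ssh-rsa AAAAB3KEYTHREE old-laptop' > "$d/authorized_keys"

# The stored "previous" key has a different comment; the blob still matches.
remove_pubkey "$d/authorized_keys" 'ssh-ed25519 AAAAC3KEYTWO rotated-out'
cat "$d/authorized_keys"
```

In the real flow this runs on the remote host against /etc/ssh/authorized_keys/$USER or the --master file; run it with the dry-run path first and compare the backup against the rewritten file before trusting the result.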