[ssh-ca] / bin / update-ssh-certs

#! /bin/bash
###
### Update the site's SSH certificates.

set -e
cd "${0%/*}/.."

###--------------------------------------------------------------------------
### General setup stuff.

## Read in a configuration file.
if [ -f etc/config ]; then . etc/config; fi
: ${keytypes="rsa:3072 dsa:1024"}
: ${domain="your.site.example"}
: ${cacomment="ssh-ca@$domain"}
: ${scope="*.$domain"}
: ${validity="-1d:+7d"}

## The key types are adorned with bit lengths.  Work out the raw key type
## names.
cakeytypes=""
for kt in $keytypes; do
  cakeytypes="$cakeytypes ${kt%:*}"
done

## Make the keys if necessary.
mkdir -p keys
for kt in $keytypes; do
  case $kt in
    *:*) bits=-b${kt#*:} kt=${kt%:*} ;;
    *) bits="" ;;
  esac
  if [ ! -f keys/ca-$kt ]; then
    ssh-keygen -fkeys/ca-$kt -t$kt $bits -C"$cacomment" -N ""
  fi
  read pub <keys/ca-$kt.pub
  echo "@cert-authority $scope $pub" >keys/ca-$kt.entry
done

## Functions for managing concurrency.
kids=""
mkdir -p log
run () {
  tag=$1; shift
  "$@" >log/$tag 2>&1&
  kids="$kids $tag:$!"
}

reap () {
  outcome=0
  for kid in $kids; do
    tag=${kid%:*}
    set +e; wait ${kid#*:}; rc=$?; set -e
    case $rc in
      0) ;;
      *)
	echo >&2 "$0: $tag failed (rc = $rc)"
	sed 's,^,| ,' log/$tag
	outcome=1
	;;
    esac
  done
  return $outcome
}

## Read the hosts.
dohost () {
  host=$1; shift

  set -x
  hostkeytypes=$(
    ssh $host "
	cd /etc/ssh
	for kt in $cakeytypes; do
	  if [ -f ssh_host_\${kt}_key.pub ]; then echo \$kt; fi
	done"
  )
  names=""
  for n in "$host" "$@"; do
    names=${names:+$names,}$n
    case "$n" in ".") ;; *) names=${names:+$names,}$n.$domain ;; esac
  done
  any=nil
  for kt in $hostkeytypes; do
    scp $host:/etc/ssh/ssh_host_${kt}_key.pub keys/$host-$kt.pub
    ssh-keygen -skeys/ca-$kt \
      -h -I"$cacomment:$host.$domain" -n$names \
      -V$validity \
      keys/$host-$kt.pub
    scp keys/$host-$kt-cert.pub $host:/etc/ssh/ssh_host_${kt}_key-cert.pub
    any=t
  done
  case "$any" in nil) echo >&2 "no matching key types"; exit 1 ;; esac
}

dotry () {
  host=$1; shift
  ping -c5 -q $host >/dev/null 2>&1 || return 0
  dohost "$host" "$@"
}

must () { run "$1" dohost "$@"; }
try () { run "$1" dotry "$@"; }

. etc/hosts
reap

last=%%%
for i in keys/*.pub; do
  case "$i" in *-cert.pub) continue ;; esac
  host=${i%-*}
  case "$host" in "$last") ;; *) echo; echo "$host" ;; esac
  last=$host
  ssh-keygen -lv -f "$i" | sed 's,^,| ,'
done >distorted-host-keys.new
mv distorted-host-keys.new distorted-host-keys
Commit	Line	Data
eb8701bb MW	1	#! /bin/bash
	2	###
	3	### Update the site's SSH certificates.
	4
	5	set -e
	6	cd "${0%/*}/.."
	7
	8	###--------------------------------------------------------------------------
	9	### General setup stuff.
	10
	11	## Read in a configuration file.
	12	if [ -f etc/config ]; then . etc/config; fi
	13	: ${keytypes="rsa:3072 dsa:1024"}
	14	: ${domain="your.site.example"}
	15	: ${cacomment="ssh-ca@$domain"}
	16	: ${scope="*.$domain"}
	17	: ${validity="-1d:+7d"}
	18
	19	## The key types are adorned with bit lengths. Work out the raw key type
	20	## names.
	21	cakeytypes=""
	22	for kt in $keytypes; do
	23	cakeytypes="$cakeytypes ${kt%:*}"
	24	done
	25
	26	## Make the keys if necessary.
	27	mkdir -p keys
	28	for kt in $keytypes; do
	29	case $kt in
	30	:) bits=-b${kt#:} kt=${kt%:} ;;
	31	*) bits="" ;;
	32	esac
	33	if [ ! -f keys/ca-$kt ]; then
	34	ssh-keygen -fkeys/ca-$kt -t$kt $bits -C"$cacomment" -N ""
	35	fi
	36	read pub <keys/ca-$kt.pub
	37	echo "@cert-authority $scope $pub" >keys/ca-$kt.entry
	38	done
	39
	40	## Functions for managing concurrency.
	41	kids=""
	42	mkdir -p log
	43	run () {
	44	tag=$1; shift
	45	"$@" >log/$tag 2>&1&
	46	kids="$kids $tag:$!"
	47	}
	48
	49	reap () {
	50	outcome=0
	51	for kid in $kids; do
	52	tag=${kid%:*}
	53	set +e; wait ${kid#*:}; rc=$?; set -e
	54	case $rc in
	55	0) ;;
	56	*)
	57	echo >&2 "$0: $tag failed (rc = $rc)"
	58	sed 's,^,\| ,' log/$tag
	59	outcome=1
	60	;;
	61	esac
	62	done
	63	return $outcome
	64	}
65
66	## Read the hosts.
67	dohost () {
68	host=$1; shift
69
70	set -x
71	hostkeytypes=$(
72	ssh $host "
73	cd /etc/ssh
74	for kt in $cakeytypes; do
75	if [ -f ssh_host_\${kt}_key.pub ]; then echo \$kt; fi
76	done"
77	)
78	names=""
79	for n in "$host" "$@"; do
80	names=${names:+$names,}$n
81	case "$n" in ".") ;; *) names=${names:+$names,}$n.$domain ;; esac
82	done
83	any=nil
84	for kt in $hostkeytypes; do
85	scp $host:/etc/ssh/ssh_host_${kt}_key.pub keys/$host-$kt.pub
86	ssh-keygen -skeys/ca-$kt \
87	-h -I"$cacomment:$host.$domain" -n$names \
88	-V$validity \
89	keys/$host-$kt.pub
90	scp keys/$host-$kt-cert.pub $host:/etc/ssh/ssh_host_${kt}_key-cert.pub
91	any=t
92	done
93	case "$any" in nil) echo >&2 "no matching key types"; exit 1 ;; esac
94	}
95
96	dotry () {
97	host=$1; shift
98	ping -c5 -q $host >/dev/null 2>&1 \|\| return 0
99	dohost "$host" "$@"
100	}
101
102	must () { run "$1" dohost "$@"; }
103	try () { run "$1" dotry "$@"; }
104
105	. etc/hosts
106	reap
107
108	last=%%%
109	for i in keys/*.pub; do
110	case "$i" in *-cert.pub) continue ;; esac
111	host=${i%-*}
112	case "$host" in "$last") ;; *) echo; echo "$host" ;; esac
113	last=$host
114	ssh-keygen -lv -f "$i" \| sed 's,^,\| ,'
115	done >distorted-host-keys.new
116	mv distorted-host-keys.new distorted-host-keys