3 ### Update the site's SSH certificates.
8 ###--------------------------------------------------------------------------
9 ### General setup stuff.
11 ## Read in a configuration file.
# Site-local overrides live in etc/config, resolved relative to the current
# working directory (so the script must be started from the site tree).
# The file is executed as shell code by `.`, meaning anything in it runs with
# this script's privileges; keep it writable only by the people who may run
# the script.  Absent file is not an error.
if test -f etc/config; then
  . etc/config
fi
# Defaults for anything etc/config did not set.  `${var-word}` substitutes
# only when the variable is *unset*, so an explicit empty value survives.
#
# keytypes  - CA key types with their bit lengths, "type:bits" pairs.
#             NOTE(review): recent OpenSSH releases disable or drop DSA
#             support entirely; confirm ssh-keygen on this host still accepts
#             `-t dsa` before relying on the dsa:1024 default.
# domain    - DNS domain the certificates are issued under.
# cacomment - comment embedded in the CA key.
# scope     - host pattern written into the @cert-authority known_hosts entry.
# validity  - presumably the ssh-keygen -V validity interval; the line that
#             consumes it is outside this excerpt.
keytypes=${keytypes-"rsa:3072 dsa:1024"}
domain=${domain-"your.site.example"}
cacomment=${cacomment-"ssh-ca@$domain"}
scope=${scope-"*.$domain"}
validity=${validity-"-1d:+7d"}
19 ## The key types are adorned with bit lengths. Work out the raw key type
22 for kt
in $keytypes; do
23 cakeytypes
="$cakeytypes ${kt%:*}"
26 ## Make the keys if necessary.
28 for kt
in $keytypes; do
30 *:*) bits
=-b
${kt#*:} kt
=${kt%:*} ;;
33 if [ ! -f keys
/ca-
$kt ]; then
34 ssh-keygen
-fkeys
/ca-
$kt -t
$kt $bits -C
"$cacomment" -N
""
36 read pub
<keys
/ca-
$kt.pub
37 echo "@cert-authority $scope $pub" >keys
/ca-
$kt.entry
40 ## Functions for managing concurrency.
53 set +e
; wait ${kid#*:}; rc
=$?
; set -e
57 echo >&2 "$0: $tag failed (rc = $rc)"
58 sed 's,^,| ,' log
/$tag
74 for kt in $cakeytypes; do
75 if [ -f ssh_host_\${kt}_key.pub ]; then echo \$kt; fi
79 for n
in "$host" "$@"; do
80 names
=${names:+$names,}$n
81 case "$n" in ".") ;; *) names
=${names:+$names,}$n.
$domain ;; esac
84 for kt
in $hostkeytypes; do
85 scp
$host:/etc
/ssh/ssh_host_
${kt}_key.pub keys
/$host-$kt.pub
86 ssh-keygen
-skeys
/ca-
$kt \
87 -h
-I
"$cacomment:$host.$domain" -n
$names \
90 scp keys
/$host-$kt-cert.pub
$host:/etc
/ssh/ssh_host_
${kt}_key-cert.pub
93 case "$any" in nil
) echo >&2 "no matching key types"; exit 1 ;; esac
98 ping -c5
-q
$host >/dev
/null
2>&1 ||
return 0
# must HOST [ARG...]
# Run the dohost worker for HOST under the `run` job wrapper (defined outside
# this excerpt).  HOST is passed twice on purpose: once as run's first
# argument (presumably the job label used in its "$tag failed" diagnostics)
# and again as the first argument of the worker via "$@".
must() {
  run "$1" dohost "$@"
}
# try HOST [ARG...]
# Same shape as must, but dispatches the dotry worker instead of dohost.
# The host name is handed to `run` as its first argument (job label, as far
# as this excerpt shows) and repeated as the worker's first argument.
try() {
  run "$1" dotry "$@"
}
109 for i
in keys
/*.pub
; do
110 case "$i" in *-cert.pub
) continue ;; esac
112 case "$host" in "$last") ;; *) echo; echo "$host" ;; esac
114 ssh-keygen
-lv
-f
"$i" |
sed 's,^,| ,'
115 done >distorted-host-keys.new
116 mv distorted-host-keys.new distorted-host-keys