set -e
. lib/func.sh
+orig_domain=$domain date=$(date +%Y-%m-%d)
## The key types are adorned with bit lengths. Work out the raw key type
## names.
## Start a new output directory.
rm -rf publish.new
mkdir publish.new
+exec 3<etc/hosts 4>publish.new/hosts.list 5>publish.new/known_hosts
+echo ":certificate-authority" >&4
for kt in $rawkeytypes; do
cp ca/ca-$kt.pub publish.new/
read pub <ca/ca-$kt.pub
- echo "$@cert-authority $scope $pub" >publish.new/ca-$kt.entry
+ echo "@cert-authority $scope $pub" |
+ tee publish.new/ca-$kt.entry >&4
+ ssh-keygen -lv -fca/ca-$kt.pub | sed 's,^,| ,' >&4
done
## Sign the various host keys.
-exec 3<etc/hosts 4>publish.new/hosts.list
last=%%%
+idomain=$domain
+echo >&5 "### BEGIN $idomain KEYS (generated $date)"
while read line <&3; do
## Ignore comments and empty lines.
## Read the host line.
set -- $line
+ case "$1" in
+ @domain) domain=$2; continue ;;
+ @*) echo >&2 "$0: unknown directive \`$1'"; exit 1 ;;
+ esac
host=$1
names=""
+ nicks=""
## If this is a different host, then start a new section of the list.
- case "$host" in "$last") ;; *) { echo; echo "$host"; } >&4 ;; esac
+ case "$last" in
+ "$host") ;;
+ *) { echo; echo ":host $host"; } >&4 ;;
+ esac
last=$host
## Build a list of names for the host.
for n in "$@"; do
- names=${names:+$names,}$n
case "$n" in
- *.* | *:*) ;;
- *) names=${names:+$names,}$n.$domain ;;
+ .*) for h in $nicks; do names=${names:+$names,}$h$n.$domain; done ;;
+ *.* | *:*) names=${names:+$names,}$n ;;
+ *) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n.$domain ;;
esac
done
publish.new/$host-$kt.pub
mv publish.new/$host-$kt-cert.pub \
publish.new/$host-$kt.cert
- ssh-keygen -lv -fpublish.new/$host-$kt.pub | sed 's,^,| ,' >&4
+ for fd in 4 5; do
+ { printf "%s " $names; cat host/$host-$kt.pub; } >&$fd
+ done
+ ssh-keygen -lv -fhost/$host-$kt.pub | sed 's,^,| ,' >&4
done
done
-exec 3>&- 4>&-
+echo >&5 "### END $idomain KEYS"
+exec 3>&- 4>&- 5>&-
## Sign the list.
run_gpg --armor -o publish.new/hosts.asc \
~mdw / ssh-ca / blobdiff