#!/bin/bash
################################################################
# ssh private key pair generator for centminmod.com lemp stacks
################################################################
# ssh-keygen -t rsa or ecdsa
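# Defaults; 'gen'/'rotatekeys' arguments and the KEYTYPE argument override
# KEYNAME / KEYTYPE inside keygen().
KEYTYPE='rsa'
KEYNAME='my1'
RSA_KEYLENTGH='4096'
ECDSA_KEYLENTGH='256'
KEYGEN_DIR='/etc/keygen'
KEYGEN_LOGDIR="${KEYGEN_DIR}/logs"
DT=$(date +"%d%m%y-%H%M%S")
################################################################
# The run logs record which key was installed on which host/user and the
# commands used to do it, so the directories are kept owner-only rather
# than inheriting the umask default.
mkdir -p "$KEYGEN_DIR" "$KEYGEN_LOGDIR"
chmod 700 "$KEYGEN_DIR" "$KEYGEN_LOGDIR"
# Redirect all output of this script (stdout and stderr) into a per-run log file
exec &> >(tee -a "${KEYGEN_LOGDIR}/keygen-${DT}.log")
if [ ! -d "$HOME/.ssh" ]; then
  mkdir -p "$HOME/.ssh"
  chmod 700 "$HOME/.ssh"
fi
# sshpass lets ssh-copy-id run non-interactively. Try to install it when
# missing, but only enable the password path if the binary is really there:
# previously SSHPASS='y' was set even when the silent yum install failed,
# so the later sshpass call failed and the fresh key pair was deleted.
if ! command -v sshpass >/dev/null 2>&1; then
  yum -q -y install sshpass >/dev/null 2>&1
fi
if command -v sshpass >/dev/null 2>&1; then
  SSHPASS='y'
else
  SSHPASS='n'
fi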
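#######################################
# Generate a new SSH key pair, or rotate an existing one, install the
# public key on a remote host and record the result under $KEYGEN_DIR.
# Globals:   reads _input_keytype _input_remoteh _input_remotep
#            _input_remoteu _input_comment _input_sshpass _input_keyname
#            _input_unique_keyname KEYTYPE RSA_KEYLENTGH ECDSA_KEYLENTGH
#            SSHPASS KEYGEN_DIR KEYGEN_LOGDIR DT HOME;
#            writes KEYNAME KEYTYPE
# Arguments: $1 - 'rotate' to replace an existing pair, empty to
#            generate a new one
# Outputs:   progress and the commands it runs, on stdout (the script
#            header tees stdout/stderr into ${KEYGEN_LOGDIR}); the remote
#            SSH password is never echoed, logged or placed on argv
# Returns:   exits 0 after a successful connection test; returns 1 on a
#            local failure (unsupported key type, missing key to rotate,
#            ssh-keygen error, failed connection test); otherwise returns
#            the status of the last command run
#######################################
keygen() {
  local keyrotate=$1
  local _keytype=$_input_keytype
  local _remoteh=$_input_remoteh
  local _remotep=$_input_remotep
  local _remoteu=$_input_remoteu
  local _comment=$_input_comment
  local _sshpass=$_input_sshpass
  local _keyname=$_input_keyname
  local _unique_keyname=$_input_unique_keyname
  local -a keyopt
  local keycomment remotehost remoteport remoteuser sshpassword
  local NUM INCREMENT OLDPUBKEY NEWPUBKEY menuopt sshremote_idname
  local keyfile pubfile oldkeyfile oldpubfile alias_log populate_log config_log
  # VALIDREMOTE / SSHCOPYERR gate the key copy and the connection test.
  # Start from "host not reachable, nothing failed" so the rotate path
  # (which never runs ssh-copy-id) still gets its connection test.
  local VALIDREMOTE=n SSHCOPYERR=0 ssh_err=0
  # Modify the KEYNAME generation with the unique key name if provided
  if [[ -n "$_unique_keyname" ]]; then
    KEYNAME="${_unique_keyname}"
  fi
  # An explicit keytype argument overrides the script default KEYTYPE.
  if [[ -n "$_keytype" ]]; then
    KEYTYPE=$_keytype
  fi
  case "$KEYTYPE" in
    rsa) keyopt=(-t rsa -b "$RSA_KEYLENTGH") ;;
    ecdsa) keyopt=(-t ecdsa -b "$ECDSA_KEYLENTGH") ;;
    # openssh 6.7+ supports ed25519 keys
    ed25519) keyopt=(-t ed25519) ;;
    *)
      # An unknown type used to fall through to ssh-keygen's own default,
      # silently producing a different key type than the one requested.
      echo "unsupported keytype '$KEYTYPE' (supported: rsa, ecdsa, ed25519)" >&2
      return 1
      ;;
  esac
  if [[ "$keyrotate" = 'rotate' ]]; then
    echo
    echo "-------------------------------------------------------------------"
    echo "Rotating Private Key Pair..."
    echo "-------------------------------------------------------------------"
    # Only override the (unique) key name when a keyname was actually given;
    # "rotatekeys ... '' unique_name" otherwise tried to move "$HOME/.ssh/.key".
    if [[ -n "$_keyname" ]]; then
      KEYNAME="$_keyname"
    fi
    if [[ ! -f "$HOME/.ssh/${KEYNAME}.key" || ! -f "$HOME/.ssh/${KEYNAME}.key.pub" ]]; then
      echo "cannot rotate: $HOME/.ssh/${KEYNAME}.key and/or .key.pub does not exist" >&2
      return 1
    fi
    # move existing key pair to still be able to use it
    echo "mv $HOME/.ssh/${KEYNAME}.key $HOME/.ssh/${KEYNAME}-old.key"
    mv -- "$HOME/.ssh/${KEYNAME}.key" "$HOME/.ssh/${KEYNAME}-old.key"
    echo "mv $HOME/.ssh/${KEYNAME}.key.pub $HOME/.ssh/${KEYNAME}-old.key.pub"
    mv -- "$HOME/.ssh/${KEYNAME}.key.pub" "$HOME/.ssh/${KEYNAME}-old.key.pub"
  else
    echo
    echo "-------------------------------------------------------------------"
    echo "Generating Private Key Pair..."
    echo "-------------------------------------------------------------------"
    # Pick the next free file name by bumping the number embedded in the key name.
    while [[ -f "$HOME/.ssh/${KEYNAME}.key" ]]; do
      NUM=$(tr -cd '[:digit:]' <<<"$KEYNAME") # digits only; empty when there are none
      INCREMENT=$((10#${NUM:-0} + 1))          # 10# keeps e.g. "08" from being read as octal
      if [[ -n "$_unique_keyname" ]]; then
        # Remove digits from the end of the _unique_keyname and add the incremented number
        KEYNAME="$(sed 's/[[:digit:]]*$//' <<<"${_unique_keyname}")${INCREMENT}"
      else
        KEYNAME="my${INCREMENT}"
      fi
    done
  fi
  keyfile="$HOME/.ssh/${KEYNAME}.key"
  pubfile="${keyfile}.pub"
  oldkeyfile="$HOME/.ssh/${KEYNAME}-old.key"
  oldpubfile="${oldkeyfile}.pub"
  if [[ -z "$_comment" ]]; then
    read -rep "enter comment description for key: " keycomment
  else
    keycomment=$_comment
  fi
  echo "ssh-keygen ${keyopt[*]} -N \"\" -f $keyfile -C \"$keycomment\""
  if ! ssh-keygen "${keyopt[@]}" -N "" -f "$keyfile" -C "$keycomment"; then
    echo "ssh-keygen failed, no new key pair written" >&2
    if [[ "$keyrotate" = 'rotate' ]]; then
      # put the still-working pair back so the remote host stays reachable
      mv -- "$oldkeyfile" "$keyfile"
      mv -- "$oldpubfile" "$pubfile"
    fi
    return 1
  fi
  if [[ "$keyrotate" = 'rotate' ]]; then
    OLDPUBKEY=$(<"$oldpubfile")
    NEWPUBKEY=$(<"$pubfile")
  fi
  echo
  echo "-------------------------------------------------------------------"
  echo "${KEYNAME}.key.pub public key"
  echo "-------------------------------------------------------------------"
  echo "ssh-keygen -lf $pubfile"
  echo "[size --------------- fingerprint --------------- - comment - type]"
  echo " $(ssh-keygen -lf "$pubfile")"
  echo
  echo "cat $pubfile"
  cat "$pubfile"
  echo
  echo "-------------------------------------------------------------------"
  echo "$HOME/.ssh contents"
  echo "-------------------------------------------------------------------"
  ls -lahrt "$HOME/.ssh"
  echo
  echo "-------------------------------------------------------------------"
  echo "Add SSH key to SSH Agent"
  echo "-------------------------------------------------------------------"
  # add SSH key to SSH Agent. The echoed line is a literal: the previous
  # echo "eval \"$(ssh-agent -s)\"" ran ssh-agent a first time just to print
  # the command, leaving an orphaned agent behind on every run.
  echo 'eval "$(ssh-agent -s)"'
  eval "$(ssh-agent -s)"
  echo "ssh-add \"$keyfile\""
  ssh-add "$keyfile"
  echo
  echo "-------------------------------------------------------------------"
  echo "Transfering ${KEYNAME}.key.pub to remote host"
  echo "-------------------------------------------------------------------"
  if [[ -z "$_remoteh" ]]; then
    read -rep "enter remote ip address or hostname: " remotehost
  else
    remotehost=$_remoteh
  fi
  if [[ -z "$_remotep" ]]; then
    read -rep "enter remote ip/host port number i.e. 22: " remoteport
  else
    remoteport=$_remotep
  fi
  if [[ -z "$_remoteu" ]]; then
    read -rep "enter remote ip/host username i.e. root: " remoteuser
  else
    remoteuser=$_remoteu
  fi
  if [[ "$SSHPASS" = [yY] ]]; then
    if [[ -z "$_sshpass" && "$keyrotate" != 'rotate' ]]; then
      # -s: do not echo the typed password back to the terminal
      read -rsp "enter remote ip/host username SSH password: " sshpassword
      echo
    else
      sshpassword=$_sshpass
    fi
  fi
  if ping -c1 -W 2 "$remotehost" >/dev/null 2>&1; then
    VALIDREMOTE=y
    if [[ "$keyrotate" != 'rotate' ]]; then
      echo
      echo "-------------------------------------------------------------------"
      echo "you MAYBE prompted for remote ip/host password"
      echo "enter below command to copy key to remote ip/host"
      echo "-------------------------------------------------------------------"
      echo
    else
      echo
    fi
  else
    echo
    echo "-------------------------------------------------------------------"
    echo "enter below command to copy key to remote ip/host"
    echo "-------------------------------------------------------------------"
    echo
  fi
  if [[ "$keyrotate" = 'rotate' ]]; then
    # rotate key routine: replace the old public key line on the remote with
    # the new one, authenticating with the renamed ${KEYNAME}-old.key identity.
    # Both keys travel over stdin and are matched as whole fixed lines, so a
    # key comment containing sed/shell metacharacters can neither corrupt
    # authorized_keys nor break out of the remote command (the previous
    # sed -i 's|$OLDPUBKEY|$NEWPUBKEY|' interpolated the keys into both the
    # sed expression and the remote shell command). The remote user's own
    # ~/.ssh/authorized_keys is edited, which is where ssh-copy-id installs
    # keys on the 'gen' path, instead of a hard-coded /root/.ssh path.
    local remote_rotate_cmd
    remote_rotate_cmd='IFS= read -r old; IFS= read -r new; f="$HOME/.ssh/authorized_keys"; umask 077; grep -qxF -- "$old" "$f" 2>/dev/null || echo "warning: old public key not found in $f" >&2; grep -vxF -- "$old" "$f" 2>/dev/null > "$f.tmp"; printf "%s\n" "$new" >> "$f.tmp" && mv -- "$f.tmp" "$f"'
    echo "rotate and replace old public key from remote: $remoteuser@$remotehost"
    echo
    echo "ssh $remoteuser@$remotehost -p $remoteport -i $oldkeyfile '<replace old public key line in ~/.ssh/authorized_keys>'" | tee "${KEYGEN_LOGDIR}/cmd-rotatekeys-${KEYNAME}-old.key.log"
    echo
    printf '%s\n%s\n' "$OLDPUBKEY" "$NEWPUBKEY" | ssh "$remoteuser@$remotehost" -p "$remoteport" -i "$oldkeyfile" "$remote_rotate_cmd"
    # status of ssh, not of printf; a failure here keeps the old pair below
    SSHCOPYERR=${PIPESTATUS[1]}
    if [[ "$SSHCOPYERR" -ne 0 ]]; then
      echo "remote key replacement failed (exit $SSHCOPYERR); keeping $oldkeyfile" >&2
    fi
  else
    echo "copy $pubfile to remote: $remoteuser@$remotehost"
    if [[ "$SSHPASS" = [yY] ]]; then
      # the password is deliberately not part of the echoed command: stdout is
      # tee'd into the run log and this line is also written to its own log
      echo "sshpass -e ssh-copy-id -o StrictHostKeyChecking=no -i $pubfile $remoteuser@$remotehost -p $remoteport" | tee "${KEYGEN_LOGDIR}/cmd-generated-${KEYNAME}.key.log"
    else
      echo "ssh-copy-id -i $pubfile $remoteuser@$remotehost -p $remoteport" | tee "${KEYGEN_LOGDIR}/cmd-generated-${KEYNAME}.key.log"
    fi
  fi
  if [[ "$VALIDREMOTE" = 'y' && "$keyrotate" != 'rotate' ]]; then
    if [[ "$SSHPASS" = [yY] ]]; then
      # sshpass -e reads the password from the SSHPASS environment variable,
      # keeping it out of `ps` output and of the logged command line; the
      # one-command prefix assignment shadows the script's own SSHPASS=y flag
      # for this child process only.
      # NOTE(review): StrictHostKeyChecking=no is kept from the original so
      # first contact with a new host works unattended, but it also accepts a
      # changed host key, so the password could be sent to an impersonating
      # host; prefer StrictHostKeyChecking=accept-new where OpenSSH 7.6+ is
      # available.
      SSHPASS="$sshpassword" sshpass -e ssh-copy-id -o StrictHostKeyChecking=no -i "$pubfile" "$remoteuser@$remotehost" -p "$remoteport"
    else
      ssh-copy-id -i "$pubfile" "$remoteuser@$remotehost" -p "$remoteport"
    fi
    SSHCOPYERR=$?
    if [[ "$SSHCOPYERR" -ne 0 ]]; then
      echo "ssh-copy-id failed (exit $SSHCOPYERR), removing the unused key pair" >&2
      rm -f -- "$keyfile" "$pubfile"
    fi
  fi
  if [[ "$VALIDREMOTE" = 'y' && "$SSHCOPYERR" -eq 0 ]]; then
    echo
    echo "-------------------------------------------------------------------"
    echo "Testing connection please wait..."
    echo "-------------------------------------------------------------------"
    echo
    echo "ssh $remoteuser@$remotehost -p $remoteport -i $keyfile 'uname -nr'"
    echo
    ssh "$remoteuser@$remotehost" -p "$remoteport" -i "$keyfile" 'uname -nr' | tee "${KEYGEN_LOGDIR}/tmpfile.log"
    # $? after the pipeline is tee's status; PIPESTATUS[0] is the ssh result
    ssh_err=${PIPESTATUS[0]}
    if [[ "$ssh_err" -eq 0 ]]; then
      # log on success
      if [[ "$keyrotate" = 'rotate' ]]; then
        menuopt=rotate
        # the new key is proven to work, so the superseded pair can go now
        rm -f -- "$oldkeyfile" "$oldpubfile"
      else
        menuopt=generate
      fi
      sshremote_idname=$(<"${KEYGEN_LOGDIR}/tmpfile.log")
      rm -f -- "${KEYGEN_LOGDIR}/tmpfile.log"
      config_log="${KEYGEN_DIR}/${menuopt}-${remotehost}-${remoteport}-${KEYNAME}-${DT}.log"
      echo "ip: ${remotehost} user: ${remoteuser} keyname: ${KEYNAME} host: ${sshremote_idname}" > "$config_log"
    else
      echo "connection test with $keyfile failed (exit $ssh_err)" >&2
      if [[ "$keyrotate" = 'rotate' ]]; then
        echo "old key pair kept at $oldkeyfile; verify access before removing it" >&2
      fi
      return 1
    fi
    alias_log="${KEYGEN_LOGDIR}/ssh-config-alias-${KEYNAME}-${remotehost}.key.log"
    populate_log="${KEYGEN_LOGDIR}/populate-keygen-${DT}.log"
    echo
    echo "-------------------------------------------------------------------"
    echo "Setup source server file ${HOME}/.ssh/config"
    echo "-------------------------------------------------------------------"
    echo
    echo "Add to ${HOME}/.ssh/config:"
    # User is the remote login the key was installed for, not the local
    # account running this script (the two only coincide for root-to-root).
    printf 'Host %s\nHostname %s\nPort %s\nIdentityFile %s\nIdentitiesOnly=yes\nUser %s\n#LogLevel DEBUG3\n' \
      "$KEYNAME" "$remotehost" "$remoteport" "$keyfile" "$remoteuser" | tee "$alias_log"
    echo
    echo "saved copy at $alias_log"
    echo
    echo "cat $alias_log >> ${HOME}/.ssh/config"
    echo
    echo "-------------------------------------------------------------------"
    echo "Once ${HOME}/.ssh/config entry added, can connect via Host label:"
    echo " ${KEYNAME}"
    echo "-------------------------------------------------------------------"
    echo
    echo "ssh ${KEYNAME}"
    echo
    echo "-------------------------------------------------------------------"
    echo "keygen.sh run logged to: ${KEYGEN_LOGDIR}/keygen-${DT}.log"
    echo "config logged to: $config_log"
    echo
    echo "-------------------------------------------------------------------"
    # Helper script that adds this public key to the local authorized_keys
    # (whole-line fixed-string match, so it is not appended twice) and copies
    # the private key to the remote host via sshtransfer.sh.
    {
      printf 'getpk=$(cat "%s")\n' "$pubfile"
      printf 'if ! grep -qxF -- "$getpk" "%s" 2>/dev/null; then cat "%s" >> "%s"; fi\n' "$HOME/.ssh/authorized_keys" "$pubfile" "$HOME/.ssh/authorized_keys"
      printf './sshtransfer.sh %s %s %s %s %s\n' "$keyfile" "$remotehost" "$remoteport" "${KEYNAME}.key" "$HOME/.ssh/"
    } > "$populate_log"
    echo "populating SSH key file at: $populate_log"
    echo
    echo "To configure remote with same generated SSH Key:"
    echo "bash $populate_log"
    echo
    echo "-------------------------------------------------------------------"
    echo "list $KEYGEN_DIR"
    echo
    ls -lAhrt "$KEYGEN_DIR"
    exit 0
  fi
}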
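# Command-line dispatch: 'gen' creates a new key pair, 'rotatekeys'
# replaces an existing one. Positional arguments are handed to keygen()
# through the _input_* globals it reads; anything else prints usage on
# stderr and exits non-zero so callers can tell a bad invocation apart
# from a completed run.
case "$1" in
  gen)
    _input_keytype=$2
    _input_remoteh=$3
    _input_remotep=$4
    _input_remoteu=$5
    _input_comment=$6
    _input_sshpass=$7
    _input_unique_keyname=$8
    keygen
    exit
    ;;
  rotatekeys)
    _input_keytype=$2
    _input_remoteh=$3
    _input_remotep=$4
    _input_remoteu=$5
    _input_comment=$6
    _input_keyname=$7
    _input_unique_keyname=$8
    keygen rotate
    exit
    ;;
  *)
    if [[ -n "$1" ]]; then
      echo "unknown command: $1" >&2
    fi
    cat >&2 <<EOF
-------------------------------------------------------------------------
 $0 {gen}
 $0 {gen} keytype remoteip remoteport remoteuser keycomment

 or

 $0 {gen} keytype remoteip remoteport remoteuser keycomment remotessh_password

 or

 $0 {gen} keytype remoteip remoteport remoteuser keycomment remotessh_password unique_keyname_filename

-------------------------------------------------------------------------
 $0 {rotatekeys}
 $0 {rotatekeys} keytype remoteip remoteport remoteuser keycomment keyname

 or

 $0 {rotatekeys} keytype remoteip remoteport remoteuser keycomment "" unique_keyname_filename

-------------------------------------------------------------------------
 keytype supported: rsa, ecdsa, ed25519
EOF
    exit 1
    ;;
esac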