ssh-rekey
Shell scripts that automate regenerating an SSH key pair and propagating the new public key into a remote account's `authorized_keys`. The generated private keys are passphrase-less, so the local key directory must stay private (0700).
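#!/usr/bin/env bash
#
# rekey.sh - set up or renew passwordless ssh keys on a remote server.
#
# The first run has no stored key for REMOTEUSER@REMOTESERVER, so ssh asks for
# the account password (twice: once to fetch, once to install). Every run then:
#   1. generates a fresh, passphrase-less key pair in ~/.ssh/<server>/<user>/,
#   2. fetches the remote authorized_keys, appends the new public key and
#      installs the result on the server with an atomic rename,
#   3. verifies that the NEW key alone can log in (no password, no agent),
#   4. only then promotes it to ~/.ssh/<server>/<user>/<KEYNAME>, and
#   5. retires key pairs older than the PASTKEYS newest ones, removing their
#      public halves from the remote authorized_keys before deleting them.
#
# Security notes:
#   * PASSPHRASE="" means the private key is unencrypted on disk: whoever can
#     read ~/.ssh/<server>/<user>/ can log in as REMOTEUSER. The directory is
#     kept 0700 and umask 077 makes every file this script writes owner-only.
#   * Rotation only reduces exposure if old public keys are also removed from
#     the server; step 5 does that for keys this script generated and still
#     holds locally. Keys added to authorized_keys by other means are untouched.
#   * Host-key checking is left at the ssh default: an unknown or changed host
#     key is something to look at, not something to automate away.
#
# Authors: Mat Caughron, Thom Harrison
# Copyright 2006
set -euo pipefail
umask 077          # files created below (keys, authorized_keys copies) are owner-only
export LC_ALL=C    # byte-wise glob ordering, so timestamped key names sort oldest first

DATENAME=$(date +%y%m%d-%H%M%S)
REMOTEUSER=felix
REMOTESERVER=servername.com
PORT=20202
KEYTYPE=ed25519  # ssh-dss (dsa) is disabled by default since OpenSSH 7.0 and removed in 9.8; rsa, ecdsa or ed25519
KEYBYTES=3072    # only passed to ssh-keygen for rsa/ecdsa (ed25519 is fixed-size); 1024 is below current minimums
PASTKEYS=3       # number of live key pairs to keep locally, the one being installed included; suggested 2 or 3
KEYNAME=identity # file name of the key ssh/scp use for this server; suggested identity, id_rsa, id_ed25519 as appropriate
PASSPHRASE=""    # empty = passphrase-less key, which is the point of this script; see Security notes above

# Everything for this account lives under one owner-only directory:
#   <DATENAME>.key / .key.pub  key pair generated by a given run
#   <KEYNAME> / <KEYNAME>.pub  the key currently used to authenticate
#   <DATENAME>.log             the authorized_keys content installed by that run
KEYLOCATION="$HOME/.ssh/$REMOTESERVER/$REMOTEUSER"
CURRENTKEY="$KEYLOCATION/$KEYNAME"
NEWKEY="$KEYLOCATION/$DATENAME.key"
AUTHKEYS_LOG="$KEYLOCATION/$DATENAME.log"
TARGET="$REMOTEUSER@$REMOTESERVER"

# ssh options shared by every connection. When a promoted key exists it is the
# only identity offered (IdentitiesOnly stops an agent full of unrelated keys
# from exhausting the server's attempt limit); password auth remains available
# as the fallback, which is what the first run relies on.
declare -a SSH_OPTS=(-p "$PORT" -o IdentitiesOnly=yes)
if [[ -f "$CURRENTKEY" ]]; then
  SSH_OPTS+=(-i "$CURRENTKEY")
fi

# Print a message to stderr and abort.
die() {
  printf 'rekey: %s\n' "$*" >&2
  exit 1
}

# Create ~/.ssh/<server>/<user> (and parents) owner-only and tighten the mode of
# anything already there: a readable passphrase-less key is a credential leak,
# and ssh refuses to use a private key that is group- or world-readable.
prepare_keydir() {
  if [[ -d "$KEYLOCATION" ]]; then
    printf 'The directory %s is present. Your new key and authorized_keys log will be located there.\n' "$KEYLOCATION"
  else
    mkdir -p "$KEYLOCATION"   # umask 077 makes each newly created level 0700
    printf 'The directory %s was created. Your new key and authorized_keys log will be located there.\n' "$KEYLOCATION"
  fi
  chmod 700 "$HOME/.ssh/$REMOTESERVER" "$KEYLOCATION"
  local f
  for f in "$KEYLOCATION"/*; do
    if [[ -f "$f" ]]; then
      chmod 600 "$f"
    fi
  done
}

# Generate the new passphrase-less key pair as NEWKEY / NEWKEY.pub.
# -C tags the public key so it is recognisable in the remote authorized_keys.
generate_key() {
  if [[ -e "$NEWKEY" ]]; then
    die "$NEWKEY already exists (two runs within the same second?)"
  fi
  local -a args=(-q -t "$KEYTYPE" -f "$NEWKEY" -N "$PASSPHRASE" -C "rekey $TARGET $DATENAME")
  case "$KEYTYPE" in
    rsa|ecdsa) args+=(-b "$KEYBYTES") ;;
  esac
  ssh-keygen "${args[@]}" || die "ssh-keygen failed"
  chmod 600 "$NEWKEY" "$NEWKEY.pub"
}

# Copy the remote ~/.ssh/authorized_keys into AUTHKEYS_LOG. A missing remote
# file (fresh account) yields an empty snapshot; a transport or authentication
# failure aborts the run before anything is changed.
fetch_authorized_keys() {
  ssh -n "${SSH_OPTS[@]}" "$TARGET" \
    'if [ -f ~/.ssh/authorized_keys ]; then cat ~/.ssh/authorized_keys; fi' \
    > "$AUTHKEYS_LOG" || die "could not fetch authorized_keys from $TARGET"
}

# Install FILE as the remote ~/.ssh/authorized_keys. The content is streamed
# to a temporary file beside the target and renamed into place, so a dropped
# connection mid-transfer cannot leave a truncated authorized_keys (a lock-out)
# behind. Arguments after FILE are extra ssh options, e.g. the key to use.
install_authorized_keys() {
  local file=$1
  shift
  ssh "${SSH_OPTS[@]}" "$@" "$TARGET" \
    'umask 077; mkdir -p ~/.ssh; cat > ~/.ssh/authorized_keys.rekey.tmp && mv -f ~/.ssh/authorized_keys.rekey.tmp ~/.ssh/authorized_keys' \
    < "$file" || die "could not install authorized_keys on $TARGET"
}

# Prove that the new key alone opens a session. BatchMode forbids password
# prompts and NEWKEY is the only identity offered, so success here really means
# the key is installed; a test that could fall back to the password or an agent
# key would happily promote a key that does not work.
verify_new_key() {
  ssh -n -p "$PORT" -o IdentitiesOnly=yes -o BatchMode=yes -i "$NEWKEY" "$TARGET" \
    'hostname && uptime'
}

# Make the verified key the one later runs (and the user) authenticate with.
# Copy-then-rename so KEYNAME is never half-written.
promote_new_key() {
  cp -- "$NEWKEY" "$CURRENTKEY.tmp"
  mv -f -- "$CURRENTKEY.tmp" "$CURRENTKEY"
  cp -- "$NEWKEY.pub" "$CURRENTKEY.pub.tmp"
  mv -f -- "$CURRENTKEY.pub.tmp" "$CURRENTKEY.pub"
  chmod 600 "$CURRENTKEY" "$CURRENTKEY.pub"
}

# Keep the PASTKEYS newest generated key pairs (the one just promoted among
# them). Older ones are removed from the remote authorized_keys first and from
# disk second, so a failure in between leaves a key that is still usable and
# still listed on the server.
retire_old_keys() {
  local -a older=() retired=()
  local pub
  # DATENAME is yymmdd-HHMMSS and LC_ALL=C, so the glob expands oldest first;
  # the key just promoted is excluded so it can never be retired by mistake.
  for pub in "$KEYLOCATION"/*.key.pub; do
    if [[ -f "$pub" && "$pub" != "$NEWKEY.pub" ]]; then
      older+=("$pub")
    fi
  done
  local n_retire=$(( ${#older[@]} - (PASTKEYS - 1) ))
  if (( n_retire <= 0 )); then
    return 0
  fi
  retired=("${older[@]:0:n_retire}")

  # Drop the lines that are exactly one of the retired public keys. grep exits
  # 1 when no line survives, which cannot happen here because the new key is
  # in the file; any other non-zero status is a real error and aborts.
  local pruned="$AUTHKEYS_LOG.pruned"
  grep -v -x -F -f <(cat "${retired[@]}") "$AUTHKEYS_LOG" > "$pruned" \
    || [[ $? -eq 1 ]]
  install_authorized_keys "$pruned" -i "$NEWKEY"
  mv -f -- "$pruned" "$AUTHKEYS_LOG"   # the log mirrors what is now on the server

  for pub in "${retired[@]}"; do
    printf 'Retiring key pair %s\n' "${pub%.pub}"
    rm -f -- "$pub" "${pub%.pub}"
  done
}

main() {
  if (( PASTKEYS < 1 )); then
    die "PASTKEYS must be at least 1 (the key being installed counts)"
  fi
  if [[ -z "$REMOTEUSER" || -z "$REMOTESERVER" || -z "$KEYNAME" ]]; then
    die "REMOTEUSER, REMOTESERVER and KEYNAME must all be set"
  fi

  prepare_keydir
  generate_key
  fetch_authorized_keys

  # Append the new public key to the local copy. If the remote file had no
  # final newline, add one first so the new key is not glued to the last line.
  if [[ -s "$AUTHKEYS_LOG" && -n "$(tail -c 1 "$AUTHKEYS_LOG")" ]]; then
    printf '\n' >> "$AUTHKEYS_LOG"
  fi
  cat -- "$NEWKEY.pub" >> "$AUTHKEYS_LOG"
  install_authorized_keys "$AUTHKEYS_LOG"

  if ! verify_new_key; then
    die "login with the new key $NEWKEY failed; the previous key (if any) is left in place"
  fi
  promote_new_key
  retire_old_keys
}

main "$@"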