ssh-rekey 


Shell scripts to automate the process of regenerating and propagating ssh keys. 

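#!/bin/bash
#
#  rekey.sh is a script to either set up or renew passwordless ssh keys on a remote server
#  the first time rekey is run, it will prompt you for a password for the server
#  from then on, every time it is run, it will regenerate a key and set it up for you
#
#  Local layout (all under ~/.ssh/<server>/<user>/):
#    <timestamp>.key / <timestamp>.key.pub  one fresh key pair per run
#    <timestamp>.log                        working copy of the remote authorized_keys
#    $KEYNAME / $KEYNAME.pub                the key pair the remote side currently trusts
#
#  Exits non-zero as soon as a step fails, so a half-done rotation never replaces the
#  remote authorized_keys or the local $KEYNAME with something that does not work.

# Authors: Mat Caughron, Thom Harrison

# Copyright 2006

DATENAME=$(date +%y%m%d-%H%M%S)
REMOTEUSER=felix
REMOTESERVER=servername.com
PORT=20202
# NOTE: OpenSSH 7.0 and later refuse ssh-dss (DSA) keys by default; against such servers
# use KEYTYPE=ed25519 (KEYBYTES is then ignored) or KEYTYPE=rsa with KEYBYTES=3072 or more.
KEYTYPE=dsa
KEYBYTES=1024
PASTKEYS=3    # number of live key pairs to maintain as a history, suggested 2 or 3
KEYNAME=identity  # suggested values identity, id_rsa, id_dsa as appropriate
# empty passphrase by design: the private key is protected only by the 0600 mode set below
PASSPHRASE=""

# where this server/user's keys live; was "$KEYLOCATION=..." before, which never assigned
# anything and made every "$KEYLOCATION/..." path below resolve under "/"
KEYLOCATION=~/.ssh/$REMOTESERVER/$REMOTEUSER
REMOTE=$REMOTEUSER@$REMOTESERVER
NEWKEY=$KEYLOCATION/$DATENAME.key
AUTHKEYS=$KEYLOCATION/$DATENAME.log

# make a directory based on the name (or ip address) of the remote server
if [[ -d ~/.ssh/$REMOTESERVER ]]; then
  echo "The directory ~/.ssh/$REMOTESERVER is present.  "
else
  mkdir -- ~/.ssh/"$REMOTESERVER" || exit 1
  echo "The directory ~/.ssh/$REMOTESERVER was created.  "
fi

# make a local subdirectory inside the above servername directory for the username on the remote server
if [[ -d $KEYLOCATION ]]; then
  echo "The directory ~/.ssh/$REMOTESERVER/$REMOTEUSER is present.  Your new key and authorized_keys log will
 be located there."
else
  mkdir -- "$KEYLOCATION" || exit 1
  echo "The directory ~/.ssh/$REMOTESERVER/$REMOTEUSER was created.  Your new key and authorized_keys log will
 be located there."
fi

# authenticate with the key the remote side already trusts when we have one;
# on the very first run the array stays empty and ssh/scp fall back to a password prompt
ssh_id=()
if [[ -e $KEYLOCATION/$KEYNAME ]]; then
  ssh_id=(-i "$KEYLOCATION/$KEYNAME")
fi

# generate a brand new passphrase-less key locally; stop here if that fails, otherwise the
# steps below would publish an authorized_keys entry for a key that does not exist
ssh-keygen -t "$KEYTYPE" -b "$KEYBYTES" -f "$NEWKEY" -N "$PASSPHRASE" || exit 1

# ensure that permissions are proper for the .ssh subdirectories at least locally (maybe later check remotely too)
chmod 700 ~/.ssh/"$REMOTESERVER"
chmod 700 "$KEYLOCATION"
chmod 600 "$KEYLOCATION"/*

# retrieve the authorized_keys from the remote server into the working copy.
# A missing remote file is normal on the first run and we then start from an empty copy.
# Any other failure (host unreachable, auth failure) must abort: uploading a copy that
# holds only the new key would lock out every other key the remote side currently allows.
if ! scp "${ssh_id[@]}" -P "$PORT" "$REMOTE:~/.ssh/authorized_keys" "$AUTHKEYS"; then
  if ssh "${ssh_id[@]}" -p "$PORT" "$REMOTE" 'test ! -e ~/.ssh/authorized_keys'; then
    echo "No authorized_keys on $REMOTE yet; starting a new one."
    : > "$AUTHKEYS" || exit 1
  else
    printf 'rekey: could not fetch ~/.ssh/authorized_keys from %s; nothing changed\n' "$REMOTE" >&2
    exit 1
  fi
fi

# add the newly generated public key to a temporary copy of the remote authorized_keys
cat -- "$NEWKEY.pub" >> "$AUTHKEYS" || exit 1

# put the larger authorized_keys file back onto the remote server
scp "${ssh_id[@]}" -P "$PORT" "$AUTHKEYS" "$REMOTE:~/.ssh/authorized_keys" || exit 1

# run a ssh session to test whether it works without a passphrase.
# BatchMode disables the password fallback and IdentitiesOnly keeps agent keys out of the
# picture, so a success here really means the new key is accepted.  Only then is it
# promoted to $KEYNAME; on failure the previously working identity stays in place.
if ssh -i "$NEWKEY" -o BatchMode=yes -o IdentitiesOnly=yes -p "$PORT" "$REMOTE" 'hostname  && uptime'; then
  cat -- "$NEWKEY" > "$KEYLOCATION/$KEYNAME" || exit 1
  cat -- "$NEWKEY.pub" > "$KEYLOCATION/$KEYNAME.pub" || exit 1
else
  printf 'rekey: login with the new key %s failed; %s left unchanged\n' "$NEWKEY" "$KEYLOCATION/$KEYNAME" >&2
  exit 1
fi

# echo $REMOTESERVER/$REMOTEUSER/$DATENAME.key > ~/.ssh/$REMOTESERVER/$REMOTEUSER/$KEYNAME.key
# sftp -oPort=$PORT -b putkey $REMOTEUSER@$REMOTESERVER
# cat $REMOTEUSER/$DATENAME.key.pub >> put_authorized_keys

# cycle through old keys filtering out and delete the oldest one.
# NOTE: this is still a dry run, as in the original -- the mv commands are only echoed and
# nothing yet creates the numbered $KEYNAME.key.N files it would shuffle.
slot=$PASTKEYS
until (( slot < 0 )); do
  PREVIOUS=$slot
  slot=$((slot - 1))
  echo mv "$KEYLOCATION/$KEYNAME.key.pub.$PREVIOUS" "$KEYLOCATION/$KEYNAME.key.pub.$slot"
  echo mv "$KEYLOCATION/$KEYNAME.key.$PREVIOUS" "$KEYLOCATION/$KEYNAME.key.$slot"
done
# ":?" aborts instead of expanding to "/*.-1" should KEYLOCATION ever be empty
rm -rf -- "${KEYLOCATION:?}"/*.-1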