git/gitflow/gitlib>> keygen>> 返回
项目作者: centminmod

项目描述 :
ssh private key pair generator
高级语言: Shell
项目地址: git://github.com/centminmod/keygen.git
创建时间: 2015-10-02T02:55:19Z
项目社区:https://github.com/centminmod/keygen
开源协议:
下载


description

This script generates and manages SSH keys for different types of encryption algorithms (RSA, ECDSA, and ED25519). It takes various command-line arguments to generate new keys, rotate existing keys, and set up the SSH configuration file for seamless access to remote hosts.

Key functionalities include:

  1. Generating new SSH keys with or without a passphrase.
  2. Rotating SSH keys, replacing the old key on the remote server with a new one.
  3. Logging key generation and rotation processes.
  4. Creating an entry in the SSH configuration file for easy access to remote hosts.
  5. Providing a script to populate the remote server with the same generated SSH key.

install

Install sshpass YUM package and key github repo:

  1. yum -y install sshpass
  3. mkdir -p /root/tools
  4. cd /root/tools
  5. git clone --depth=1 https://github.com/centminmod/keygen
  6. cd keygen
  7. ./keygen.sh

usage

You can use gen command to generate SSH key pairs or use rotatekeys command to rotate an existing SSH key

Where remote server’s SSH password is optionally set via remotessh_password

  1. ./keygen.sh 
  2. -------------------------------------------------------------------------
  3.   ./keygen.sh {gen}
  4.   ./keygen.sh {gen} keytype remoteip remoteport remoteuser keycomment
  6.   or
  8.   ./keygen.sh {gen} keytype remoteip remoteport remoteuser keycomment remotessh_password
  10.   or
  12.   ./keygen.sh {gen} keytype remoteip remoteport remoteuser keycomment remotessh_password unique_keyname_filename
  14. -------------------------------------------------------------------------
  15.   ./keygen.sh {rotatekeys}
  16.   ./keygen.sh {rotatekeys} keytype remoteip remoteport remoteuser keycomment keyname
  18. or
  20.   ./keygen.sh {rotatekeys} keytype remoteip remoteport remoteuser keycomment "" unique_keyname_filename
  22. -------------------------------------------------------------------------
  23.   keytype supported: rsa, ecdsa, ed25519

cleanup

Removal all generated SSH keys and directories amd logs.

Example for my1.key*

  1. rm -rf /etc/keygen/
  2. rm -rf /root/.ssh/my1.key*

Then remove public key entry from/root/.ssh/authorized_keys.

unattended mode

If you do not pass on command line the last argument for remotessh_password for SSH user password, then when you run keygen.sh non-unattended at ssh-copy-id step you will be prompted for remote SSH user’s SSH password for one time only to setup remote server’s authorized_keys file. If you pass remotessh_password on command line, at ssh-copy-id step you will run in unattended mode and not be asked for SSH user’s SSH password as keygen.sh installs and sets up sshpass to handle input for SSH password without user input.

Running unattended mode will also attempt to copy the generated public key over to the defined remote server’s $HOME/.ssh/authorized_keys file so prompt you to do a one time login to the remote server via the password (only if you do not pass remotessh_password on command line). Then it will do a test ssh connection to the remote server using the newly generated key pair.

You’ll end up with private and public key files named myX where X is a number which would increment automatically if you re-run this command on same server.

  • private key at $HOME/.ssh/my1.key
  • public key at $HOME/.ssh/my1.key.pub

Where:

  • 1.1.1.1 is remote server IP
  • 22 is remote server SSH port
  • root is username for remote SSH user
  • comment is unique identifying name i.e. mykey@clienthostname for setting up a Shell aliases further below. Also helps you to revoke the ssh key matching on this comment
  • remotessh_password for SSH user password,

To generate rsa key pair where comment is a unique identifier for your generated key i.e. mykey@clienthostname and you pass the remote SSH user’s SSH password via remotessh_password at ssh-copy-id step

  1. keygen.sh gen rsa 1.1.1.1 22 root comment remotessh_password

To generate rsa key pair where comment is a unique identifier for your generated key i.e. mykey@clienthostname without remotessh_password. At ssh-copy-id step you will be prompted for remote SSH user’s SSH password

  1. keygen.sh gen rsa 1.1.1.1 22 root comment

To generate ecdsa key pair where comment is a unique identifier for your generated key i.e. mykey@clienthostname without remotessh_password. At ssh-copy-id step you will be prompted for remote SSH user’s SSH password

  1. keygen.sh gen ecdsa 1.1.1.1 22 root comment

To generate ed25519 key pair where comment is a unique identifier for your generated key i.e. mykey@clienthostname without remotessh_password. At ssh-copy-id step you will be prompted for remote SSH user’s SSH password

  1. keygen.sh gen ed25519 1.1.1.1 22 root comment

Once run is complete, you’ll now be able to ssh into remote server with just specifying the path to your private key you generated

  1. ssh root@remoteip -p 22 -i ~/.ssh/my1.key

Output also lists instructions for setting up ~/.ssh/config for Shell aliases where mykey@clienthostname is your comment defined above and my1 is your private key name.

  1. -------------------------------------------------------------------
  2. Setup source server file /root/.ssh/config
  3. -------------------------------------------------------------------
  5. Add to /root/.ssh/config:
  7. Host my1
  8.   Hostname 1.1.1.1
  9.   Port 22
  10.   IdentityFile /root/.ssh/my1.key
  11.   IdentitiesOnly=yes
  12.   User root
  13.   #LogLevel DEBUG3
  15. saved copy at /etc/keygen/logs/ssh-config-alias-my1-1.1.1.1.key.log
  17. cat /etc/keygen/logs/ssh-config-alias-my1-1.1.1.1.key.log >> /root/.ssh/config
  19. -------------------------------------------------------------------
  20. Once /root/.ssh/config entry added, can connect via Host label:
  21.  my1
  22. -------------------------------------------------------------------
  24. ssh my1
  26. -------------------------------------------------------------------
  28. keygen.sh run logged to: /etc/keygen/logs/keygen-081219-231227.log
  29. config logged to: /etc/keygen/generate-1.1.1.1-22-my1-081219-231227.log
  31. -------------------------------------------------------------------
  33. populating SSH key file at: /etc/keygen/logs/populate-keygen-081219-231227.log
  35. To configure remote with same generated SSH Key type:
  36. bash /etc/keygen/logs/populate-keygen-081219-231227.log
  38. -------------------------------------------------------------------
  39. list /etc/keygen
  41. total 4.0K
  42. -rw-r--r-- 1 root root  92 Dec  8 23:12 generate-1.1.1.1-22-my1-081219-231227.log
  43. drwxr-xr-x 2 root root 161 Dec  8 23:12 logs

So you’ll be able to ssh into remote server via SSH shell alias for Host label

  1. ssh my1

Populate SSH Key Globally

If you want to use the same generated SSH key in globally i.e. remote server use same generated SSH key to access the current server there’s a populated SSH key file in output as well

  1. populating SSH key file at: /etc/keygen/logs/populate-keygen-081219-231227.log
  3. To configure remote with same generated SSH Key type:
  4. bash /etc/keygen/logs/populate-keygen-081219-231227.log

Running the suggested command will

  1. add generated SSH public key to $HOME/.ssh/authorized_keys on local server as well
  2. rsync transfer the generated SSH private key $HOME/.ssh/${KEYNAME}.key to the remote server’s $HOME/.ssh directory as well via this repo’s sshtransfer.sh rsync wrapper.
  1. bash /etc/keygen/logs/populate-keygen-081219-231227.log

contents of /etc/keygen/logs/populate-keygen-081219-231227.log

  1. getpk=$(cat "/root/.ssh/my1.key.pub")
  2. if [[ ! $(grep -w '' /root/.ssh/authorized_keys) ]]; then cat "/root/.ssh/my1.key.pub" >> /root/.ssh/authorized_keys; fi
  3. ./sshtransfer.sh /root/.ssh/my1.key 1.1.1.1 22 my1.key /root/.ssh/

example run

  1. bash /etc/keygen/logs/populate-keygen-081219-231227.log
  3. transfer /root/.ssh/my1.key to root@1.1.1.1:/root/.ssh/
  4. rsync -avzi --progress --stats -e ssh -p 22 -i /root/.ssh/my1.key /root/.ssh/my1.key root@1.1.1.1:/root/.ssh/
  5. sending incremental file list
  6. <f+++++++++ my1.key
  7.             227 100%    0.00kB/s    0:00:00 (xfr#1, to-chk=0/1)
  9. Number of files: 1 (reg: 1)
  10. Number of created files: 1 (reg: 1)
  11. Number of deleted files: 0
  12. Number of regular files transferred: 1
  13. Total file size: 227 bytes
  14. Total transferred file size: 227 bytes
  15. Literal data: 227 bytes
  16. Matched data: 0 bytes
  17. File list size: 0
  18. File list generation time: 0.001 seconds
  19. File list transfer time: 0.000 seconds
  20. Total bytes sent: 280
  21. Total bytes received: 35
  23. sent 280 bytes  received 35 bytes  630.00 bytes/sec
  24. total size is 227  speedup is 0.72
  26. check remote root@1.1.1.1:/root/.ssh/
  27. ssh -p 22 -i /root/.ssh/my1.key root@1.1.1.1 ls -lah /root/.ssh/
  28. total 16K
  29. drwx------  2 root root   63 Dec  8 23:37 .
  30. dr-xr-x---. 9 root root 4.0K Dec  8 22:45 ..
  31. -rw-------  1 root root  171 Dec  8 23:36 authorized_keys
  32. -rw-r--r--  1 root root  174 Dec  8 22:47 known_hosts
  33. -rw-------  1 root root  227 Dec  8 23:36 my1.key

Logging

Latest version automatically saves to log files the keygen.sh run + a config summary log

  1. -------------------------------------------------------------------
  3. keygen.sh run logged to: /etc/keygen/logs/keygen-010118-083341.log
  4. config logged to: /etc/keygen/generate-1.1.1.1-22-my4-010118-083341.log
  6. -------------------------------------------------------------------
  7. list all config logs
  9. /etc/keygen/generate-1.1.1.1-22-my1-010118-082758.log
  10. /etc/keygen/generate-1.1.1.1-22-my2-010118-082907.log
  11. /etc/keygen/generate-1.1.1.1-22-my3-010118-083220.log
  12. /etc/keygen/generate-1.1.1.1-22-my4-010118-083341.log
  14. -------------------------------------------------------------------

config summary log for /etc/keygen/generate-1.1.1.1-22-my4-010118-083341.log where it logs remote hostname, remote user, the ssh keyname, short format hostname and kernel version

  1. cat /etc/keygen/generate-1.1.1.1-22-my4-010118-083341.log
  2. ip: 1.1.1.1 user: root keyname: my4 host: host1 2.6.32-042stab126.2

Removing public key from remote server

To revoke a public key from your remote server so that the source data server can not connect to the remote server anymore, you need to remove the generated public key from remote server’s /root/.ssh/authorized_keys file. You can use the comment i.e. mykey@clienthostname as a filter for sed deletion of the line.

On remote server run command where mykey@clienthostname is your comment you specified when you generated your key pair.

  1. sed -i '/mykey@clienthostname$/d' /root/.ssh/authorized_keys

If you setup a SSH aliase in ~/.ssh/config, then you also need to remove the entry for mykey@clienthostname

Rotate Existing SSH Key

New rotatekeys command allows you to rotate an existing SSH key both on local and remote server end. This assumes you are running keygen.sh on the same server that initially generated the existing SSH key on the server via gen command

generated with (where remote ssh root password = remotessh_password)

  1. ./keygen.sh {gen} keytype remoteip remoteport remoteuser keycomment remotessh_password

rotated with

  1. ./keygen.sh {rotatekeys} keytype remoteip remoteport remoteuser keycomment keyname

Example:

generated with (where comment = mykey@clienthostname and where remoter ssh root password = remotessh_password)

  1. ./keygen.sh gen rsa 1.1.1.1 22 root mykey@clienthostname remotessh_password

resulting in key = my1.key so keyname = my1

  1. -------------------------------------------------------------------
  2. /root/.ssh contents
  3. -------------------------------------------------------------------
  4. total 12K
  5. dr-xr-x---. 8 root root 4.0K Apr 20 17:14 ..
  6. -rw-------  1 root root 3.2K Apr 20 17:17 my1.key
  7. -rw-r--r--  1 root root  736 Apr 20 17:17 my1.key.pub
  8. drwx------  2 root root   38 Apr 20 17:17 .

rotated with indentifying keyname = my1

  1. ./keygen.sh rotatekeys rsa 1.1.1.1 22 root mykey@clienthostname my1

full output

  1. ./keygen.sh rotatekeys rsa 1.1.1.1 22 root mykey@clienthostname my1
  3. -------------------------------------------------------------------
  4. Rotating Private Key Pair...
  5. -------------------------------------------------------------------
  6. ssh-keygen -t rsa -b 4096 -N  -f /root/.ssh/my1.key -C my1comment
  7. Generating public/private rsa key pair.
  8. Your identification has been saved in /root/.ssh/my1.key.
  9. Your public key has been saved in /root/.ssh/my1.key.pub.
  10. The key fingerprint is:
  11. 9c:8b:f7:74:44:27:79:6b:36:3b:29:e7:98:c2:3f:5e my1comment
  12. The key's randomart image is:
  13. +--[ RSA 4096]----+
  14. |                 |
  15. |             .   |
  16. |            + o  |
  17. |       . . . + . |
  18. |        S   . =  |
  19. |       . . . o + |
  20. |      . o.. o E  |
  21. |       . oo..B . |
  22. |          .+=..  |
  23. +-----------------+
  25. -------------------------------------------------------------------
  26. my1.key.pub public key
  27. -------------------------------------------------------------------
  28. ssh-keygen -lf /root/.ssh/my1.key.pub
  29. [size --------------- fingerprint ---------------     - comment - type]
  30. 4096 9c:8b:f7:74:44:27:79:6b:36:3b:29:e7:98:c2:3f:5e  my1comment (RSA)
  32. cat /root/.ssh/my1.key.pub
  33. ssh-rsa AAAAB3NzaC1..NEW..w== my1comment
  35. -------------------------------------------------------------------
  36. /root/.ssh contents
  37. -------------------------------------------------------------------
  38. total 24K
  39. dr-xr-x---. 8 root root 4.0K Apr 20 17:14 ..
  40. -rw-r--r--  1 root root  175 Apr 20 17:17 known_hosts
  41. -rw-r--r--  1 root root  736 Apr 20 17:17 my1-old.key.pub
  42. -rw-------  1 root root 3.2K Apr 20 17:17 my1-old.key
  43. -rw-r--r--  1 root root  736 Apr 20 17:30 my1.key.pub
  44. -rw-------  1 root root 3.2K Apr 20 17:30 my1.key
  45. drwx------  2 root root   96 Apr 20 17:30 .
  47. -------------------------------------------------------------------
  48. Transfering my1.key.pub to remote host
  49. -------------------------------------------------------------------
  51. rotate and replace old public key from remote: root@1.1.1.1
  53. ssh root@1.1.1.1 -p 22 -i /root/.ssh/my1-old.key "sed -i 's|ssh-rsa AAAAB3NzaC1..OLD...gw== my1comment|ssh-rsa AAAAB3NzaC1..NEW..w== my1comment|' /root/.ssh/authorized_keys"
  56. -------------------------------------------------------------------
  57. Testing connection
  58. -------------------------------------------------------------------
  60. ssh root@1.1.1.1 -p 22 -i /root/.ssh/my1.key "uname -a"
  61. Linux remote.localdomain 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
  63. -------------------------------------------------------------------
  64. Setup source server file /root/.ssh/config
  65. -------------------------------------------------------------------
  67. Add to /root/.ssh/config:
  69. Host my1
  70. Hostname 1.1.1.1
  71. Port 22
  72. IdentityFile /root/.ssh/my1.key
  73. IdentitiesOnly=yes
  74. User root
  75. #LogLevel DEBUG3
  77. saved copy at /etc/keygen/logs/ssh-config-alias-my1-1.1.1.1.key.log
  79. cat /etc/keygen/logs/ssh-config-alias-my1-1.1.1.1.key.log >> /root/.ssh/
  81. -------------------------------------------------------------------
  82. Once /root/.ssh/config entry added, can connect via Host label:
  83. my1
  84. -------------------------------------------------------------------
  86. ssh my1

sshtransfer.sh

sshtransfer.sh script is a wrapper script to quickly transfer files to a remote server configured with keygen.sh setup.

Usage

  1. ./sshtransfer.sh 
  3. usage:
  5. ./sshtransfer.sh filename remoteip_addr remoteip_port sshkeyname remote_directory

For example, transfer local /home/test.txt file to remote server with ip = 1.1.1.1 and remote port 22 in remote directory /home/remotessh and key name my1.key located at /root/.ssh/my1.key.

  1. ./sshtransfer.sh /home/test.txt 1.1.1.1 22 my1.key /home/remotessh
  3. transfer /home/test.txt to root@1.1.1.1:/home/remotessh
  4. rsync -avzi --progress --stats -e ssh -p 22 -i /root/.ssh/my1.key /home/test.txt root@1.1.1.1:/home/remotessh
  5. sending incremental file list
  6. <f..t...... test.txt
  7.            2 100%    0.00kB/s    0:00:00 (xfer#1, to-check=0/1)
  9. Number of files: 1
  10. Number of files transferred: 1
  11. Total file size: 2 bytes
  12. Total transferred file size: 2 bytes
  13. Literal data: 2 bytes
  14. Matched data: 0 bytes
  15. File list size: 25
  16. File list generation time: 0.001 seconds
  17. File list transfer time: 0.000 seconds
  18. Total bytes sent: 76
  19. Total bytes received: 37
  21. sent 76 bytes  received 37 bytes  15.07 bytes/sec
  22. total size is 2  speedup is 0.02
  24. check remote root@1.1.1.1:/home/remotessh
  25. ssh -p 22 -i /root/.ssh/my1.key root@1.1.1.1 ls -lah /home/remotessh
  26. total 12K
  27. drwxr-xr-x  2 root root 4.0K Jul  3 21:03 .
  28. drwxr-xr-x. 8 root root 4.0K Jul  3 20:33 ..
  29. -rw-r--r--  1 root root    2 Jul  3 21:03 test.txt