added SSH host keys discovery, re-assigned '-d' command-line option to this function, 2 new parameters in manage_ssh.conf (VRF 1.4.0) [Patrick Van der Veken]

This commit is contained in:
patvdv 2015-09-27 17:53:33 +02:00
parent 7ca0a08be7
commit 9aa4d8cbd3
2 changed files with 132 additions and 57 deletions


@ -38,6 +38,13 @@ SSH_UPDATE_USER=""
# options to pass to update_ssh.pl when executing a key update # options to pass to update_ssh.pl when executing a key update
SSH_UPDATE_OPTS="--verbose --remove" SSH_UPDATE_OPTS="--verbose --remove"
# path to the ssh-keyscan too
SSH_KEYSCAN_BIN="/usr/bin/ssh-keyscan"
# extra arguments/options for the ssh-keyscan command
# by default -f <file> is used by manage_sudo.sh to supply hostnames, do not add here
SSH_KEYSCAN_ARGS="-t rsa"
# maximum number of background process to spawn (~maxuprc, ~nstrpty etc) # maximum number of background process to spawn (~maxuprc, ~nstrpty etc)
MAX_BACKGROUND_PROCS=30 MAX_BACKGROUND_PROCS=30
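Review bot: The comment above `SSH_KEYSCAN_ARGS` says the `-f <file>` option is supplied by `manage_sudo.sh`, but this file is `manage_ssh.conf` and the consumer of these two settings is the SSH controls script (presumably `manage_ssh.sh`, which calls `${SSH_KEYSCAN_BIN} ${SSH_KEYSCAN_ARGS} -f -` in its `--discover` action), so the name looks copied from a sudo counterpart; suggest `# by default -f <file> is used by manage_ssh.sh to supply hostnames, do not add here`. The `SSH_KEYSCAN_BIN` comment also has a typo, `# path to the ssh-keyscan too`, which should read `# path to the ssh-keyscan tool`. Separately, the default `-t rsa` restricts discovery to RSA host keys, so targets that only publish ECDSA or Ed25519 host keys produce no output; since the discovered keys are what operators will later pin and trust, it is worth stating this limitation in the comment, e.g. `# key types to scan for (-t rsa,ecdsa,ed25519 to collect all common types)`.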


@ -21,9 +21,9 @@
# remote, create SSH key fingerprints or distribute the SSH controls files # remote, create SSH key fingerprints or distribute the SSH controls files
# EXPECTS: (see --help for more options) # EXPECTS: (see --help for more options)
# REQUIRES: check_config(), check_logging(), check_params(), check_root_user(), # REQUIRES: check_config(), check_logging(), check_params(), check_root_user(),
# check_setup(), check_syntax(), count_fields(), die(), display_usage(), # check_setup(), check_syntax(), count_fields(), die(), display_usage(),
# distribute2host(), do_cleanup(), fix2host(), get_linux_version(), # distribute2host(), do_cleanup(), fix2host(), get_linux_version(),
# log(), logc(), resolve_host(), sftp_file(), update2host(), # log(), logc(), resolve_host(), sftp_file(), update2host(),
# update_fingerprints(), wait_for_children(), warn() # update_fingerprints(), wait_for_children(), warn()
# For other pre-requisites see the documentation in display_usage() # For other pre-requisites see the documentation in display_usage()
# #
@ -36,7 +36,7 @@
# @(#) 2015-04-10: fix in --fix-local routine (VRF 1.1.3) [Patrick Van der Veken] # @(#) 2015-04-10: fix in --fix-local routine (VRF 1.1.3) [Patrick Van der Veken]
# @(#) 2015-05-16: added SSH_OWNER_GROUP (VRF 1.1.4) [Patrick Van der Veken] # @(#) 2015-05-16: added SSH_OWNER_GROUP (VRF 1.1.4) [Patrick Van der Veken]
# @(#) 2015-08-15: moved essential configuration items of the script into a # @(#) 2015-08-15: moved essential configuration items of the script into a
# @(#) separate configuration file (global/local), fix in # @(#) separate configuration file (global/local), fix in
# @(#) wait_for_children (VRF 1.2.0) [Patrick Van der Veken] # @(#) wait_for_children (VRF 1.2.0) [Patrick Van der Veken]
# @(#) 2015-08-26: added DO_SFTP_CHMOD configuration parameter to avoid # @(#) 2015-08-26: added DO_SFTP_CHMOD configuration parameter to avoid
# @(#) setstat failures with sftp_file() when remote file # @(#) setstat failures with sftp_file() when remote file
@ -51,6 +51,8 @@
# @(#) 2015-09-15: small fix in wait_for_children() (VRF 1.3.2) [Patrick Van der Veken] # @(#) 2015-09-15: small fix in wait_for_children() (VRF 1.3.2) [Patrick Van der Veken]
# @(#) 2015-09-23: added $GLOBAL_CONFIG_FILE to fix ownership/permissions routine # @(#) 2015-09-23: added $GLOBAL_CONFIG_FILE to fix ownership/permissions routine
# @(#) (VRF 1.3.3) [Patrick Van der Veken] # @(#) (VRF 1.3.3) [Patrick Van der Veken]
# @(#) 2015-09-27: added SSH host keys discovery, re-assigned '-d' command-line
# @(#) option to this function (VRF 1.4.0) [Patrick Van der Veken]
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
# DO NOT CHANGE THIS FILE UNLESS YOU KNOW WHAT YOU ARE DOING! # DO NOT CHANGE THIS FILE UNLESS YOU KNOW WHAT YOU ARE DOING!
#****************************************************************************** #******************************************************************************
@ -64,7 +66,7 @@
# or LOCAL_CONFIG_FILE instead # or LOCAL_CONFIG_FILE instead
# define the V.R.F (version/release/fix) # define the V.R.F (version/release/fix)
MY_VRF="1.3.3" MY_VRF="1.4.0"
# name of the global configuration file (script) # name of the global configuration file (script)
GLOBAL_CONFIG_FILE="manage_ssh.conf" GLOBAL_CONFIG_FILE="manage_ssh.conf"
# name of the local configuration file (script) # name of the local configuration file (script)
@ -81,6 +83,7 @@ KEYS_FILE=""
KEYS_DIR="" KEYS_DIR=""
TARGETS_FILE="" TARGETS_FILE=""
FIX_CREATE=0 FIX_CREATE=0
CAN_DISCOVER_KEYS=0
KEY_COUNT=0 KEY_COUNT=0
KEY_1024_COUNT=0 KEY_1024_COUNT=0
KEY_2048_COUNT=0 KEY_2048_COUNT=0
@ -145,6 +148,12 @@ then
exit 1 exit 1
fi fi
fi fi
# SSH_KEYSCAN_BIN
if [[ -z "${SSH_KEYSCAN_BIN}" ]]
then
print -u2 "ERROR: no value for the SSH_KEYSCAN_BIN setting in the configuration file"
exit 1
fi
# MAX_BACKGROUND_PROCS # MAX_BACKGROUND_PROCS
if [[ -z "${MAX_BACKGROUND_PROCS}" ]] if [[ -z "${MAX_BACKGROUND_PROCS}" ]]
then then
@ -170,15 +179,15 @@ then
then then
if [[ ! -w "${LOG_DIR}" ]] if [[ ! -w "${LOG_DIR}" ]]
then then
# switch off logging intelligently when needed for permission problems # switch off logging intelligently when needed for permission problems
# since this script may run with root/non-root actions # since this script may run with root/non-root actions
print -u2 "ERROR: unable to write to the log directory at ${LOG_DIR}, disabling logging" print -u2 "ERROR: unable to write to the log directory at ${LOG_DIR}, disabling logging"
ARG_LOG=0 ARG_LOG=0
fi fi
else else
if [[ ! -w "${LOG_FILE}" ]] if [[ ! -w "${LOG_FILE}" ]]
then then
# switch off logging intelligently when needed for permission problems # switch off logging intelligently when needed for permission problems
# since this script may run with root/non-root actions # since this script may run with root/non-root actions
print -u2 "ERROR: unable to write to the log file at ${LOG_FILE}, disabling logging" print -u2 "ERROR: unable to write to the log file at ${LOG_FILE}, disabling logging"
ARG_LOG=0 ARG_LOG=0
@ -193,7 +202,7 @@ return 0
function check_params function check_params
{ {
# -- ALL # -- ALL
if (( ARG_ACTION < 1 || ARG_ACTION > 9 )) if (( ARG_ACTION < 1 || ARG_ACTION > 10 ))
then then
display_usage display_usage
exit 0 exit 0
@ -207,7 +216,7 @@ then
exit 1 exit 1
else else
FIX_DIR="${ARG_FIX_DIR}" FIX_DIR="${ARG_FIX_DIR}"
fi fi
fi fi
# --local-dir # --local-dir
if [[ -n "${ARG_LOCAL_DIR}" ]] if [[ -n "${ARG_LOCAL_DIR}" ]]
@ -218,7 +227,7 @@ then
exit 1 exit 1
else else
LOCAL_DIR="${ARG_LOCAL_DIR}" LOCAL_DIR="${ARG_LOCAL_DIR}"
fi fi
fi fi
# --log-dir # --log-dir
[[ -z "${ARG_LOG_DIR}" ]] || LOG_DIR="${ARG_LOG_DIR}" [[ -z "${ARG_LOG_DIR}" ]] || LOG_DIR="${ARG_LOG_DIR}"
@ -278,11 +287,11 @@ do
if [[ ! -r "${FILE}" ]] if [[ ! -r "${FILE}" ]]
then then
print -u2 "ERROR: cannot read file ${FILE}" print -u2 "ERROR: cannot read file ${FILE}"
exit 1 exit 1
fi fi
done done
# check for basic SSH control file(s): targets, /var/tmp/targets.$USER (or $TMP_FILE) # check for basic SSH control file(s): targets, /var/tmp/targets.$USER (or $TMP_FILE)
if (( ARG_ACTION == 1 || ARG_ACTION == 2 || ARG_ACTION == 6 )) if (( ARG_ACTION == 1 || ARG_ACTION == 2 || ARG_ACTION == 6 || ARG_ACTION == 10 ))
then then
if [[ -z "${ARG_TARGETS}" ]] if [[ -z "${ARG_TARGETS}" ]]
then then
@ -290,12 +299,12 @@ then
if [ \( ! -r "${TARGETS_FILE}" \) -a \( ! -r "/var/tmp/targets.${USER}" \) ] if [ \( ! -r "${TARGETS_FILE}" \) -a \( ! -r "/var/tmp/targets.${USER}" \) ]
then then
print -u2 "ERROR: cannot read file ${TARGETS_FILE} nor /var/tmp/targets.${USER}" print -u2 "ERROR: cannot read file ${TARGETS_FILE} nor /var/tmp/targets.${USER}"
exit 1 exit 1
fi fi
# override default targets file # override default targets file
[[ -r "/var/tmp/targets.${USER}" ]] && TARGETS_FILE="/var/tmp/targets.${USER}" [[ -r "/var/tmp/targets.${USER}" ]] && TARGETS_FILE="/var/tmp/targets.${USER}"
else else
TARGETS_FILE=${TMP_FILE} TARGETS_FILE=${TMP_FILE}
fi fi
fi fi
# check for basic SSH control file(s): keys, keys.d/* # check for basic SSH control file(s): keys, keys.d/*
@ -309,19 +318,19 @@ then
if [[ ! -r "${KEYS_DIR}" ]] if [[ ! -r "${KEYS_DIR}" ]]
then then
print -u2 "ERROR: unable to read directory ${KEYS_DIR}" print -u2 "ERROR: unable to read directory ${KEYS_DIR}"
exit 1 exit 1
fi fi
elif [[ -f "${LOCAL_DIR}/keys" ]] elif [[ -f "${LOCAL_DIR}/keys" ]]
then then
KEYS_FILE="${LOCAL_DIR}/keys" KEYS_FILE="${LOCAL_DIR}/keys"
if [[ ! -r "${KEYS_FILE}" ]] if [[ ! -r "${KEYS_FILE}" ]]
then then
print -u2 "ERROR: cannot read file ${KEYS_FILE}" print -u2 "ERROR: cannot read file ${KEYS_FILE}"
exit 1 exit 1
fi fi
else else
print -u2 "ERROR: could not found any public keys in ${LOCAL_DIR}!" print -u2 "ERROR: could not found any public keys in ${LOCAL_DIR}!"
exit 1 exit 1
fi fi
# check for SSH control scripts & configurations (not .local) # check for SSH control scripts & configurations (not .local)
if (( ARG_ACTION == 1 || ARG_ACTION == 2 || ARG_ACTION == 4 )) if (( ARG_ACTION == 1 || ARG_ACTION == 2 || ARG_ACTION == 4 ))
@ -334,11 +343,16 @@ then
if [[ ! -r "${FILE}" ]] if [[ ! -r "${FILE}" ]]
then then
print -u2 "ERROR: cannot read file ${FILE}" print -u2 "ERROR: cannot read file ${FILE}"
exit 1 exit 1
fi fi
done done
fi
# check if 'ssh-keyscan' exists
if [[ ! -x "${SSH_KEYSCAN_BIN}" ]]
then
print -u2 "WARN: 'ssh-keyscan' tool not found, host key discovery is not possible"
CAN_DISCOVER_KEYS=0
fi fi
return 0 return 0
} }
@ -450,12 +464,13 @@ cat << EOT
Performs basic functions for SSH controls: update SSH keys locally or Performs basic functions for SSH controls: update SSH keys locally or
remote, create SSH key fingerprints or copy/distribute the SSH controls files remote, create SSH key fingerprints or copy/distribute the SSH controls files
Syntax: ${SCRIPT_DIR}/${SCRIPT_NAME} [--help] | (--backup | --check-syntax | --preview-global | --make-finger | --update ) | Syntax: ${SCRIPT_DIR}/${SCRIPT_NAME} [--help] | (--backup | --check-syntax | --preview-global | --make-finger | --update ) |
(--apply [--remote-dir=<remote_directory>] [--targets=<host1>,<host2>,...]) | (--apply [--remote-dir=<remote_directory>] [--targets=<host1>,<host2>,...]) |
((--copy|--distribute) [--remote-dir=<remote_directory> [--targets=<host1>,<host2>,...]]) | ((--copy|--distribute) [--remote-dir=<remote_directory> [--targets=<host1>,<host2>,...]]) |
(--discover [--targets=<host1>,<host2>,...]) |
([--fix-local --fix-dir=<repository_dir> [--create-dir]] | [--fix-remote [--create-dir] [--targets=<host1>,<host2>,...]]) ([--fix-local --fix-dir=<repository_dir> [--create-dir]] | [--fix-remote [--create-dir] [--targets=<host1>,<host2>,...]])
[--local-dir=<local_directory>] [--no-log] [--log-dir=<log_directory>] [--debug] [--local-dir=<local_directory>] [--no-log] [--log-dir=<log_directory>] [--debug]
Parameters: Parameters:
--apply|-a : apply SSH controls remotely (~targets) --apply|-a : apply SSH controls remotely (~targets)
@ -463,10 +478,11 @@ Parameters:
--create-dir : also create missing directories when fixing the SSH controls --create-dir : also create missing directories when fixing the SSH controls
repository (see also --fix-local/--fix-remote) repository (see also --fix-local/--fix-remote)
--check-syntax|-s : do basic syntax checking on SSH controls configuration --check-syntax|-s : do basic syntax checking on SSH controls configuration
(access, alias & keys files) (access, alias & keys files)
--copy|-c : copy SSH control files to remote host (~targets) --copy|-c : copy SSH control files to remote host (~targets)
--debug : print extra status messages on STDERR --debug : print extra status messages on STDERR
--distribute|-d : same as --copy --discover|-d : discover SSH host keys (STDOUT)
--distribute : same as --copy
--fix-dir : location of the local SSH controls client repository --fix-dir : location of the local SSH controls client repository
--fix-local : fix permissions on the local SSH controls repository --fix-local : fix permissions on the local SSH controls repository
(local SSH controls repository given by --fix-dir) (local SSH controls repository given by --fix-dir)
@ -478,10 +494,10 @@ Parameters:
--no-log : do not log any messages to the script log file. --no-log : do not log any messages to the script log file.
--make-finger|-m : create (local) key fingerprints file --make-finger|-m : create (local) key fingerprints file
--preview-global|-p : dump the global access namespace (after alias resolution) --preview-global|-p : dump the global access namespace (after alias resolution)
--remote-dir : directory where SSH control files are/should be --remote-dir : directory where SSH control files are/should be
located/copied on/to the target host located/copied on/to the target host
[default: ${REMOTE_DIR}] [default: ${REMOTE_DIR}]
--targets : comma-separated list of target hosts to operate on. Override the --targets : comma-separated list of target hosts to operate on. Override the
hosts contained in the 'targets' configuration file. hosts contained in the 'targets' configuration file.
--update|-u : apply SSH controls locally --update|-u : apply SSH controls locally
@ -490,10 +506,10 @@ Parameters:
Note 1: distribute and update actions are run in parallel across a maximum of Note 1: distribute and update actions are run in parallel across a maximum of
${MAX_BACKGROUND_PROCS} clients at the same time. ${MAX_BACKGROUND_PROCS} clients at the same time.
Note 2: for fix and update actions: make sure correct 'sudo' rules are setup Note 2: for fix and update actions: make sure correct 'sudo' rules are setup
on the target systems to allow the SSH controls script to run with on the target systems to allow the SSH controls script to run with
elevated privileges. elevated privileges.
Note 3: only GLOBAL configuration files will be distributed to target hosts. Note 3: only GLOBAL configuration files will be distributed to target hosts.
EOT EOT
@ -502,12 +518,11 @@ return 0
} }
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
# distribute SSH controls to a single host/client # distribute SSH controls to a single host/client
function distribute2host function distribute2host
{ {
SERVER="$1" SERVER="$1"
ERROR_COUNT=0 ERROR_COUNT=0
# convert line to hostname # convert line to hostname
SERVER=${SERVER%%;*} SERVER=${SERVER%%;*}
resolve_host ${SERVER} resolve_host ${SERVER}
@ -525,7 +540,7 @@ for FILE in "${LOCAL_DIR}/access!660" \
"${LOCAL_DIR}/update_ssh.conf!660" \ "${LOCAL_DIR}/update_ssh.conf!660" \
"${SCRIPT_DIR}/${SCRIPT_NAME}!770" \ "${SCRIPT_DIR}/${SCRIPT_NAME}!770" \
"${SCRIPT_DIR}/${GLOBAL_CONFIG_FILE}!660" "${SCRIPT_DIR}/${GLOBAL_CONFIG_FILE}!660"
do do
# sftp transfer # sftp transfer
sftp_file ${FILE} ${SERVER} sftp_file ${FILE} ${SERVER}
COPY_RC=$? COPY_RC=$?
@ -628,7 +643,6 @@ then
warn "could not lookup host ${SERVER}, skipping" warn "could not lookup host ${SERVER}, skipping"
return 1 return 1
fi fi
log "fixing ssh controls on ${SERVER} ..." log "fixing ssh controls on ${SERVER} ..."
if [[ -z "${SSH_UPDATE_USER}" ]] if [[ -z "${SSH_UPDATE_USER}" ]]
then then
@ -663,7 +677,7 @@ LSB_VERSION=$(lsb_release -rs 2>/dev/null | cut -f1 -d'.')
if [[ -z "${LSB_VERSION}" ]] if [[ -z "${LSB_VERSION}" ]]
then then
RELEASE_STRING=$(/bin/grep -i 'release' /etc/redhat-release 2>/dev/null) RELEASE_STRING=$(/bin/grep -i 'release' /etc/redhat-release 2>/dev/null)
case "${RELEASE_STRING}" in case "${RELEASE_STRING}" in
*release\ 5*) *release\ 5*)
RHEL_VERSION=5 RHEL_VERSION=5
@ -852,7 +866,7 @@ return $?
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
# transfer a file using sftp # transfer a file using sftp
function sftp_file function sftp_file
{ {
TRANSFER_FILE="$1" TRANSFER_FILE="$1"
TRANSFER_HOST="$2" TRANSFER_HOST="$2"
@ -888,7 +902,7 @@ return ${SFTP_RC}
} }
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
# update SSH controls on a single host/client # update SSH controls on a single host/client
# !! requires appropriate 'sudo' rules on remote client for privilege elevation # !! requires appropriate 'sudo' rules on remote client for privilege elevation
function update2host function update2host
{ {
@ -902,7 +916,6 @@ then
warn "could not lookup host ${SERVER}, skipping" warn "could not lookup host ${SERVER}, skipping"
return 1 return 1
fi fi
log "setting ssh controls on ${SERVER} ..." log "setting ssh controls on ${SERVER} ..."
if [[ -z "${SSH_UPDATE_USER}" ]] if [[ -z "${SSH_UPDATE_USER}" ]]
then then
@ -971,7 +984,7 @@ case "${FINGERPRINT}" in
KEY_OTHER_COUNT=$(( KEY_OTHER_COUNT + 1 )) KEY_OTHER_COUNT=$(( KEY_OTHER_COUNT + 1 ))
;; ;;
esac esac
return 0 return 0
} }
@ -1078,36 +1091,82 @@ for PARAMETER in ${CMD_LINE}
do do
case ${PARAMETER} in case ${PARAMETER} in
-a|-apply|--apply) -a|-apply|--apply)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=1 ARG_ACTION=1
;; ;;
-b|-backup|--backup) -b|-backup|--backup)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=9 ARG_ACTION=9
;; ;;
-c|-copy|--copy) -c|-copy|--copy)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=2 ARG_ACTION=2
;; ;;
-debug|--debug) -debug|--debug)
ARG_DEBUG=1 ARG_DEBUG=1
;; ;;
-d|-distribute|--distribute) -distribute|--distribute)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=2 ARG_ACTION=2
;; ;;
-d|-discover|--discover)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=10
ARG_LOG=0
ARG_VERBOSE=0
CAN_DISCOVER_KEYS=1
;;
-p|--preview-global|-preview-global) -p|--preview-global|-preview-global)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=7 ARG_ACTION=7
;; ;;
-s|--check-syntax|-check-syntax) -s|--check-syntax|-check-syntax)
ARG_ACTION=8 ARG_ACTION=8
;; ;;
-fix-local|--fix-local) -fix-local|--fix-local)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=5 ARG_ACTION=5
;; ;;
-fix-remote|--fix-remote) -fix-remote|--fix-remote)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=6 ARG_ACTION=6
;; ;;
-m|-make-finger|--make-finger) -m|-make-finger|--make-finger)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=3 ARG_ACTION=3
;; ;;
-u|-update|--update) -u|-update|--update)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=4 ARG_ACTION=4
;; ;;
-create-dir|--create-dir) -create-dir|--create-dir)
@ -1154,14 +1213,14 @@ do
display_usage display_usage
exit 0 exit 0
;; ;;
esac esac
done done
# check for configuration files (local overrides local) # check for configuration files (local overrides local)
if [[ -r "${SCRIPT_DIR}/${GLOBAL_CONFIG_FILE}" || -r "${SCRIPT_DIR}/${LOCAL_CONFIG_FILE}" ]] if [[ -r "${SCRIPT_DIR}/${GLOBAL_CONFIG_FILE}" || -r "${SCRIPT_DIR}/${LOCAL_CONFIG_FILE}" ]]
then then
if [[ -r "${SCRIPT_DIR}/${GLOBAL_CONFIG_FILE}" ]] if [[ -r "${SCRIPT_DIR}/${GLOBAL_CONFIG_FILE}" ]]
then then
. "${SCRIPT_DIR}/${GLOBAL_CONFIG_FILE}" . "${SCRIPT_DIR}/${GLOBAL_CONFIG_FILE}"
fi fi
if [[ -r "${SCRIPT_DIR}/${LOCAL_CONFIG_FILE}" ]] if [[ -r "${SCRIPT_DIR}/${LOCAL_CONFIG_FILE}" ]]
@ -1170,7 +1229,7 @@ then
fi fi
else else
print -u2 "ERROR: could not find global or local configuration file" print -u2 "ERROR: could not find global or local configuration file"
fi fi
# startup checks # startup checks
check_params && check_config && check_setup && check_logging check_params && check_config && check_setup && check_logging
@ -1178,8 +1237,8 @@ check_params && check_config && check_setup && check_logging
# catch shell signals # catch shell signals
trap 'do_cleanup; exit' 1 2 3 15 trap 'do_cleanup; exit' 1 2 3 15
log "*** start of ${SCRIPT_NAME} [${CMD_LINE}] ***" log "*** start of ${SCRIPT_NAME} [${CMD_LINE}] ***"
(( ARG_LOG )) && log "logging takes places in ${LOG_FILE}" (( ARG_LOG )) && log "logging takes places in ${LOG_FILE}"
log "runtime info: LOCAL_DIR is set to: ${LOCAL_DIR}" log "runtime info: LOCAL_DIR is set to: ${LOCAL_DIR}"
@ -1220,7 +1279,7 @@ case ${ARG_ACTION} in
done done
# final wait for background processes to be finished completely # final wait for background processes to be finished completely
wait_for_children ${PIDS} || \ wait_for_children ${PIDS} || \
warn "$? background jobs (possibly) failed to complete correctly" warn "$? background jobs (possibly) failed to complete correctly"
log "finished applying SSH controls remotely" log "finished applying SSH controls remotely"
;; ;;
@ -1275,7 +1334,7 @@ case ${ARG_ACTION} in
do do
update_fingerprints "${LINE}" update_fingerprints "${LINE}"
KEY_COUNT=$(( KEY_COUNT + 1 )) KEY_COUNT=$(( KEY_COUNT + 1 ))
done done
else else
while read LINE while read LINE
do do
@ -1300,7 +1359,7 @@ case ${ARG_ACTION} in
then then
die "failed to apply SSH controls locally [RC=${RC}]" die "failed to apply SSH controls locally [RC=${RC}]"
else else
log "finished applying SSH controls locally [RC=${RC}]" log "finished applying SSH controls locally [RC=${RC}]"
fi fi
;; ;;
5) # fix local directory structure/perms/ownerships 5) # fix local directory structure/perms/ownerships
@ -1310,12 +1369,12 @@ case ${ARG_ACTION} in
then then
log "you requested to create directories (if needed)" log "you requested to create directories (if needed)"
else else
log "you requested NOT to create directories (if needed)" log "you requested NOT to create directories (if needed)"
fi fi
# check if the SSH control repo is already there # check if the SSH control repo is already there
if [[ ${FIX_CREATE} = 1 && ! -d "${FIX_DIR}" ]] if [[ ${FIX_CREATE} = 1 && ! -d "${FIX_DIR}" ]]
then then
# create stub directories # create stub directories
mkdir -p "${FIX_DIR}/holding" 2>/dev/null || \ mkdir -p "${FIX_DIR}/holding" 2>/dev/null || \
warn "failed to create directory ${FIX_DIR}/holding" warn "failed to create directory ${FIX_DIR}/holding"
@ -1332,7 +1391,7 @@ case ${ARG_ACTION} in
then then
chmod 2775 "${FIX_DIR}/holding" 2>/dev/null && \ chmod 2775 "${FIX_DIR}/holding" 2>/dev/null && \
chown root:${SSH_OWNER_GROUP} "${FIX_DIR}/holding" 2>/dev/null chown root:${SSH_OWNER_GROUP} "${FIX_DIR}/holding" 2>/dev/null
fi fi
if [[ -d "${FIX_DIR}/keys.d" ]] if [[ -d "${FIX_DIR}/keys.d" ]]
then then
chmod 755 "${FIX_DIR}/keys.d" 2>/dev/null && \ chmod 755 "${FIX_DIR}/keys.d" 2>/dev/null && \
@ -1396,8 +1455,8 @@ case ${ARG_ACTION} in
6) # fix remote directory structure/perms/ownerships 6) # fix remote directory structure/perms/ownerships
log "ACTION: fix remote SSH controls repository" log "ACTION: fix remote SSH controls repository"
check_root_user && die "must NOT be run as user 'root'" check_root_user && die "must NOT be run as user 'root'"
# derive SSH controls repo from $REMOTE_DIR: # derive SSH controls repo from $REMOTE_DIR:
# /etc/ssh_controls/holding -> /etc/ssh_controls # /etc/ssh_controls/holding -> /etc/ssh_controls
FIX_DIR="$(print ${REMOTE_DIR%/*})" FIX_DIR="$(print ${REMOTE_DIR%/*})"
[[ -z "${FIX_DIR}" ]] && \ [[ -z "${FIX_DIR}" ]] && \
die "could not determine SSH controls repo path from \$REMOTE_DIR?" die "could not determine SSH controls repo path from \$REMOTE_DIR?"
@ -1462,7 +1521,7 @@ case ${ARG_ACTION} in
then then
log "$(tar -cvf ${BACKUP_TAR_FILE} ${KEYS_DIR} 2>/dev/null)" log "$(tar -cvf ${BACKUP_TAR_FILE} ${KEYS_DIR} 2>/dev/null)"
else else
log "$(tar -cvf ${BACKUP_TAR_FILE} ${KEYS_FILE} 2>/dev/null)" log "$(tar -cvf ${BACKUP_TAR_FILE} ${KEYS_FILE} 2>/dev/null)"
fi fi
# configuration files # configuration files
for FILE in "${LOCAL_DIR}/access" "${LOCAL_DIR}/alias ${LOCAL_DIR}/targets" for FILE in "${LOCAL_DIR}/access" "${LOCAL_DIR}/alias ${LOCAL_DIR}/targets"
@ -1476,6 +1535,15 @@ case ${ARG_ACTION} in
fi fi
log "finished backing up the current configuration & keys files" log "finished backing up the current configuration & keys files"
;; ;;
10) # gather SSH host keys
log "ACTION: gathering SSH host keys ..."
if (( CAN_DISCOVER_KEYS ))
then
cat "${TARGETS_FILE}" | grep -v -E -e '^#' -e '^$' |\
${SSH_KEYSCAN_BIN} ${SSH_KEYSCAN_ARGS} -f -
fi
log "finished gathering SSH host keys"
;;
esac esac
# finish up work # finish up work