added SSH host keys discovery, re-assigned '-d' command-line option to this function, 2 new parameters in manage_ssh.conf (VRF 1.4.0) [Patrick Van der Veken]

2015-09-27 17:53:33 +02:00 · 2015-09-27 17:53:33 +02:00 · 9aa4d8cbd3
commit 9aa4d8cbd3
parent 7ca0a08be7
2 changed files with 132 additions and 57 deletions
--- a/manage_ssh.conf
+++ b/manage_ssh.conf
@ -38,6 +38,13 @@ SSH_UPDATE_USER=""
 # options to pass to update_ssh.pl when executing a key update
 SSH_UPDATE_OPTS="--verbose --remove"

+# path to the ssh-keyscan too
+SSH_KEYSCAN_BIN="/usr/bin/ssh-keyscan"
+
+# extra arguments/options for the ssh-keyscan command 
+# by default -f <file> is used by manage_sudo.sh to supply hostnames, do not add here
+SSH_KEYSCAN_ARGS="-t rsa"
+
 # maximum number of background process to spawn (~maxuprc, ~nstrpty etc)
 MAX_BACKGROUND_PROCS=30

--- a/manage_ssh.sh
+++ b/manage_ssh.sh
@ -51,6 +51,8 @@
 # @(#) 2015-09-15: small fix in wait_for_children() (VRF 1.3.2) [Patrick Van der Veken]
 # @(#) 2015-09-23: added $GLOBAL_CONFIG_FILE to fix ownership/permissions routine
 # @(#)             (VRF 1.3.3) [Patrick Van der Veken]
+# @(#) 2015-09-27: added SSH host keys discovery, re-assigned '-d' command-line
+# @(#)             option to this function (VRF 1.4.0) [Patrick Van der Veken]
 # -----------------------------------------------------------------------------
 # DO NOT CHANGE THIS FILE UNLESS YOU KNOW WHAT YOU ARE DOING!
 #******************************************************************************
@ -64,7 +66,7 @@
 # or LOCAL_CONFIG_FILE instead

 # define the V.R.F (version/release/fix)
-MY_VRF="1.3.3"
+MY_VRF="1.4.0"
 # name of the global configuration file (script)
 GLOBAL_CONFIG_FILE="manage_ssh.conf"
 # name of the local configuration file (script)
@ -81,6 +83,7 @@ KEYS_FILE=""
 KEYS_DIR=""
 TARGETS_FILE=""
 FIX_CREATE=0
+CAN_DISCOVER_KEYS=0
 KEY_COUNT=0
 KEY_1024_COUNT=0
 KEY_2048_COUNT=0
@ -145,6 +148,12 @@ then
        exit 1
    fi
 fi
+# SSH_KEYSCAN_BIN
+if [[ -z "${SSH_KEYSCAN_BIN}" ]]
+then
+    print -u2 "ERROR: no value for the SSH_KEYSCAN_BIN setting in the configuration file"
+    exit 1
+fi
 # MAX_BACKGROUND_PROCS
 if [[ -z "${MAX_BACKGROUND_PROCS}" ]]
 then
@ -193,7 +202,7 @@ return 0
 function check_params
 {
 # -- ALL
-if (( ARG_ACTION < 1 || ARG_ACTION > 9 ))
+if (( ARG_ACTION < 1 || ARG_ACTION > 10 ))
 then
    display_usage
    exit 0
@ -282,7 +291,7 @@ do
    fi
 done
 # check for basic SSH control file(s): targets, /var/tmp/targets.$USER (or $TMP_FILE)
-if (( ARG_ACTION == 1 || ARG_ACTION == 2 || ARG_ACTION == 6 ))
+if (( ARG_ACTION == 1 || ARG_ACTION == 2 || ARG_ACTION == 6 || ARG_ACTION == 10 ))
 then
    if [[ -z "${ARG_TARGETS}" ]]
    then
@ -338,7 +347,12 @@ then
        fi
    done
 fi
-
+# check if 'ssh-keyscan' exists
+if [[ ! -x "${SSH_KEYSCAN_BIN}" ]]
+then
+    print -u2 "WARN: 'ssh-keyscan' tool not found, host key discovery is not possible"
+    CAN_DISCOVER_KEYS=0
+fi

 return 0
 }
@ -453,6 +467,7 @@ remote, create SSH key fingerprints or copy/distribute the SSH controls files
 Syntax: ${SCRIPT_DIR}/${SCRIPT_NAME} [--help] | (--backup | --check-syntax | --preview-global | --make-finger | --update ) |
            (--apply [--remote-dir=<remote_directory>] [--targets=<host1>,<host2>,...]) |
                ((--copy|--distribute) [--remote-dir=<remote_directory> [--targets=<host1>,<host2>,...]]) |
+                    (--discover [--targets=<host1>,<host2>,...]) |
                    ([--fix-local --fix-dir=<repository_dir> [--create-dir]] | [--fix-remote [--create-dir] [--targets=<host1>,<host2>,...]])
                         [--local-dir=<local_directory>] [--no-log] [--log-dir=<log_directory>] [--debug]

@ -466,7 +481,8 @@ Parameters:
                      (access, alias & keys files)
 --copy|-c           : copy SSH control files to remote host (~targets)
 --debug             : print extra status messages on STDERR
--distribute|-d     : same as --copy
+--discover|-d       : discover SSH host keys (STDOUT)
+--distribute        : same as --copy
 --fix-dir           : location of the local SSH controls client repository
 --fix-local         : fix permissions on the local SSH controls repository
                      (local SSH controls repository given by --fix-dir)
@ -507,7 +523,6 @@ function distribute2host
 {
 SERVER="$1"
 ERROR_COUNT=0
-
 # convert line to hostname
 SERVER=${SERVER%%;*}
 resolve_host ${SERVER}
@ -628,7 +643,6 @@ then
    warn "could not lookup host ${SERVER}, skipping"
    return 1
 fi
-        
 log "fixing ssh controls on ${SERVER} ..."
 if [[ -z "${SSH_UPDATE_USER}" ]]
 then
@ -902,7 +916,6 @@ then
    warn "could not lookup host ${SERVER}, skipping"
    return 1
 fi
-        
 log "setting ssh controls on ${SERVER} ..."
 if [[ -z "${SSH_UPDATE_USER}" ]]
 then
@ -1078,36 +1091,82 @@ for PARAMETER in ${CMD_LINE}
 do
    case ${PARAMETER} in
        -a|-apply|--apply)
+            (( ARG_ACTION )) && {
+                print -u2 "ERROR: multiple actions specified"
+                exit 1
+            }
            ARG_ACTION=1
            ;;
        -b|-backup|--backup)
+            (( ARG_ACTION )) && {
+                print -u2 "ERROR: multiple actions specified"
+                exit 1
+            }
            ARG_ACTION=9
            ;;
        -c|-copy|--copy)
+            (( ARG_ACTION )) && {
+                print -u2 "ERROR: multiple actions specified"
+                exit 1
+            }
            ARG_ACTION=2
            ;;
        -debug|--debug)
            ARG_DEBUG=1
            ;;
-        -d|-distribute|--distribute)
+        -distribute|--distribute)
+            (( ARG_ACTION )) && {
+                print -u2 "ERROR: multiple actions specified"
+                exit 1
+            }
            ARG_ACTION=2
            ;;
+        -d|-discover|--discover)
+            (( ARG_ACTION )) && {
+                print -u2 "ERROR: multiple actions specified"
+                exit 1
+            }
+            ARG_ACTION=10
+            ARG_LOG=0
+            ARG_VERBOSE=0
+            CAN_DISCOVER_KEYS=1
+            ;;
        -p|--preview-global|-preview-global)
+            (( ARG_ACTION )) && {
+                print -u2 "ERROR: multiple actions specified"
+                exit 1
+            }
            ARG_ACTION=7
            ;;
        -s|--check-syntax|-check-syntax)
            ARG_ACTION=8
            ;;
        -fix-local|--fix-local)
+            (( ARG_ACTION )) && {
+                print -u2 "ERROR: multiple actions specified"
+                exit 1
+            }
            ARG_ACTION=5
            ;;
        -fix-remote|--fix-remote)
+            (( ARG_ACTION )) && {
+                print -u2 "ERROR: multiple actions specified"
+                exit 1
+            }
            ARG_ACTION=6
            ;;
        -m|-make-finger|--make-finger)
+            (( ARG_ACTION )) && {
+                print -u2 "ERROR: multiple actions specified"
+                exit 1
+            }
            ARG_ACTION=3
            ;;
        -u|-update|--update)
+            (( ARG_ACTION )) && {
+                print -u2 "ERROR: multiple actions specified"
+                exit 1
+            }
            ARG_ACTION=4
            ;;
        -create-dir|--create-dir)
@ -1476,6 +1535,15 @@ case ${ARG_ACTION} in
        fi
        log "finished backing up the current configuration & keys files"
        ;;
+    10) # gather SSH host keys
+        log "ACTION: gathering SSH host keys ..."
+        if (( CAN_DISCOVER_KEYS ))
+        then
+            cat "${TARGETS_FILE}" | grep -v -E -e '^#' -e '^$' |\
+                ${SSH_KEYSCAN_BIN} ${SSH_KEYSCAN_ARGS} -f -
+        fi
+        log "finished gathering SSH host keys"
+        ;;
 esac

 # finish up work