* Add ignore_errors flag to skip errors during key deployment
* Some other minor updates
parent
b8b5851705
commit
b484d9a264
@ -2,7 +2,7 @@
#******************************************************************************
# @(#) convert_pubkey.pl
#******************************************************************************
# @(#) Copyright (C) 2014 by KUDOS BVBA <info@kudos.be>. All rights reserved.
# @(#) Copyright (C) 2014 by KUDOS BV <info@kudos.be>. All rights reserved.
#
# This program is a free software; you can redistribute it and/or modify
# it under the same terms of the GNU General Public License as published by
@ -29,7 +29,7 @@ use Pod::Usage;
# ------------------------- CONFIGURATION starts here -------------------------
# define the V.R.F (version/release/fix)
my $MY_VRF = "1.0.0";
my $script_version = "2025-04-27";
# always assume RSA keys!
my $key_algo = 'ssh-rsa';
# ------------------------- CONFIGURATION ends here ---------------------------
@ -62,7 +62,7 @@ pod2usage(-verbose => 0) unless (%options);
# check version parameter
if ($options{'version'}) {
print "INFO: $0: version $MY_VRF";
print "INFO: $0: version $script_version";
exit (0);
}
# check help parameter
@ -194,8 +194,4 @@ S< >Show version of the script.
=head1 AUTHOR
(c) KUDOS BVBA, Patrick Van der Veken
=head1 HISTORY
@(#) 2014-12-20: VRF 1.0.0: first version [Patrick Van der Veken]
(c) KUDOS BV, Patrick Van der Veken
@ -2,7 +2,7 @@
#******************************************************************************
# @(#) manage_ssh.sh
#******************************************************************************
# @(#) Copyright (C) 2014 by KUDOS BVBA (info@kudos.be). All rights reserved.
# @(#) Copyright (C) 2014 by KUDOS BV (info@kudos.be). All rights reserved.
#
# This program is a free software; you can redistribute it and/or modify
# it under the same terms of the GNU General Public License as published by
@ -43,7 +43,7 @@
# or LOCAL_CONFIG_FILE instead
# define the version (YYYY-MM-DD)
typeset -r SCRIPT_VERSION="2021-06-17"
typeset -r SCRIPT_VERSION="2025-04-28"
# name of the global configuration file (script)
typeset -r GLOBAL_CONFIG_FILE="manage_ssh.conf"
# name of the local configuration file (script)
@ -604,7 +604,7 @@ function display_usage
cat << EOT
**** ${SCRIPT_NAME} ****
**** (c) KUDOS BVBA - Patrick Van der Veken ****
**** (c) KUDOS BV - Patrick Van der Veken ****
Performs basic functions for SSH controls: update SSH keys locally or
remote, create SSH key fingerprints or copy/distribute the SSH controls files
@ -1560,6 +1560,15 @@ else
fi
# check bit count
case "${FINGERPRINT}" in
256*)
KEY_256_COUNT=$(( KEY_256_COUNT + 1 ))
;;
384*)
KEY_384_COUNT=$(( KEY_384_COUNT + 1 ))
;;
521*)
KEY_521_COUNT=$(( KEY_521_COUNT + 1 ))
;;
1024*)
KEY_1024_COUNT=$(( KEY_1024_COUNT + 1 ))
;;
@ -2058,6 +2067,9 @@ case ${ARG_ACTION} in
done
fi
log "${KEY_COUNT} public keys discovered with following bits distribution:"
log " 256 bits: ${KEY_256_COUNT}"
log " 384 bits: ${KEY_384_COUNT}"
log " 521 bits: ${KEY_521_COUNT}"
log " 1024 bits: ${KEY_1024_COUNT}"
log " 2048 bits: ${KEY_2048_COUNT}"
log " 4096 bits: ${KEY_4096_COUNT}"
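Review bot: The new `256*`, `384*` and `521*` branches of `case "${FINGERPRINT}"` only produce meaningful totals if `KEY_256_COUNT`, `KEY_384_COUNT` and `KEY_521_COUNT` are initialized to 0 next to the existing counters, which is outside this hunk and should be checked; a `*)` fallback that counts unrecognized lengths would also keep the per-size lines reconcilable with the `${KEY_COUNT}` total logged in the second hunk. If `FINGERPRINT` comes from `ssh-keygen -l`, `256*` matches both ECDSA P-256 and Ed25519 keys, so a comment such as `# 256 = ECDSA P-256 or Ed25519 (same reported length)` above that branch would stop the `256 bits` report line from being read as one key type. The enclosing function begins outside the hunk.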
@ -12,6 +12,9 @@
# use short hostnames or FQDN (0=short names; 1=FQDN) [default: 0]
use_fqdn=1
# ignore errors during key deployment (0=no; 1=yes [default: 0])
ignore_errors=0
# target directory for allowed SSH key files
access_dir=/etc/ssh_controls/keys.d
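Review bot: The new `ignore_errors` comment should say what is actually skipped, because with the flag set the chmod/chown failures in update_ssh.pl's set_file are only logged with `-- IGNORED` and the deployed key file is left with whatever mode or owner it already had, which is weaker than the intended state. Suggest `# ignore errors during key deployment (0=no; 1=yes) [default: 0]` followed by `# (1 only logs failed chmod/chown on deployed key files and leaves them as-is)`. That bracket placement also matches the `use_fqdn` comment above it. This file is presumably update_ssh.conf, going by the `$global_config_file` setting in the update_ssh.pl hunks below.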
@ -31,7 +31,7 @@ use Pod::Usage;
# ------------------------- CONFIGURATION starts here -------------------------
# define the version (YYYY-MM-DD)
my $script_version = "2021-01-12";
my $script_version = "2025-04-28";
# name of global configuration file (no path, must be located in the script directory)
my $global_config_file = "update_ssh.conf";
# name of localized configuration file (no path, must be located in the script directory)
@ -42,7 +42,9 @@ my $max_recursion = 5;
my %selinux_contexts = ( '5' => 'sshd_key_t',
'6' => 'ssh_home_t',
'7' => 'ssh_home_t',
'8' => 'ssh_home_t');
'8' => 'ssh_home_t',
'9' => 'ssh_home_t',
'10' => 'ssh_home_t');
# disallowed paths for home directories for accounts
my @disallowed_homes = ('/', '/etc', '/bin', '/sbin', '/usr/bin', '/usr/sbin');
# disallowed login shells for @accounts
@ -51,7 +53,7 @@ my @disallowed_shells = ('/bin/nologin','/bin/false','/sbin/nologin','/sbin/fals
my $key_location='use_controls';
# ------------------------- CONFIGURATION ends here ---------------------------
# initialize variables
my ($debug, $verbose, $preview, $remove, $global, $use_fqdn) = (0,0,0,0,0,0);
my ($debug, $verbose, $preview, $remove, $global, $use_fqdn, $ignore_errors) = (0,0,0,0,0,0,0);
my (@config_files, @zombie_files, $access_dir, $blacklist_file);
my (%options, @uname, @pwgetent, @accounts, %aliases, %keys, %access, @blacklist);
my ($os, $hostname, $run_dir, $authorizedkeys_option);
@ -98,6 +100,10 @@ sub parse_config_file {
$use_fqdn = $1;
do_log ("DEBUG: picking up setting: use_fqdn=${use_fqdn}");
}
if (/^\s*ignore_errors\s*=\s*(0|1)\s*$/) {
$ignore_errors = $1;
do_log ("DEBUG: picking up setting: ignore_errors=${ignore_errors}");
}
if (/^\s*access_dir\s*=\s*([0-9A-Za-z_\-\.\/~]+)\s*$/) {
$access_dir = $1;
do_log ("DEBUG: picking up setting: access_dir=${access_dir}");
@ -153,12 +159,24 @@ sub set_file {
my ($file, $perm, $uid, $gid) = @_;
chmod ($perm, "$file")
or do_log ("ERROR: cannot set permissions on $file [$!/$hostname]")
and exit (1);
chown ($uid, $gid, "$file")
or do_log ("ERROR: cannot set ownerships on $file [$!/$hostname]")
and exit (1);
my $rc = chmod ($perm, "$file");
if (!$rc) {
if ($ignore_errors) {
do_log ("ERROR: cannot set permissions on $file [$!/$hostname] -- IGNORED");
} else {
do_log ("ERROR: cannot set permissions on $file [$!/$hostname]");
exit (1);
}
}
my $rc = chown ($uid, $gid, "$file");
if (!$rc) {
if ($ignore_errors) {
do_log ("ERROR: cannot set ownerships on $file [$!/$hostname] -- IGNORED");
} else {
do_log ("ERROR: cannot set ownerships on $file [$!/$hostname]");
exit (1);
}
}
return (1);
}
@ -179,6 +197,7 @@ if ( @ARGV > 0 ) {
debug|d
help|h|?
global|g
ignore|i
preview|p
remove|r
verbose|v
@ -202,6 +221,10 @@ if ($options{'help'}) {
if ($options{'global'}) {
$global = 1;
}
# check ignore parameter
if ($options{'ignore'}) {
$ignore_errors = 1;
}
# check preview parameter
if ($options{'preview'}) {
$preview = 1;
@ -618,6 +641,14 @@ unless ($preview) {
$linux_version = 8;
last SWITCH_RELEASE;
};
$release_string =~ m/release 9/i && do {
$linux_version = 9;
last SWITCH_RELEASE;
};
$release_string =~ m/release 10/i && do {
$linux_version = 8;
last SWITCH_RELEASE;
};
}
}
# use fall back in case we cannot determine the version
@ -783,6 +814,7 @@ update_ssh.pl - distributes SSH public keys in a desired state model.
update_ssh.pl[-d|--debug]
[-h|--help]
[-i|--ignore]
([-p|--preview] [-g|--global]) | [-r|--remove]
[-v|--verbose]
[-V|--version]
@ -819,6 +851,8 @@ Following settings must be configured:
=item * B<use_fqdn> : whether to use short or FQDN host names
=item * B<ignore_errors> : whether to ignore errors during key deployment
=item * B<access_dir> : target directory for allowed SSH public key files
=item * B<key_location> : whether or not to use AuthorizedkeysFile setting in sshd_config for overriding $access_dir
@ -849,11 +883,15 @@ S< >Be I<very> verbose during execution; show array/hash dumps.
S< >Show the help page.
=item -i | --ignore
S< >Ignore errors during key deployment.
=item -p | --preview
S< >Do not actually distribute any SSH public keys, nor update/remove any 'authorized_keys' files.
=item -p | --global
=item -g | --global
S< >Must be used in conjunction with the --preview option. This will dump the global namespace/configuration to STDOUT.
@ -883,4 +921,4 @@ S< >Show version of the script.
=head1 AUTHOR
(c) KUDOS BVBA, Patrick Van der Veken
(c) KUDOS BV, Patrick Van der Veken
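Review bot: In the SWITCH_RELEASE chain the new `release 10` branch sets `$linux_version = 8;` while every sibling branch stores its own release number and `%selinux_contexts` gains a `'10'` key in the same commit, so it should read `$linux_version = 10;`; the slip is masked today only because `'8'` and `'10'` both map to `ssh_home_t`. In set_file, `my $rc = chown ($uid, $gid, "$file");` redeclares `$rc` in the same scope as the earlier `my $rc = chmod (...)`, which is reported as masking an earlier declaration if the file enables warnings; drop the second `my`. That function also still ends in `return (1);` after an ignored chmod/chown failure, so a caller cannot tell that a key file was left with an unintended mode or owner; returning the number of ignored failures, or logging a final count, would make a `--ignore` run auditable. Both the SWITCH_RELEASE block and set_file begin outside their hunks.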