kudos/ssh_controls
2
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

* Add ignore_errors flag to skip errors during key deployment

Browse Source 
* Some other minor updates
This commit is contained in:
Patrick Van der Veken 2025-04-27 08:15:52 +02:00
parent b8b5851705
commit b484d9a264
4 changed files with 71 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
convert_pubkey.pl
View File

@ -2,7 +2,7 @@
#****************************************************************************** #******************************************************************************
# @(#) convert_pubkey.pl # @(#) convert_pubkey.pl
#****************************************************************************** #******************************************************************************
# @(#) Copyright (C) 2014 by KUDOS BVBA <info@kudos.be>. All rights reserved. # @(#) Copyright (C) 2014 by KUDOS BV <info@kudos.be>. All rights reserved.
# #
# This program is a free software; you can redistribute it and/or modify # This program is a free software; you can redistribute it and/or modify
# it under the same terms of the GNU General Public License as published by # it under the same terms of the GNU General Public License as published by
@ -29,7 +29,7 @@ use Pod::Usage;
# ------------------------- CONFIGURATION starts here ------------------------- # ------------------------- CONFIGURATION starts here -------------------------
# define the V.R.F (version/release/fix) # define the V.R.F (version/release/fix)
my $MY_VRF = "1.0.0"; my $script_version = "2025-04-27";
# always assume RSA keys! # always assume RSA keys!
my $key_algo = 'ssh-rsa'; my $key_algo = 'ssh-rsa';
# ------------------------- CONFIGURATION ends here --------------------------- # ------------------------- CONFIGURATION ends here ---------------------------
@ -62,7 +62,7 @@ pod2usage(-verbose => 0) unless (%options);
# check version parameter # check version parameter
if ($options{'version'}) { if ($options{'version'}) {
print "INFO: $0: version $MY_VRF"; print "INFO: $0: version $script_version";
exit (0); exit (0);
} }
# check help parameter # check help parameter
@ -194,8 +194,4 @@ S< >Show version of the script.
=head1 AUTHOR =head1 AUTHOR
(c) KUDOS BVBA, Patrick Van der Veken (c) KUDOS BV, Patrick Van der Veken
=head1 HISTORY
@(#) 2014-12-20: VRF 1.0.0: first version [Patrick Van der Veken]

18
manage_ssh.sh
View File

@ -2,7 +2,7 @@
#****************************************************************************** #******************************************************************************
# @(#) manage_ssh.sh # @(#) manage_ssh.sh
#****************************************************************************** #******************************************************************************
# @(#) Copyright (C) 2014 by KUDOS BVBA (info@kudos.be). All rights reserved. # @(#) Copyright (C) 2014 by KUDOS BV (info@kudos.be). All rights reserved.
# #
# This program is a free software; you can redistribute it and/or modify # This program is a free software; you can redistribute it and/or modify
# it under the same terms of the GNU General Public License as published by # it under the same terms of the GNU General Public License as published by
@ -43,7 +43,7 @@
# or LOCAL_CONFIG_FILE instead # or LOCAL_CONFIG_FILE instead
# define the version (YYYY-MM-DD) # define the version (YYYY-MM-DD)
typeset -r SCRIPT_VERSION="2021-06-17" typeset -r SCRIPT_VERSION="2025-04-28"
# name of the global configuration file (script) # name of the global configuration file (script)
typeset -r GLOBAL_CONFIG_FILE="manage_ssh.conf" typeset -r GLOBAL_CONFIG_FILE="manage_ssh.conf"
# name of the local configuration file (script) # name of the local configuration file (script)
@ -604,7 +604,7 @@ function display_usage
cat << EOT cat << EOT
**** ${SCRIPT_NAME} **** **** ${SCRIPT_NAME} ****
**** (c) KUDOS BVBA - Patrick Van der Veken **** **** (c) KUDOS BV - Patrick Van der Veken ****
Performs basic functions for SSH controls: update SSH keys locally or Performs basic functions for SSH controls: update SSH keys locally or
remote, create SSH key fingerprints or copy/distribute the SSH controls files remote, create SSH key fingerprints or copy/distribute the SSH controls files
@ -1560,6 +1560,15 @@ else
fi fi
# check bit count # check bit count
case "${FINGERPRINT}" in case "${FINGERPRINT}" in
256*)
KEY_256_COUNT=$(( KEY_256_COUNT + 1 ))
;;
384*)
KEY_384_COUNT=$(( KEY_384_COUNT + 1 ))
;;
521*)
KEY_521_COUNT=$(( KEY_521_COUNT + 1 ))
;;
1024*) 1024*)
KEY_1024_COUNT=$(( KEY_1024_COUNT + 1 )) KEY_1024_COUNT=$(( KEY_1024_COUNT + 1 ))
;; ;;
@ -2058,6 +2067,9 @@ case ${ARG_ACTION} in
done done
fi fi
log "${KEY_COUNT} public keys discovered with following bits distribution:" log "${KEY_COUNT} public keys discovered with following bits distribution:"
log " 256 bits: ${KEY_256_COUNT}"
log " 384 bits: ${KEY_384_COUNT}"
log " 521 bits: ${KEY_521_COUNT}"
log " 1024 bits: ${KEY_1024_COUNT}" log " 1024 bits: ${KEY_1024_COUNT}"
log " 2048 bits: ${KEY_2048_COUNT}" log " 2048 bits: ${KEY_2048_COUNT}"
log " 4096 bits: ${KEY_4096_COUNT}" log " 4096 bits: ${KEY_4096_COUNT}"

3
update_ssh.conf
View File

@ -12,6 +12,9 @@
# use short hostnames or FQDN (0=short names; 1=FQDN) [default: 0] # use short hostnames or FQDN (0=short names; 1=FQDN) [default: 0]
use_fqdn=1 use_fqdn=1
# ignore errors during key deployment (0=no; 1=yes [default: 0])
ignore_errors=0
# target directory for allowed SSH key files # target directory for allowed SSH key files
access_dir=/etc/ssh_controls/keys.d access_dir=/etc/ssh_controls/keys.d

60
update_ssh.pl
View File

@ -31,7 +31,7 @@ use Pod::Usage;
# ------------------------- CONFIGURATION starts here ------------------------- # ------------------------- CONFIGURATION starts here -------------------------
# define the version (YYYY-MM-DD) # define the version (YYYY-MM-DD)
my $script_version = "2021-01-12"; my $script_version = "2025-04-28";
# name of global configuration file (no path, must be located in the script directory) # name of global configuration file (no path, must be located in the script directory)
my $global_config_file = "update_ssh.conf"; my $global_config_file = "update_ssh.conf";
# name of localized configuration file (no path, must be located in the script directory) # name of localized configuration file (no path, must be located in the script directory)
@ -42,7 +42,9 @@ my $max_recursion = 5;
my %selinux_contexts = ( '5' => 'sshd_key_t', my %selinux_contexts = ( '5' => 'sshd_key_t',
'6' => 'ssh_home_t', '6' => 'ssh_home_t',
'7' => 'ssh_home_t', '7' => 'ssh_home_t',
'8' => 'ssh_home_t'); '8' => 'ssh_home_t',
'9' => 'ssh_home_t',
'10' => 'ssh_home_t');
# disallowed paths for home directories for accounts # disallowed paths for home directories for accounts
my @disallowed_homes = ('/', '/etc', '/bin', '/sbin', '/usr/bin', '/usr/sbin'); my @disallowed_homes = ('/', '/etc', '/bin', '/sbin', '/usr/bin', '/usr/sbin');
# disallowed login shells for @accounts # disallowed login shells for @accounts
@ -51,7 +53,7 @@ my @disallowed_shells = ('/bin/nologin','/bin/false','/sbin/nologin','/sbin/fals
my $key_location='use_controls'; my $key_location='use_controls';
# ------------------------- CONFIGURATION ends here --------------------------- # ------------------------- CONFIGURATION ends here ---------------------------
# initialize variables # initialize variables
my ($debug, $verbose, $preview, $remove, $global, $use_fqdn) = (0,0,0,0,0,0); my ($debug, $verbose, $preview, $remove, $global, $use_fqdn, $ignore_errors) = (0,0,0,0,0,0,0);
my (@config_files, @zombie_files, $access_dir, $blacklist_file); my (@config_files, @zombie_files, $access_dir, $blacklist_file);
my (%options, @uname, @pwgetent, @accounts, %aliases, %keys, %access, @blacklist); my (%options, @uname, @pwgetent, @accounts, %aliases, %keys, %access, @blacklist);
my ($os, $hostname, $run_dir, $authorizedkeys_option); my ($os, $hostname, $run_dir, $authorizedkeys_option);
@ -98,6 +100,10 @@ sub parse_config_file {
$use_fqdn = $1; $use_fqdn = $1;
do_log ("DEBUG: picking up setting: use_fqdn=${use_fqdn}"); do_log ("DEBUG: picking up setting: use_fqdn=${use_fqdn}");
} }
if (/^\s*ignore_errors\s*=\s*(0|1)\s*$/) {
$ignore_errors = $1;
do_log ("DEBUG: picking up setting: ignore_errors=${ignore_errors}");
}
if (/^\s*access_dir\s*=\s*([0-9A-Za-z_\-\.\/~]+)\s*$/) { if (/^\s*access_dir\s*=\s*([0-9A-Za-z_\-\.\/~]+)\s*$/) {
$access_dir = $1; $access_dir = $1;
do_log ("DEBUG: picking up setting: access_dir=${access_dir}"); do_log ("DEBUG: picking up setting: access_dir=${access_dir}");
@ -153,12 +159,24 @@ sub set_file {
my ($file, $perm, $uid, $gid) = @_; my ($file, $perm, $uid, $gid) = @_;
chmod ($perm, "$file") my $rc = chmod ($perm, "$file");
or do_log ("ERROR: cannot set permissions on $file [$!/$hostname]") if (!$rc) {
and exit (1); if ($ignore_errors) {
chown ($uid, $gid, "$file") do_log ("ERROR: cannot set permissions on $file [$!/$hostname] -- IGNORED");
or do_log ("ERROR: cannot set ownerships on $file [$!/$hostname]") } else {
and exit (1); do_log ("ERROR: cannot set permissions on $file [$!/$hostname]");
exit (1);
}
}
my $rc = chown ($uid, $gid, "$file");
if (!$rc) {
if ($ignore_errors) {
do_log ("ERROR: cannot set ownerships on $file [$!/$hostname] -- IGNORED");
} else {
do_log ("ERROR: cannot set ownerships on $file [$!/$hostname]");
exit (1);
}
}
return (1); return (1);
} }
@ -179,6 +197,7 @@ if ( @ARGV > 0 ) {
debug|d debug|d
help|h|? help|h|?
global|g global|g
ignore|i
preview|p preview|p
remove|r remove|r
verbose|v verbose|v
@ -202,6 +221,10 @@ if ($options{'help'}) {
if ($options{'global'}) { if ($options{'global'}) {
$global = 1; $global = 1;
} }
# check ignore parameter
if ($options{'ignore'}) {
$ignore_errors = 1;
}
# check preview parameter # check preview parameter
if ($options{'preview'}) { if ($options{'preview'}) {
$preview = 1; $preview = 1;
@ -618,6 +641,14 @@ unless ($preview) {
$linux_version = 8; $linux_version = 8;
last SWITCH_RELEASE; last SWITCH_RELEASE;
}; };
$release_string =~ m/release 9/i && do {
$linux_version = 9;
last SWITCH_RELEASE;
};
$release_string =~ m/release 10/i && do {
$linux_version = 8;
last SWITCH_RELEASE;
};
} }
} }
# use fall back in case we cannot determine the version # use fall back in case we cannot determine the version
@ -783,6 +814,7 @@ update_ssh.pl - distributes SSH public keys in a desired state model.
update_ssh.pl[-d|--debug] update_ssh.pl[-d|--debug]
[-h|--help] [-h|--help]
[-i|--ignore]
([-p|--preview] [-g|--global]) | [-r|--remove] ([-p|--preview] [-g|--global]) | [-r|--remove]
[-v|--verbose] [-v|--verbose]
[-V|--version] [-V|--version]
@ -819,6 +851,8 @@ Following settings must be configured:
=item * B<use_fqdn> : whether to use short or FQDN host names =item * B<use_fqdn> : whether to use short or FQDN host names
=item * B<ignore_errors> : whether to ignore errors during key deployment
=item * B<access_dir> : target directory for allowed SSH public key files =item * B<access_dir> : target directory for allowed SSH public key files
=item * B<key_location> : whether or not to use AuthorizedkeysFile setting in sshd_config for overriding $access_dir =item * B<key_location> : whether or not to use AuthorizedkeysFile setting in sshd_config for overriding $access_dir
@ -849,11 +883,15 @@ S< >Be I<very> verbose during execution; show array/hash dumps.
S< >Show the help page. S< >Show the help page.
=item -i | --ignore
S< >Ignore errors during key deployment.
=item -p | --preview =item -p | --preview
S< >Do not actually distribute any SSH public keys, nor update/remove any 'authorized_keys' files. S< >Do not actually distribute any SSH public keys, nor update/remove any 'authorized_keys' files.
=item -p | --global =item -g | --global
S< >Must be used in conjunction with the --preview option. This will dump the global namespace/configuration to STDOUT. S< >Must be used in conjunction with the --preview option. This will dump the global namespace/configuration to STDOUT.
@ -883,4 +921,4 @@ S< >Show version of the script.
=head1 AUTHOR =head1 AUTHOR
(c) KUDOS BVBA, Patrick Van der Veken (c) KUDOS BV, Patrick Van der Veken