* Fix for poor awk statements in update_fingerprints (Credits: Peter Stoops)

* Added FINGERPRINT_TYPE as configuration option (md5,sha256) (OpenSSH >v6.8)
This commit is contained in:
patvdv 2018-08-18 18:18:46 +02:00
parent 69ef9a72e0
commit f18086b0e2
2 changed files with 52 additions and 15 deletions


@ -62,6 +62,10 @@ BACKUP_DIR="${LOCAL_DIR}/backup"
# location of log directory (default), see --log-dir) # location of log directory (default), see --log-dir)
LOG_DIR="/var/log" LOG_DIR="/var/log"
# type of fingerpint (md5, sha256)
FINGERPRINT_TYPE="md5"
#****************************************************************************** #******************************************************************************
# End of FILE # End of FILE
#****************************************************************************** #******************************************************************************
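Review bot: The comment introduced with the new FINGERPRINT_TYPE option misspells "fingerprint" and does not tell the administrator that sha256 only takes effect when the local ssh-keygen accepts `-E` (OpenSSH 6.8 and later, per the commit message); on older versions the script falls back to MD5 with a warning. Suggested wording: `# type of fingerprint (md5, sha256); sha256 requires OpenSSH >= 6.8 (ssh-keygen -E), older versions fall back to md5`. The accepted values are matched case-insensitively by the script (md5|sha256|MD5|SHA256), which is worth stating here too.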


@ -43,7 +43,7 @@
# or LOCAL_CONFIG_FILE instead # or LOCAL_CONFIG_FILE instead
# define the V.R.F (version/release/fix) # define the V.R.F (version/release/fix)
MY_VRF="1.5.4" MY_VRF="1.6.0"
# name of the global configuration file (script) # name of the global configuration file (script)
GLOBAL_CONFIG_FILE="manage_ssh.conf" GLOBAL_CONFIG_FILE="manage_ssh.conf"
# name of the local configuration file (script) # name of the local configuration file (script)
@ -69,6 +69,7 @@ KEY_1024_COUNT=0
KEY_2048_COUNT=0 KEY_2048_COUNT=0
KEY_4096_COUNT=0 KEY_4096_COUNT=0
KEY_OTHER_COUNT=0 KEY_OTHER_COUNT=0
SSH_KEYGEN_OPTS=""
TMP_FILE="${TMP_DIR}/.${SCRIPT_NAME}.$$" TMP_FILE="${TMP_DIR}/.${SCRIPT_NAME}.$$"
TMP_RC_FILE="${TMP_DIR}/.${SCRIPT_NAME}.rc.$$" TMP_RC_FILE="${TMP_DIR}/.${SCRIPT_NAME}.rc.$$"
# command-line parameters # command-line parameters
@ -536,7 +537,7 @@ function distribute2host
SERVER="$1" SERVER="$1"
ERROR_COUNT=0 ERROR_COUNT=0
# convert line to hostname # convert line to hostname
SERVER=${SERVER%%;*} SERVER=${SERVER%%\;*}
resolve_host ${SERVER} resolve_host ${SERVER}
if (( $? )) if (( $? ))
then then
@ -1129,17 +1130,24 @@ FINGER_LINE="$1"
# line should have 3 fields # line should have 3 fields
FINGER_FIELDS=$(count_fields "${FINGER_LINE}" ",") FINGER_FIELDS=$(count_fields "${FINGER_LINE}" ",")
(( FINGER_FIELDS != 3 )) && \die "line '${FINGER_LINE}' has missing or too many field(s) (should be 3))" (( FINGER_FIELDS != 3 )) && die "line '${FINGER_LINE}' has missing or too many field(s) (should be 3))"
# create fingerprint # create fingerprint
FINGER_USER="$(print ${FINGER_LINE} | awk -F, '{print $1}')" FINGER_USER="$(print ${FINGER_LINE} | awk -F, '{print $1}')"
print "${FINGER_LINE}" | awk -F, '{print $2," ",$3}' > ${TMP_FILE} print "${FINGER_LINE}" | awk -F, '{print $2 " " $3}' > ${TMP_FILE}
# check if fingerprint is valid # check if fingerprint is valid
FINGERPRINT="$(ssh-keygen -l -f ${TMP_FILE} 2>&1)" FINGERPRINT="$(ssh-keygen ${SSH_KEYGEN_OPTS} -l -f ${TMP_FILE} 2>&1)"
FINGER_RC=$? FINGER_RC=$?
if (( ! FINGER_RC )) if (( ! FINGER_RC ))
then then
case "${OS_NAME}" in
HP-UX)
FINGER_ENTRY="$(print ${FINGERPRINT} | awk '{print $1,$2,$4}')" FINGER_ENTRY="$(print ${FINGERPRINT} | awk '{print $1,$2,$4}')"
;;
*)
FINGER_ENTRY="$(print ${FINGERPRINT} | awk '{print $1,$2,$5}')"
;;
esac
log "${FINGER_USER}->${FINGER_ENTRY}" log "${FINGER_USER}->${FINGER_ENTRY}"
print "${FINGER_USER} ${FINGER_ENTRY}" >> "${LOCAL_DIR}/fingerprints" print "${FINGER_USER} ${FINGER_ENTRY}" >> "${LOCAL_DIR}/fingerprints"
else else
@ -1187,7 +1195,7 @@ do
else else
wait ${PID} wait ${PID}
RC=$? RC=$?
if (( ${RC} )) if (( RC ))
then then
warn "child process ${PID} exited [RC=${RC}]" warn "child process ${PID} exited [RC=${RC}]"
WAIT_ERRORS=$(( WAIT_ERRORS + 1 )) WAIT_ERRORS=$(( WAIT_ERRORS + 1 ))
@ -1555,6 +1563,31 @@ case ${ARG_ACTION} in
log "ACTION: create key fingerprints into ${LOCAL_DIR}/fingerprints" log "ACTION: create key fingerprints into ${LOCAL_DIR}/fingerprints"
> "${LOCAL_DIR}/fingerprints" > "${LOCAL_DIR}/fingerprints"
# check fingerprint type
if [[ -n "${FINGERPRINT_TYPE}" ]]
then
case "${FINGERPRINT_TYPE}" in
md5|sha256|MD5|SHA256)
log "fingerprinting with type: ${FINGERPRINT_TYPE}"
;;
*)
die "unknown fingerprint type specified in the configuration file"
;;
esac
else
FINGERPRINT_TYPE="md5"
log "fingerprinting with type: ${FINGERPRINT_TYPE}"
fi
# check if ssh-keygen support fingerprint type
FAIL_SSH_KEYGEN=$(ssh-keygen -E 2>&1 | grep -c "illegal")
if (( ! FAIL_SSH_KEYGEN ))
then
SSH_KEYGEN_OPTS="-E ${FINGERPRINT_TYPE}"
else
warn "ssh-keygen only supports MD5 fingerprinting, regardless of your choice"
fi
# are keys stored in a file or a directory? # are keys stored in a file or a directory?
if [[ -n "${KEYS_DIR}" ]] if [[ -n "${KEYS_DIR}" ]]
then then
@ -1601,7 +1634,7 @@ case ${ARG_ACTION} in
fi fi
# check if the SSH control repo is already there # check if the SSH control repo is already there
if [[ ${FIX_CREATE} -eq 1 && ! -d "${FIX_DIR}" ]] if (( FIX_CREATE )) && [[ ! -d "${FIX_DIR}" ]]
then then
# create stub directories # create stub directories
mkdir -p "${FIX_DIR}/holding" 2>/dev/null || \ mkdir -p "${FIX_DIR}/holding" 2>/dev/null || \
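Review bot: The `-E` capability probe in the @ -1555 hunk, `FAIL_SSH_KEYGEN=$(ssh-keygen -E 2>&1 | grep -c "illegal")`, only recognises the BSD getopt wording; glibc-linked builds report `invalid option` instead, and the message is localised, so on such a host an ssh-keygen without `-E` support would be judged to support it, `-E md5` would be passed anyway and each `ssh-keygen -l` call in update_fingerprints would presumably fail instead of falling back to MD5. Matching both wordings in the C locale is a cheap improvement, `FAIL_SSH_KEYGEN=$(LC_ALL=C ssh-keygen -E 2>&1 | grep -c -E "illegal|invalid")`; a more robust check would exercise `-E ${FINGERPRINT_TYPE}` against a real key file and test the exit status rather than grep an error string. Relatedly, in the @ -1129 hunk the HP-UX/other split between `$4` and `$5` appears to track the ssh-keygen output format (whether the comment field is one or two words) rather than the OS, so `awk '{print $1,$2,$NF}'` would select the key-type field in both cases and remove the case statement. The case arm enclosing the probe starts and ends outside the hunk.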