kudos/ssh_controls
2
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

* Fix for poor awk statements in update_fingerprints (Credits: Peter Stoops)

Browse Source 
* Added FINGERPRINT_TYPE as configuration option (md5,sha256) (OpenSSH >v6.8)
This commit is contained in:
patvdv 2018-08-18 18:18:46 +02:00
parent 69ef9a72e0
commit f18086b0e2
2 changed files with 52 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
manage_ssh.conf
View File

@ -62,6 +62,10 @@ BACKUP_DIR="${LOCAL_DIR}/backup"
# location of log directory (default), see --log-dir) # location of log directory (default), see --log-dir)
LOG_DIR="/var/log" LOG_DIR="/var/log"
# type of fingerpint (md5, sha256)
FINGERPRINT_TYPE="md5"
#****************************************************************************** #******************************************************************************
# End of FILE # End of FILE
#****************************************************************************** #******************************************************************************

63
manage_ssh.sh
View File

@ -23,10 +23,10 @@
# EXPECTS: (see --help for more options) # EXPECTS: (see --help for more options)
# REQUIRES: check_config(), check_logging(), check_params(), check_root_user(), # REQUIRES: check_config(), check_logging(), check_params(), check_root_user(),
# check_setup(), check_syntax(), count_fields(), die(), display_usage(), # check_setup(), check_syntax(), count_fields(), die(), display_usage(),
# distribute2host(), distribute2slave(), do_cleanup(), fix2host(), # distribute2host(), distribute2slave(), do_cleanup(), fix2host(),
# fix2slave(), get_linux_name(), get_linux_version(), log(), logc(), # fix2slave(), get_linux_name(), get_linux_version(), log(), logc(),
# resolve_host(), sftp_file(), start_ssh_agent(), stop_ssh_agent(), # resolve_host(), sftp_file(), start_ssh_agent(), stop_ssh_agent(),
# update2host(), update2slave(), update_fingerprints(), # update2host(), update2slave(), update_fingerprints(),
# wait_for_children(), warn() # wait_for_children(), warn()
# For other pre-requisites see the documentation in display_usage() # For other pre-requisites see the documentation in display_usage()
# #
@ -43,7 +43,7 @@
# or LOCAL_CONFIG_FILE instead # or LOCAL_CONFIG_FILE instead
# define the V.R.F (version/release/fix) # define the V.R.F (version/release/fix)
MY_VRF="1.5.4" MY_VRF="1.6.0"
# name of the global configuration file (script) # name of the global configuration file (script)
GLOBAL_CONFIG_FILE="manage_ssh.conf" GLOBAL_CONFIG_FILE="manage_ssh.conf"
# name of the local configuration file (script) # name of the local configuration file (script)
@ -69,6 +69,7 @@ KEY_1024_COUNT=0
KEY_2048_COUNT=0 KEY_2048_COUNT=0
KEY_4096_COUNT=0 KEY_4096_COUNT=0
KEY_OTHER_COUNT=0 KEY_OTHER_COUNT=0
SSH_KEYGEN_OPTS=""
TMP_FILE="${TMP_DIR}/.${SCRIPT_NAME}.$$" TMP_FILE="${TMP_DIR}/.${SCRIPT_NAME}.$$"
TMP_RC_FILE="${TMP_DIR}/.${SCRIPT_NAME}.rc.$$" TMP_RC_FILE="${TMP_DIR}/.${SCRIPT_NAME}.rc.$$"
# command-line parameters # command-line parameters
@ -536,7 +537,7 @@ function distribute2host
SERVER="$1" SERVER="$1"
ERROR_COUNT=0 ERROR_COUNT=0
# convert line to hostname # convert line to hostname
SERVER=${SERVER%%;*} SERVER=${SERVER%%\;*}
resolve_host ${SERVER} resolve_host ${SERVER}
if (( $? )) if (( $? ))
then then
@ -1129,17 +1130,24 @@ FINGER_LINE="$1"
# line should have 3 fields # line should have 3 fields
FINGER_FIELDS=$(count_fields "${FINGER_LINE}" ",") FINGER_FIELDS=$(count_fields "${FINGER_LINE}" ",")
(( FINGER_FIELDS != 3 )) && \die "line '${FINGER_LINE}' has missing or too many field(s) (should be 3))" (( FINGER_FIELDS != 3 )) && die "line '${FINGER_LINE}' has missing or too many field(s) (should be 3))"
# create fingerprint # create fingerprint
FINGER_USER="$(print ${FINGER_LINE} | awk -F, '{print $1}')" FINGER_USER="$(print ${FINGER_LINE} | awk -F, '{print $1}')"
print "${FINGER_LINE}" | awk -F, '{print $2," ",$3}' > ${TMP_FILE} print "${FINGER_LINE}" | awk -F, '{print $2 " " $3}' > ${TMP_FILE}
# check if fingerprint is valid # check if fingerprint is valid
FINGERPRINT="$(ssh-keygen -l -f ${TMP_FILE} 2>&1)" FINGERPRINT="$(ssh-keygen ${SSH_KEYGEN_OPTS} -l -f ${TMP_FILE} 2>&1)"
FINGER_RC=$? FINGER_RC=$?
if (( ! FINGER_RC )) if (( ! FINGER_RC ))
then then
FINGER_ENTRY="$(print ${FINGERPRINT} | awk '{print $1,$2,$4}')" case "${OS_NAME}" in
HP-UX)
FINGER_ENTRY="$(print ${FINGERPRINT} | awk '{print $1,$2,$4}')"
;;
*)
FINGER_ENTRY="$(print ${FINGERPRINT} | awk '{print $1,$2,$5}')"
;;
esac
log "${FINGER_USER}->${FINGER_ENTRY}" log "${FINGER_USER}->${FINGER_ENTRY}"
print "${FINGER_USER} ${FINGER_ENTRY}" >> "${LOCAL_DIR}/fingerprints" print "${FINGER_USER} ${FINGER_ENTRY}" >> "${LOCAL_DIR}/fingerprints"
else else
@ -1187,7 +1195,7 @@ do
else else
wait ${PID} wait ${PID}
RC=$? RC=$?
if (( ${RC} )) if (( RC ))
then then
warn "child process ${PID} exited [RC=${RC}]" warn "child process ${PID} exited [RC=${RC}]"
WAIT_ERRORS=$(( WAIT_ERRORS + 1 )) WAIT_ERRORS=$(( WAIT_ERRORS + 1 ))
@ -1431,7 +1439,7 @@ case ${ARG_ACTION} in
# check for root or non-root model # check for root or non-root model
if [[ "${SSH_UPDATE_USER}" != "root" ]] if [[ "${SSH_UPDATE_USER}" != "root" ]]
then then
check_root_user && die "must NOT be run as user 'root'" check_root_user && die "must NOT be run as user 'root'"
fi fi
# start SSH agent (if needed) # start SSH agent (if needed)
if (( DO_SSH_AGENT && CAN_START_AGENT )) if (( DO_SSH_AGENT && CAN_START_AGENT ))
@ -1491,7 +1499,7 @@ case ${ARG_ACTION} in
# check for root or non-root model # check for root or non-root model
if [[ "${SSH_TRANSFER_USER}" != "root" ]] if [[ "${SSH_TRANSFER_USER}" != "root" ]]
then then
check_root_user && die "must NOT be run as user 'root'" check_root_user && die "must NOT be run as user 'root'"
fi fi
# start SSH agent (if needed) # start SSH agent (if needed)
if (( DO_SSH_AGENT && CAN_START_AGENT )) if (( DO_SSH_AGENT && CAN_START_AGENT ))
@ -1550,11 +1558,36 @@ case ${ARG_ACTION} in
# check for root or non-root model # check for root or non-root model
if [[ "${SSH_UPDATE_USER}" != "root" ]] if [[ "${SSH_UPDATE_USER}" != "root" ]]
then then
check_root_user && die "must NOT be run as user 'root'" check_root_user && die "must NOT be run as user 'root'"
fi fi
log "ACTION: create key fingerprints into ${LOCAL_DIR}/fingerprints" log "ACTION: create key fingerprints into ${LOCAL_DIR}/fingerprints"
> "${LOCAL_DIR}/fingerprints" > "${LOCAL_DIR}/fingerprints"
# check fingerprint type
if [[ -n "${FINGERPRINT_TYPE}" ]]
then
case "${FINGERPRINT_TYPE}" in
md5|sha256|MD5|SHA256)
log "fingerprinting with type: ${FINGERPRINT_TYPE}"
;;
*)
die "unknown fingerprint type specified in the configuration file"
;;
esac
else
FINGERPRINT_TYPE="md5"
log "fingerprinting with type: ${FINGERPRINT_TYPE}"
fi
# check if ssh-keygen support fingerprint type
FAIL_SSH_KEYGEN=$(ssh-keygen -E 2>&1 | grep -c "illegal")
if (( ! FAIL_SSH_KEYGEN ))
then
SSH_KEYGEN_OPTS="-E ${FINGERPRINT_TYPE}"
else
warn "ssh-keygen only supports MD5 fingerprinting, regardless of your choice"
fi
# are keys stored in a file or a directory? # are keys stored in a file or a directory?
if [[ -n "${KEYS_DIR}" ]] if [[ -n "${KEYS_DIR}" ]]
then then
@ -1601,7 +1634,7 @@ case ${ARG_ACTION} in
fi fi
# check if the SSH control repo is already there # check if the SSH control repo is already there
if [[ ${FIX_CREATE} -eq 1 && ! -d "${FIX_DIR}" ]] if (( FIX_CREATE )) && [[ ! -d "${FIX_DIR}" ]]
then then
# create stub directories # create stub directories
mkdir -p "${FIX_DIR}/holding" 2>/dev/null || \ mkdir -p "${FIX_DIR}/holding" 2>/dev/null || \
@ -1690,7 +1723,7 @@ case ${ARG_ACTION} in
# check for root or non-root model # check for root or non-root model
if [[ "${SSH_UPDATE_USER}" != "root" ]] if [[ "${SSH_UPDATE_USER}" != "root" ]]
then then
check_root_user && die "must NOT be run as user 'root'" check_root_user && die "must NOT be run as user 'root'"
fi fi
# start SSH agent (if needed) # start SSH agent (if needed)
if (( DO_SSH_AGENT && CAN_START_AGENT )) if (( DO_SSH_AGENT && CAN_START_AGENT ))