kudos/ssh_controls
2
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: kudos:master
Branches Tags
kudos:master
kudos:getent
..
compare: kudos:getent
Branches Tags
kudos:master
kudos:getent

No commits in common. "master" and "getent" have entirely different histories.
master ... getent

7 changed files with 511 additions and 1796 deletions
Show Stats Expand all files Collapse all files

30
README.md
View File

@ -1,21 +1,11 @@
<p align="center"><img src="logo.png" alt="SSH Controls Logo"></p>
## What's new
:loudspeaker: **25/07/2025**:
* added the creation of the `$HOME/.ssh` directory when running as `root`.
## About
# SSH Controls
SSH Controls is a light-weight SSH **public key** distribution & management framework
* uses a **desired state** model: SSH Controls *pushes* public keys from a key master (or slave) server onto client host(s) and applies them according to the central configuration.
* uses a **desired state** model: SSH Controls pushes public keys from a key master server onto client host and applies them according to the central configuration.
* uses **SSH** as **transport** mechanism: eat your own dog food. SSH Controls connects to client hosts through the secure path of SSH and using a public key that is under its own control.
* uses **SSH** as **transport** mechanism: eat your own dogfood. SSH Controls connects to client hosts through the secure path of SSH and using a public key that is under its own control.
* supports a **Master→Slave→Client** model so that information can be propagated within more complex LAN set-ups.
* can **shield** public keys from owners/users on client systems: SSH Controls may require the standard `sshd_config` to be reconfigured with an alternate path for the `AuthorizedKeysFile` setting so that public keys are stored in common location which cannot be manipulated by the owners of the public keys. This allows for more administrative control and better security.
* **shields** public keys from owners/users on client systems: SSH Controls requires the standard sshd_config to be reconfigured with an alternate path for the AuthorizedKeysFile setting so that public keys are stored in common location which cannot be manipulated by the owners of the public keys. This allows for more administrative control and better security.
* performs operations with **least privileges**: copy/distribute operations are performed with a low-privileged account. Only the actual key updates requires super-user privileges which need to be configured via SUDO.
@ -23,16 +13,10 @@ SSH Controls is a light-weight SSH **public key** distribution & management fram
* can assign a single public key to **multiple** OS accounts: SSH Controls allows an user to log on under multiple accounts using the same key. Auditing of the connecting user and the target account is possible using fingerprinting.
* allows the use of (nested) **groups** in the master configuration: users, keys and hosts can be grouped in the SSH master configuration files to allow a simplified configuration. Nesting of groups is allowed up to *5 levels* deep.
* allows the use of (nested) **groups** in the specification of the *push* targets. Either via the `--targets` command-line parameter or via the `targets` configuration file.
* allows the use of (nested) **groups** in the master configuration: users, keys and hosts can be grouped in the SSH master configuration files to allow a simplified configuration. Nesting of groups is allowed up to one level deep.
* allows compromised public keys to be **blacklisted**: SSH Controls will deny the use of public keys that have been administrative blacklisted. Blacklisting happens on the SSH master and is applied to all client hosts.
* can discover host public keys to (re)create `known_hosts` file(s) for a large amount of hosts
* supports *md5* and *sha512* fingerprint **hashes** (if the installed SSH version supports these hash types)
* requires **no client agent** component and is **stateless**: SSH Controls performs operations by pushing keys or commands to client hosts. Update processes on the client hosts will only be started on-demand. If the SSH master is - for whatever reason - unavailable then active keys on a client host remain in place and logons are still possible.
* is **easy** to **configure** and **maintain** (command-line based): the configuration is stored in a limited number of flat files and be easily updated. A very rudimentary syntax checking facility is also available to check the consistency of the most important (master) configuration files.
@ -42,6 +26,6 @@ SSH Controls does NOT:
* manage or distribute SSH **private keys**: SSH private keys should be controlled and managed (and safeguarded!) by the actual owners. Though one could consider SSH key pairs of generic accounts (such as application accounts) as an exception, SSH Controls currently does not support the management of private keys.
More documentation can be found at <https://www.kudos.be/ssh_controls/>
* discover SSH **host keys**: SSH Controls will silently ignore any questions related to host keys discoveries upon the first connection to client hosts. If you are managing a large number of client hosts, you may want to prepare a known_hosts file in advance or else let the host keys be added automatically upon first public key distribution.
*Logo created with [Free Logo Maker](https://logomakr.com)*
More documentation can be found at http://www.kudos.be/Projects/SSH_Controls.html

12
convert_pubkey.pl
View File

@ -2,7 +2,7 @@
#******************************************************************************
# @(#) convert_pubkey.pl
#******************************************************************************
# @(#) Copyright (C) 2014 by KUDOS BV <info@kudos.be>. All rights reserved.
# @(#) Copyright (C) 2014 by KUDOS BVBA <info@kudos.be>. All rights reserved.
#
# This program is a free software; you can redistribute it and/or modify
# it under the same terms of the GNU General Public License as published by
@ -29,7 +29,7 @@ use Pod::Usage;
# ------------------------- CONFIGURATION starts here -------------------------
# define the V.R.F (version/release/fix)
my $script_version = "2025-04-27";
my $MY_VRF = "1.0.0";
# always assume RSA keys!
my $key_algo = 'ssh-rsa';
# ------------------------- CONFIGURATION ends here ---------------------------
@ -62,7 +62,7 @@ pod2usage(-verbose => 0) unless (%options);
# check version parameter
if ($options{'version'}) {
print "INFO: $0: version $script_version";
print "INFO: $0: version $MY_VRF";
exit (0);
}
# check help parameter
@ -194,4 +194,8 @@ S< >Show version of the script.
=head1 AUTHOR
(c) KUDOS BV, Patrick Van der Veken
(c) KUDOS BVBA, Patrick Van der Veken
=head1 HISTORY
@(#) 2014-12-20: VRF 1.0.0: first version [Patrick Van der Veken]

BIN
logo.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 6.9 KiB

31
manage_ssh.conf
View File

@ -13,17 +13,17 @@
# (leave blank for current user)
SSH_TRANSFER_USER=""
# name of the UNIX group that should own the SSH controls files (must exist already)
# name of the OS group that should own the SSH controls files
SSH_OWNER_GROUP="sshadmin"
# whether a 'chmod' needs to be executed after each sftp transfer [0=No; 1=Yes]
DO_SFTP_CHMOD=1
# whether a 'chmod' needs to be executed after each sftp transfer [0=Yes; 1=No]
DO_SFTP_CHMOD=0
# extra arguments/options for the SFTP command
SFTP_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -o BatchMode=yes -b - "
SFTP_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -b - "
# extra arguments/options for the SSH command
SSH_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -o BatchMode=yes -n"
SSH_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -n"
# location of the local SSH controls directory
LOCAL_DIR="/etc/ssh_master"
@ -32,27 +32,12 @@ LOCAL_DIR="/etc/ssh_master"
REMOTE_DIR="/etc/ssh_controls/holding"
# name of the user account performing the SSH controls update
# (leave blank for current user running script)
# user should have remote sudo root privs (except when using user 'root')
# (leave blank for current user but user should have remote sudo root privs)
SSH_UPDATE_USER=""
# options to pass to update_ssh.pl when executing a key update
SSH_UPDATE_OPTS="--verbose --remove"
# path to the ssh-keyscan too
SSH_KEYSCAN_BIN="/usr/bin/ssh-keyscan"
# extra arguments/options for the ssh-keyscan command
# by default -f <file> is used by manage_sudo.sh to supply hostnames, do not add here
SSH_KEYSCAN_ARGS="-t rsa"
# whether to start an SSH agent process for the master->client operations [0=No; 1=Yes]
DO_SSH_AGENT=0
# location of the SSH private key that should be added to the SSH agent process
# must be a passphrase-less key (required when using DO_SSH_AGENT)
SSH_PRIVATE_KEY="$HOME/.ssh/id_rsa"
# maximum number of background process to spawn (~maxuprc, ~nstrpty etc)
MAX_BACKGROUND_PROCS=30
@ -62,10 +47,6 @@ BACKUP_DIR="${LOCAL_DIR}/backup"
# location of log directory (default), see --log-dir)
LOG_DIR="/var/log"
# type of fingerpint (md5, sha256)
FINGERPRINT_TYPE="md5"
#******************************************************************************
# End of FILE
#******************************************************************************

1626
manage_ssh.sh
View File

File diff suppressed because it is too large Load Diff

15
update_ssh.conf
View File

@ -12,22 +12,11 @@
# use short hostnames or FQDN (0=short names; 1=FQDN) [default: 0]
use_fqdn=1
# ignore errors during key deployment (0=no; 1=yes [default: 0])
ignore_errors=0
# target directory for allowed SSH key files
access_dir=/etc/ssh_controls/keys.d
# toggle to specify the final location of public keys by allowing to override
# the value of $access_dir with the 'AuthorizedKeysFile' in sshd (=enables the
# use of $HOME/.ssh for public keys for example):
# 'use_controls': take the value from the configured 'access_dir' option
# 'use_sshd' : use the value from 'AuthorizedKeysFile' setting in sshd
# [default: use_controls]
key_location=use_controls
access_dir=/etc/kudos/ssh_controls/keys.d
# location of the keys blacklist file
blacklist_file=/etc/ssh_controls/keys.blacklisted
blacklist_file=/etc/kudos/ssh_controls/keys.blacklisted
#******************************************************************************
# End of FILE

331
update_ssh.pl
View File

@ -2,7 +2,7 @@
#******************************************************************************
# @(#) update_ssh.pl
#******************************************************************************
# @(#) Copyright (C) 2014 by KUDOS BV <info@kudos.be>. All rights reserved.
# @(#) Copyright (C) 2014 by KUDOS BVBA <info@kudos.be>. All rights reserved.
#
# This program is a free software; you can redistribute it and/or modify
# it under the same terms of the GNU General Public License as published by
@ -41,34 +41,23 @@ use Pod::Usage;
#******************************************************************************
# ------------------------- CONFIGURATION starts here -------------------------
# define the version (YYYY-MM-DD)
my $script_version = "2025-07-25";
# define the V.R.F (version/release/fix)
my $MY_VRF = "1.2.0";
# name of global configuration file (no path, must be located in the script directory)
my $global_config_file = "update_ssh.conf";
# name of localized configuration file (no path, must be located in the script directory)
my $local_config_file = "update_ssh.conf.local";
# maxiumum level of recursion for alias resolution
my $max_recursion = 5;
# selinux context labels of key files for different RHEL version
my %selinux_contexts = ( '5' => 'sshd_key_t',
'6' => 'ssh_home_t',
'7' => 'ssh_home_t',
'8' => 'ssh_home_t',
'9' => 'ssh_home_t',
'10' => 'ssh_home_t');
# disallowed paths for home directories for accounts
my @disallowed_homes = ('/', '/etc', '/bin', '/sbin', '/usr/bin', '/usr/sbin');
# disallowed login shells for @accounts
my @disallowed_shells = ('/bin/nologin','/bin/false','/sbin/nologin','/sbin/false');
# default toggle for key location
my $key_location='use_controls';
'7' => 'ssh_home_t');
# ------------------------- CONFIGURATION ends here ---------------------------
# initialize variables
my ($debug, $verbose, $preview, $remove, $global, $use_fqdn, $ignore_errors) = (0,0,0,0,0,0,0);
my ($debug, $verbose, $preview, $remove, $global, $use_fqdn) = (0,0,0,0,0,0);
my (@config_files, @zombie_files, $access_dir, $blacklist_file);
my (%options, @uname, @pwgetent, @accounts, %aliases, %keys, %access, @blacklist);
my ($os, $hostname, $run_dir, $authorizedkeys_option);
my ($selinux_status, $selinux_context, $linux_version, $has_selinux, $recursion_count) = ("","","",0,1);
my ($os, $hostname, $run_dir);
my ($selinux_status, $selinux_context, $linux_version, $has_selinux) = ("","","",0);
$|++;
@ -98,7 +87,7 @@ sub parse_config_file {
my $config_file = shift;
unless (open (CONF_FD, "<", $config_file)) {
do_log ("ERROR: failed to open the configuration file ${config_file} [$!/$hostname]")
do_log ("ERROR: failed to open the configuration file ${config_file} [$! $hostname]")
and exit (1);
}
while (<CONF_FD>) {
@ -107,25 +96,14 @@ sub parse_config_file {
if (/^\s*$/ || /^#/) {
next;
} else {
if (/^\s*use_fqdn\s*=\s*(0|1)\s*$/) {
if (/^\s*use_fqdn\s*=\s*([0-9]+)\s*$/) {
$use_fqdn = $1;
do_log ("DEBUG: picking up setting: use_fqdn=${use_fqdn}");
}
if (/^\s*ignore_errors\s*=\s*(0|1)\s*$/) {
$ignore_errors = $1;
do_log ("DEBUG: picking up setting: ignore_errors=${ignore_errors}");
}
if (/^\s*access_dir\s*=\s*([0-9A-Za-z_\-\.\/~]+)\s*$/) {
$access_dir = $1;
do_log ("DEBUG: picking up setting: access_dir=${access_dir}");
}
if (/^\s*key_location\s*=\s*(use_controls|use_sshd)\s*/) {
$key_location = $1;
do_log ("DEBUG: picking up setting: key_location=${key_location}");
if ($key_location eq 'use_sshd') {
do_log ("DEBUG: applied setting: key_location=${key_location}");
}
}
if (/^\s*blacklist_file\s*=\s*([0-9A-Za-z_\-\.\/~]+)\s*$/) {
$blacklist_file = $1;
# support tilde (~) expansion for ~root
@ -170,24 +148,12 @@ sub set_file {
my ($file, $perm, $uid, $gid) = @_;
my $rc = chmod ($perm, "$file");
if (!$rc) {
if ($ignore_errors) {
do_log ("ERROR: cannot set permissions on $file [$!/$hostname] -- IGNORED");
} else {
do_log ("ERROR: cannot set permissions on $file [$!/$hostname]");
exit (1);
}
}
my $rc = chown ($uid, $gid, "$file");
if (!$rc) {
if ($ignore_errors) {
do_log ("ERROR: cannot set ownerships on $file [$!/$hostname] -- IGNORED");
} else {
do_log ("ERROR: cannot set ownerships on $file [$!/$hostname]");
exit (1);
}
}
chmod ($perm, "$file")
or do_log ("ERROR: cannot set permissions on $file [$! $hostname]")
and exit (1);
chown ($uid, $gid, "$file")
or do_log ("ERROR: cannot set ownerships on $file [$! $hostname]")
and exit (1);
return (1);
}
@ -208,7 +174,6 @@ if ( @ARGV > 0 ) {
debug|d
help|h|?
global|g
ignore|i
preview|p
remove|r
verbose|v
@ -220,7 +185,7 @@ pod2usage(-verbose => 0) unless (%options);
# check version parameter
if ($options{'version'}) {
$verbose = 1;
do_log ("INFO: $0: version $script_version");
do_log ("INFO: $0: version $MY_VRF");
exit (0);
}
# check help parameter
@ -232,10 +197,6 @@ if ($options{'help'}) {
if ($options{'global'}) {
$global = 1;
}
# check ignore parameter
if ($options{'ignore'}) {
$ignore_errors = 1;
}
# check preview parameter
if ($options{'preview'}) {
$preview = 1;
@ -265,7 +226,7 @@ $verbose = 1 if ($options{'verbose'});
# where am I? (1/2)
$0 =~ /^(.+[\\\/])[^\\\/]+[\\\/]*$/;
$run_dir = $1 || ".";
my $run_dir = $1 || ".";
$run_dir =~ s#/$##; # remove trailing slash
# don't do anything without configuration file(s)
@ -282,19 +243,30 @@ foreach my $config_file (@config_files) {
parse_config_file ($config_file);
}
# is the target directory for keys present? (not for global preview and
# not when $key_location is use_sshd)
unless (($preview and $global) or $key_location eq 'use_sshd') {
do_log ("INFO: checking for SSH controls mode ...");
# is the target directory for keys present? (not for global preview)
unless ($preview and $global) {
do_log ("INFO: checking for SSH control mode ...");
if (-d $access_dir) {
do_log ("INFO: host is under SSH controls via $access_dir");
} else {
if ($key_location eq 'use_sshd') {
do_log ("INFO: skipped check since public key location is determined by sshd [$hostname]")
do_log ("INFO: host is under SSH control via $access_dir");
} else {
do_log ("ERROR: host is not under SSH keys only control [$hostname]")
and exit (1);
}
}
# do we have a blacklist file? (optional) (not for global preview)
unless ($preview and $global) {
do_log ("INFO: checking for keys blacklist file ...");
if (-f $blacklist_file) {
open (BLACKLIST, "<", $blacklist_file) or \
do_log ("ERROR: cannot read keys blacklist file [$! $hostname]")
and exit (1);
@blacklist = <BLACKLIST>;
close (BLACKLIST);
do_log ("INFO: keys blacklist file found with ".scalar (@blacklist)." entr(y|ies) on $hostname");
print Dumper (\@blacklist) if $debug;
} else {
do_log ("WARN: no keys blacklist file found [$hostname]");
}
}
@ -317,49 +289,6 @@ if ($use_fqdn) {
do_log ("INFO: runtime info: ".getpwuid ($<)."; ${hostname}\@${run_dir}; Perl v$]");
# -----------------------------------------------------------------------------
# handle blacklist file
# -----------------------------------------------------------------------------
# do we have a blacklist file? (optional) (not for global preview)
unless ($preview and $global) {
do_log ("INFO: checking for keys blacklist file ...");
if (-f $blacklist_file) {
open (BLACKLIST, "<", $blacklist_file) or \
do_log ("ERROR: cannot read keys blacklist file [$!/$hostname]")
and exit (1);
@blacklist = <BLACKLIST>;
close (BLACKLIST);
do_log ("INFO: keys blacklist file found with ".scalar (@blacklist)." entr(y|ies) on $hostname");
print Dumper (\@blacklist) if $debug;
} else {
do_log ("WARN: no keys blacklist file found [$hostname]");
}
}
# -----------------------------------------------------------------------------
# resolve and check key location
# -----------------------------------------------------------------------------
if ($key_location eq 'use_sshd') {
# get sshd setting but only take 1st path into account
$authorizedkeys_option = qx#sshd -T | grep "authorizedkeysfile" 2>/dev/null | cut -f2 -d' '#;
chomp ($authorizedkeys_option);
if (defined ($authorizedkeys_option)) {
do_log ("INFO: AuthorizedkeysFile resolves to $authorizedkeys_option [$hostname]");
} else {
do_log ("ERROR: unable to get AuthorizedkeysFile value from sshd [$hostname]")
and exit (1);
}
} else {
# for SSH controls native logic we require an absolute path
if ($authorizedkeys_option =~ /^\//) {
do_log ("ERROR: option \$access_dir requires and absolute path [$hostname]")
and exit (1);
}
do_log ("DEBUG: applied default setting: key_location=${key_location}");
}
# -----------------------------------------------------------------------------
# collect user accounts via getpwent()
# result: @accounts
@ -381,14 +310,14 @@ do_log ("INFO: ".scalar (@accounts)." user accounts found on $hostname");
print Dumper (\@accounts) if $debug;
# -----------------------------------------------------------------------------
# read aliases for teams, servers and users (and resolve group definitions)
# read aliases for teams, servers and users
# result: %aliases
# -----------------------------------------------------------------------------
do_log ("INFO: reading 'alias' file ...");
open (ALIASES, "<", "${run_dir}/alias")
or do_log ("ERROR: cannot read 'alias' file [$!/$hostname]") and exit (1);
or do_log ("ERROR: cannot read 'alias' file [$! $hostname]") and exit (1);
while (<ALIASES>) {
my ($key, $value, @values);
@ -405,45 +334,13 @@ close (ALIASES);
do_log ("DEBUG: dumping unexpanded aliases:");
print Dumper (\%aliases) if $debug;
# resolve aliases recursively to a maxium of $max_recursion
while ($recursion_count <= $max_recursion) {
# crawl over all items in the hash %aliases
foreach my $key (keys (%aliases)) {
# crawl over all items in the array @{aliases{$key}}
my @new_array; my @filtered_array; # these are the working stashes
do_log ("DEBUG: expanded alias $key before recursion $recursion_count [$hostname]");
print Dumper (\@{$aliases{$key}}) if $debug;
foreach my $item (@{$aliases{$key}}) {
# is it a group?
if ($item =~ /^\@/) {
# expand the group if it exists
if ($aliases{$item}) {
# add current and new items to the working stash
if (@new_array) {
push (@new_array, @{$aliases{$item}});
} else {
@new_array = (@{$aliases{$key}}, @{$aliases{$item}});
}
# remove the original group item from the working stash
@filtered_array = grep { $_ ne $item } @new_array;
@new_array = @filtered_array;
} else {
do_log ("WARN: unable to resolve alias $item [$hostname]");
}
# no group, just add the item as-is to working stash
} else {
push (@new_array, $item);
}
}
# filter out dupes
my %seen;
@filtered_array = grep { not $seen{$_}++ } @new_array;
# re-assign working stash back to our original hash key
@{$aliases{$key}} = @filtered_array;
do_log ("DEBUG: expanded alias $key after recursion $recursion_count [$hostname]");
print Dumper (\@{$aliases{$key}}) if $debug;
}
$recursion_count++;
# we can nest aliases one level deep, so do a one-level recursive sort of lookup
# of the remaining '@' aliases. Input should be passed as comma-separated
# string to resolve_aliases so don't forget to smash everything back together
# first.
foreach my $key (keys (%aliases)) {
$aliases{$key} = [resolve_aliases (join (",", @{$aliases{$key}}))];
}
do_log ("INFO: ".scalar (keys (%aliases))." aliases found on $hostname");
@ -467,7 +364,7 @@ if (-d "${run_dir}/keys.d" && -f "${run_dir}/keys") {
if (-d "${run_dir}/keys.d") {
do_log ("INFO: local 'keys' are stored in a DIRECTORY on $hostname");
opendir (KEYS_DIR, "${run_dir}/keys.d")
or do_log ("ERROR: cannot open 'keys.d' directory [$!/$hostname]")
or do_log ("ERROR: cannot open 'keys.d' directory [$! $hostname]")
and exit (1);
while (my $key_file = readdir (KEYS_DIR)) {
next if ($key_file =~ /^\./);
@ -485,7 +382,7 @@ if (-d "${run_dir}/keys.d") {
# process 'keys' files
foreach my $key_file (@key_files) {
open (KEYS, "<", $key_file)
or do_log ("ERROR: cannot read 'keys' file [$!/$hostname]") and exit (1);
or do_log ("ERROR: cannot read 'keys' file [$! $hostname]") and exit (1);
do_log ("INFO: reading public keys from file: $key_file");
while (<KEYS>) {
@ -523,7 +420,7 @@ print Dumper(\%keys) if $debug;
do_log ("INFO: reading 'access' file ...");
open (ACCESS, "<", "${run_dir}/access")
or do_log ("ERROR: cannot read 'access' file [$!/$hostname]") and exit (1);
or do_log ("ERROR: cannot read 'access' file [$! $hostname]") and exit (1);
while (<ACCESS>) {
my ($who, $where, $what, @who, @where, @what);
@ -576,7 +473,7 @@ if ($preview && $global) {
do_log ("INFO: display GLOBAL configuration ....");
open (ACCESS, "<", "${run_dir}/access")
or do_log ("ERROR: cannot read 'access' file [$!/$hostname]") and exit (1);
or do_log ("ERROR: cannot read 'access' file [$! $hostname]") and exit (1);
while (<ACCESS>) {
my ($who, $where, $what, @who, @where, @what);
@ -611,8 +508,7 @@ if ($preview && $global) {
}
# -----------------------------------------------------------------------------
# distribute keys into authorized_keys files
# (defined by $key_location and/or $access_dir)
# distribute keys into authorized_keys files in $access_dir
# -----------------------------------------------------------------------------
do_log ("INFO: applying SSH access rules ....");
@ -648,18 +544,6 @@ unless ($preview) {
$linux_version = 7;
last SWITCH_RELEASE;
};
$release_string =~ m/release 8/i && do {
$linux_version = 8;
last SWITCH_RELEASE;
};
$release_string =~ m/release 9/i && do {
$linux_version = 9;
last SWITCH_RELEASE;
};
$release_string =~ m/release 10/i && do {
$linux_version = 8;
last SWITCH_RELEASE;
};
}
}
# use fall back in case we cannot determine the version
@ -681,62 +565,17 @@ unless ($preview) {
# only add authorized_keys for existing accounts,
# otherwise revoke access if needed
SET_KEY: foreach my $account (sort (@accounts)) {
foreach my $account (sort (@accounts)) {
my ($access_file, $authorizedkeys_file, $uid, $gid, $home_dir, $login_shell) = (undef, undef, undef, undef, undef, undef);
# set $access_file when using SSH controls logic
if ($key_location eq 'use_sshd' and defined ($authorizedkeys_option)) {
# use sshd logic (replacing %u,%h, %%)
$authorizedkeys_file = $authorizedkeys_option;
$authorizedkeys_file =~ s/%u/$account/g;
$authorizedkeys_file =~ s/%h/$hostname/g;
$authorizedkeys_file =~ s/%%/%/g;
# check relative path (assume $HOME needs to be added)
if ($authorizedkeys_file !~ /^\//) {
($uid, $gid, $home_dir, $login_shell) = (getpwnam($account))[2,3,7,8];
# do not accept invalid $HOME or shells
if (defined ($home_dir)) {
if (grep( /^$home_dir$/, @disallowed_homes) or grep( /^$login_shell/, @disallowed_shells)) {
do_log ("DEBUG: invalid HOME or SHELL for $account [$hostname]");
next SET_KEY;
} else {
$authorizedkeys_file = $home_dir."/".$authorizedkeys_file;
do_log ("DEBUG: adding $home_dir to public key path for $account [$hostname]");
}
} else {
do_log ("ERROR: unable to get HOME for $account [$hostname]");
next SET_KEY;
}
}
$access_file = $authorizedkeys_file;
} else {
# use native SSH controls logic
$access_file = "$access_dir/$account";
}
do_log ("DEBUG: public key location for $account resolves to $access_file [$hostname]");
my $access_file = "$access_dir/$account";
# only add authorised_keys if there are access definitions
if ($access{$account}) {
unless ($preview) {
# create $HOME/.ssh if needed but only when we are root
if ($key_location eq 'use_sshd' and defined ($authorizedkeys_option)) {
if ($> == 0) {
if (! -d "$home_dir/.ssh") {
mkdir ("$home_dir/.ssh", 0700)
or do_log "ERROR: failed to create the $home_dir/.ssh directory [$!/$hostname]"
and next SET_KEY;
chown ($uid, $gid, "$home_dir/.ssh")
or do_log "ERROR: failed to set onwerships on the $home_dir/.ssh directory [$!/$hostname]"
and next SET_KEY;
do_log ("DEBUG: created directory $home_dir/.ssh for $account [$hostname]");
}
}
}
open (KEYFILE, "+>", $access_file)
or do_log ("ERROR: cannot open file for writing at $access_file [$!/$hostname]")
and next SET_KEY;
or do_log ("ERROR: cannot open file for writing in $access_dir [$! $hostname]")
and exit (1);
}
foreach my $person (sort (@{$access{$account}})) {
my $real_name = $person;
@ -753,13 +592,9 @@ SET_KEY: foreach my $account (sort (@accounts)) {
}
close (KEYFILE) unless $preview;
# set ownerships/permissions on public key file and check for SELinux context
# set permissions to world readable and check for SELinux context
unless ($preview) {
if ($key_location eq 'use_controls') {
set_file ($access_file, 0644, 0, 0);
} else {
set_file ($access_file, 0600, $uid, $gid);
}
# selinux labels
SWITCH: {
$os eq "Linux" && do {
@ -776,7 +611,7 @@ SET_KEY: foreach my $account (sort (@accounts)) {
if (-f $access_file) {
unless ($preview) {
unlink ($access_file)
or do_log ("ERROR: cannot remove obsolete access file $access_file [$!/$hostname]")
or do_log ("ERROR: cannot remove obsolete access file(s) [$! $hostname]")
and exit (1);
} else {
do_log ("INFO: removing obsolete access $access_file on $hostname");
@ -786,35 +621,32 @@ SET_KEY: foreach my $account (sort (@accounts)) {
}
# -----------------------------------------------------------------------------
# alert on/remove extraneous authorized_keys files (SSH controls logic only)
# alert on/remove extraneous authorized_keys files
# (access files for which no longer a valid UNIX account exists)
# -----------------------------------------------------------------------------
if ($key_location eq 'use_controls') {
do_log ("INFO: checking for extraneous access files ....");
do_log ("INFO: checking for extraneous access files ....");
opendir (ACCESS_DIR, $access_dir)
or do_log ("ERROR: cannot open directory $access_dir [$!/$hostname]")
opendir (ACCESS_DIR, $access_dir)
or do_log ("ERROR: cannot open directory $access_dir [$! $hostname]")
and exit (1);
while (my $access_file = readdir (ACCESS_DIR)) {
while (my $access_file = readdir (ACCESS_DIR)) {
next if ($access_file =~ /^\./);
unless (grep (/$access_file/, @accounts)) {
do_log ("WARN: found extraneous access file in $access_dir/$access_file [$hostname]");
push (@zombie_files, "$access_dir/$access_file");
}
}
closedir (ACCESS_DIR);
do_log ("INFO: ".scalar (@zombie_files)." extraneous access file(s) found on $hostname");
print Dumper (\@zombie_files) if $debug;
}
closedir (ACCESS_DIR);
do_log ("INFO: ".scalar (@zombie_files)." extraneous access file(s) found on $hostname");
print Dumper (\@zombie_files) if $debug;
# remove if requested and needed
if ($remove && @zombie_files) {
# remove if requested and needed
if ($remove && @zombie_files) {
my $count = unlink (@zombie_files)
or do_log ("ERROR: cannot remove extraneous access file(s) [$!/$hostname]")
or do_log ("ERROR: cannot remove extraneous access file(s) [$! $hostname]")
and exit (1);
do_log ("INFO: $count extraneous access files removed $hostname");
}
}
exit (0);
@ -837,7 +669,6 @@ update_ssh.pl - distributes SSH public keys in a desired state model.
update_ssh.pl[-d|--debug]
[-h|--help]
[-i|--ignore]
([-p|--preview] [-g|--global]) | [-r|--remove]
[-v|--verbose]
[-V|--version]
@ -846,11 +677,9 @@ update_ssh.pl - distributes SSH public keys in a desired state model.
=head1 DESCRIPTION
B<update_ssh.pl> distributes SSH keys to the appropriate files (.e. 'authorized_keys') into the C<$access_dir> repository based on the F<access>, F<alias> and F<keys> files.
Alternatively B<update_ssh.pl> can distribute public keys to the location specified in the AuthorizedkeysFile setting of F<sshd_config> (allowing public keys to be distributed
to the traditional location in a user's HOME directory). See C<key_location> setting in F<update_ssh.conf[.local]>for more information.
This script should be run on each host where SSH key authentication is the exclusive method of (remote) authentication.
Orginally SSH public keys must be stored in a generic F<keys> file within the same directory as B<update_ssh.pl> script.
For update SSH public keys must be stored in a generic F<keys> file within the same directory as B<update_ssh.pl> script.
Alternatively key files may be stored as set of individual key files within a called sub-directory called F<keys.d>.
Both methods are mutually exclusive and the latter always take precedence.
@ -874,12 +703,8 @@ Following settings must be configured:
=item * B<use_fqdn> : whether to use short or FQDN host names
=item * B<ignore_errors> : whether to ignore errors during key deployment
=item * B<access_dir> : target directory for allowed SSH public key files
=item * B<key_location> : whether or not to use AuthorizedkeysFile setting in sshd_config for overriding $access_dir
=item * B<blacklist_file> : location of the file with blacklisted SSH public keys
=back
@ -887,7 +712,7 @@ Following settings must be configured:
=head1 BLACKLISTING
Key blacklisting can be performed by adding a public key definition in its entirety to the blacklist keys file. When a blacklisted key is
found in the available F<keys> file(s) during SSH controls updates, an alert will be shown on STDOUT and the key will be ignored for the rest.
found in the available F<keys> file(s) during SSH control updates, an alert will be shown on STDOUT and the key will be ignored for the rest.
Examples:
@ -906,15 +731,11 @@ S< >Be I<very> verbose during execution; show array/hash dumps.
S< >Show the help page.
=item -i | --ignore
S< >Ignore errors during key deployment.
=item -p | --preview
S< >Do not actually distribute any SSH public keys, nor update/remove any 'authorized_keys' files.
=item -g | --global
=item -p | --global
S< >Must be used in conjunction with the --preview option. This will dump the global namespace/configuration to STDOUT.
@ -944,4 +765,12 @@ S< >Show version of the script.
=head1 AUTHOR
(c) KUDOS BV, Patrick Van der Veken
(c) KUDOS BVBA, Patrick Van der Veken
=head1 history
@(#) 2014-12-04: VRF 1.0.0: first version [Patrick Van der Veken]
@(#) 2014-12-16: VRF 1.0.1: added SELinux context, new config option 'selinux_context' [Patrick Van der Veken]
@(#) 2015-08-08: VRF 1.0.2: small fix for 'cut' command [Patrick Van der Veken]
@(#) 2015-08-15: VRF 1.1.0: replace uname/hostname syscalls, now support for FQDN via $use_fqdn, other fixes [Patrick Van der Veken]
@(#) 2015-08-26: VRF 1.2.0: replace read of /etc/passwd by pwgetent() call, small and not so small fixes [Patrick Van der Veken]