polynomialspace · September 23, 2019 20:29
diff --git a/ssh-keysign.sh b/ssh-keysign.sh
 #!/bin/sh

 print_help() {
 	echo "A script to copy ssh host keys via SCP and sign them with a local SSH CA"
 	echo
 	echo "Simple usage: ${0} -h <host>"
 	echo "The following options are accepted:"
 	echo " -h: specify the host"
 	echo " -H: override the hostname for SCP (default: same as -h)"
 	echo " -s: override location of CA privkey (default: /etc/ssh/ca)"
 	echo " -i: override identity of key to be signed (default: same as -h)"
 	echo " -n: override principals of key to be signed (default: same as -h)"
 	echo " -V: specify validity period of key to be signed (default: -1m:forever)"
 	echo
 	echo "If specifying -H, -i, and -n, you needn't specify -h"
 }

 CAFILE="/etc/ssh/ca"
 VALIDITY="-1m:forever"

 while getopts "h:H:s:i:n:V:" opt; do
 	case ${opt} in
 		h)
 		  HOST="${OPTARG}"
 		  ;;
 		H)
 		  SCPHOST="${OPTARG}"
 		  ;;
 		s)
 		  CAFILE="${OPTARG}"
 		  ;;
 		i)
 		  IDENTITY="${OPTARG}"
 		  ;;
 		n)
 		  PRINCIPALS="${OPTARG}"
 		  ;;
 		V)
 		  VALIDITY="${OPTARG}"
 		  ;;
 		\?)
 		  print_help
 		  exit
 		  ;;
 	esac
 done

 if [ -n "${HOST}" ]; then
 	if [ -z "${SCPHOST}" ]; then
 		SCPHOST="${HOST}"
 	fi
 	if [ -z "${IDENTITY}" ]; then
 		IDENTITY="${HOST}"
 	fi
 	if [ -z "${PRINCIPALS}" ]; then
 		PRINCIPALS="${HOST}"
 	fi
 elif [ -n "${SCPHOST}" ] && [ -n "${IDENTITY}" ] && [ -n "${PRINCIPALS}" ]; then
 	continue
 else
 	print_help
 	exit 1
 fi


 umask 77
 TMPDIR=$(mktemp -d)

 cd ${TMPDIR}

 scp ${SCPHOST}:'/etc/ssh/*.pub' ./ && \
 sudo ssh-keygen -s ${CAFILE} -h -I "${IDENTITY}" -n "${PRINCIPALS}" \
 	-V "${VALIDITY}" ./* && \
 echo "signed keys for ${HOST:-$IDENTITY} in ${TMPDIR}"
	#!/bin/sh

	print_help() {
	echo "A script to copy ssh host keys via SCP and sign them with a local SSH CA"
	echo
	echo "Simple usage: ${0} -h <host>"
	echo "The following options are accepted:"
	echo " -h: specify the host"
	echo " -H: override the hostname for SCP (default: same as -h)"
	echo " -s: override location of CA privkey (default: /etc/ssh/ca)"
	echo " -i: override identity of key to be signed (default: same as -h)"
	echo " -n: override principals of key to be signed (default: same as -h)"
	echo " -V: specify validity period of key to be signed (default: -1m:forever)"
	echo
	echo "If specifying -H, -i, and -n, you needn't specify -h"
	}

	CAFILE="/etc/ssh/ca"
	VALIDITY="-1m:forever"

	while getopts "h:H:s:i:n:V:" opt; do
	case ${opt} in
	h)
	HOST="${OPTARG}"
	;;
	H)
	SCPHOST="${OPTARG}"
	;;
	s)
	CAFILE="${OPTARG}"
	;;
	i)
	IDENTITY="${OPTARG}"
	;;
	n)
	PRINCIPALS="${OPTARG}"
	;;
	V)
	VALIDITY="${OPTARG}"
	;;
	\?)
	print_help
	exit
	;;
	esac
	done

	if [ -n "${HOST}" ]; then
	if [ -z "${SCPHOST}" ]; then
	SCPHOST="${HOST}"
	fi
	if [ -z "${IDENTITY}" ]; then
	IDENTITY="${HOST}"
	fi
	if [ -z "${PRINCIPALS}" ]; then
	PRINCIPALS="${HOST}"
	fi
	elif [ -n "${SCPHOST}" ] && [ -n "${IDENTITY}" ] && [ -n "${PRINCIPALS}" ]; then
	continue
	else
	print_help
	exit 1
	fi


	umask 77
	TMPDIR=$(mktemp -d)

	cd ${TMPDIR}

	scp ${SCPHOST}:'/etc/ssh/*.pub' ./ && \
	sudo ssh-keygen -s ${CAFILE} -h -I "${IDENTITY}" -n "${PRINCIPALS}" \
	-V "${VALIDITY}" ./* && \
	echo "signed keys for ${HOST:-$IDENTITY} in ${TMPDIR}"