authorSilvio Rhatto <rhatto@riseup.net>2017-03-29 22:18:07 -0300
committerSilvio Rhatto <rhatto@riseup.net>2017-03-29 22:18:07 -0300
commit96c1c6a94904b9a408ecfa87e0f488acdc724422 (patch)
tree20a8639bb510ae04c5965c7b9418f4cad015f677
parent3e675f63676e2a0a7e3e9b787d38a926685c9a04 (diff)
downloadkvmx-96c1c6a94904b9a408ecfa87e0f488acdc724422.tar.gz
kvmx-96c1c6a94904b9a408ecfa87e0f488acdc724422.tar.bz2
Adds SSH key rotation action
-rw-r--r--README.md1
-rwxr-xr-xkvmx16
-rwxr-xr-xkvmx-create2
-rwxr-xr-xkvmx-keygen27
4 files changed, 44 insertions, 2 deletions
diff --git a/README.md b/README.md
index 7085aa0..5410818 100644
--- a/README.md
+++ b/README.md
@@ -46,7 +46,6 @@ If no folder is specified, the current folder is assumed as the project home.
## Further development
-* Command to rotate SSH client keys.
* Remount shared folders and reinitialize spice-vdagent upon resume from disk.
* More params (memory, cpus, ssh, serial console, additional shared folders, etc).
* Integration with [image-bootstrap](https://github.com/hartwork/image-bootstrap).
diff --git a/kvmx b/kvmx
index 2d78897..0402053 100755
--- a/kvmx
+++ b/kvmx
@@ -671,6 +671,22 @@ function kvmx_log {
tail -F $logs
}
+# Rotate SSH keys
+function kvmx_rotate_sshkeys {
+ # Generate new keypair
+ SSHKEY="$STORAGE/$VM.key"
+ $DIRNAME/kvmx-keygen $SSHKEY.new "$user@`basename $image .img`"
+
+ # Replace pubkey on server
+ echo "touch ~/.ssh/authorized_keys.new && chmod 600 ~/.ssh/authorized_keys.new" | kvmx_ssh
+ cat $SSHKEY.new.pub | kvmx_ssh "tee ~/.ssh/authorized_keys.new &> /dev/null"
+ echo "mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys" | kvmx_ssh
+
+ # Replace keypair locally
+ mv $SSHKEY.new $SSHKEY
+ mv $SSHKEY.new.pub $SSHKEY.pub
+}
+
# Dispatch
if type kvmx_$ACTION 2> /dev/null | grep -q 'function'; then
__kvmx_initialize
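Review bot: The local key pair is overwritten at the end of kvmx_rotate_sshkeys regardless of whether the remote steps succeeded, so a failed `tee` or `mv` over kvmx_ssh (dropped connection, empty authorized_keys.new) leaves the VM trusting only a key the client no longer has, or no key at all. Each remote step should abort before the local `mv`, and ideally the new key should be tried for a login before the old one is discarded; the `|| return 1` chain below assumes kvmx_ssh propagates ssh's exit status, which is not visible in this hunk. The same lines also expand `$SSHKEY`, `$image` and `$DIRNAME` unquoted, and a leftover `$SSHKEY.new` from an aborted run makes ssh-keygen prompt interactively for an overwrite. The function is entirely within the hunk.
```shell
function kvmx_rotate_sshkeys {
  # Generate new keypair; a stale .new from an aborted run would make ssh-keygen prompt
  SSHKEY="$STORAGE/$VM.key"
  rm -f -- "$SSHKEY.new" "$SSHKEY.new.pub"
  "$DIRNAME/kvmx-keygen" "$SSHKEY.new" "$user@$(basename "$image" .img)" || return 1

  # Replace pubkey on server; stop before touching the local keypair if any step fails
  echo "touch ~/.ssh/authorized_keys.new && chmod 600 ~/.ssh/authorized_keys.new" | kvmx_ssh || return 1
  kvmx_ssh "tee ~/.ssh/authorized_keys.new &> /dev/null" < "$SSHKEY.new.pub" || return 1
  echo "mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys" | kvmx_ssh || return 1

  # Replace keypair locally
  mv -- "$SSHKEY.new" "$SSHKEY"
  mv -- "$SSHKEY.new.pub" "$SSHKEY.pub"
}
```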
diff --git a/kvmx-create b/kvmx-create
index 7f9270d..204f2e0 100755
--- a/kvmx-create
+++ b/kvmx-create
@@ -248,7 +248,7 @@ function kvmx_create_custom {
if [ "$ssh_custom" == "y" ]; then
privkey="`dirname $image`/`basename $image .img`.key"
pubkey="${privkey}.pub"
- ssh-keygen -t rsa -b 4096 -f $privkey -N '' -C "user@`basename $image .img`"
+ $DIRNAME/kvmx-keygen $privkey "$user@`basename $image .img`"
else
pubkey="$DIRNAME/share/ssh/insecure_private_key.pub"
fi
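Review bot: The new call passes `$privkey` and the comment to kvmx-keygen unquoted, and kvmx-keygen does not quote them either, so an `$image` path with whitespace splits into several arguments on the way to ssh-keygen. `$user` replaces the literal `user` of the removed line; it is presumably set earlier in kvmx-create, outside this hunk, and an empty value yields a comment of just `@name`. Quoting the call as `"$DIRNAME/kvmx-keygen" "$privkey" "$user@$(basename "$image" .img)"` keeps each argument intact. kvmx_create_custom starts before the hunk.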
diff --git a/kvmx-keygen b/kvmx-keygen
new file mode 100755
index 0000000..3784e52
--- /dev/null
+++ b/kvmx-keygen
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+#
+# kvmx-keygen -- ssh-keygen wrapper for kvmx
+#
+# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published
+# by the Free Software Foundation, either version 3 of the License,
+# or any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Parameters
+BASENAME="`basename $0`"
+PRIVKEY="$1"
+COMMENT="$2"
+
+# Generate a keypair
+ssh-keygen -t rsa -b 4096 -f $PRIVKEY -N '' -C $COMMENT
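Review bot: `ssh-keygen -t rsa -b 4096 -f $PRIVKEY -N '' -C $COMMENT` on the last line expands both parameters unquoted: a comment containing spaces is split into extra arguments, and an empty `$2` leaves `-C` with no argument so ssh-keygen exits with a usage error instead of writing a key with an empty comment. There is also no check that `$1` was supplied; without an `-f` path ssh-keygen prompts interactively, which a wrapper called from kvmx and kvmx-create should not do. `$BASENAME` is assigned but never used in the file; it fits naturally in a usage message. `-N ''` is the existing kvmx-create behaviour moved here, so the private key stays unencrypted on disk and the path's permissions are its only protection — worth a comment on that line.
```shell
# … unchanged: license header …

# Parameters
BASENAME="$(basename "$0")"
PRIVKEY="$1"
COMMENT="$2"

if [ -z "$PRIVKEY" ]; then
  echo "usage: $BASENAME <privkey> [comment]" >&2
  exit 1
fi

# Generate a keypair; the empty passphrase is intentional (kvmx uses the key non-interactively)
ssh-keygen -t rsa -b 4096 -f "$PRIVKEY" -N '' -C "$COMMENT"
```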