diff options
| author | Silvio Rhatto <rhatto@riseup.net> | 2017-03-29 22:18:07 -0300 |
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2017-03-29 22:18:07 -0300 |
| commit | 96c1c6a94904b9a408ecfa87e0f488acdc724422 (patch) | |
| tree | 20a8639bb510ae04c5965c7b9418f4cad015f677 | |
| parent | 3e675f63676e2a0a7e3e9b787d38a926685c9a04 (diff) | |
| download | kvmx-96c1c6a94904b9a408ecfa87e0f488acdc724422.tar.gz kvmx-96c1c6a94904b9a408ecfa87e0f488acdc724422.tar.bz2 | |
Adds SSH key rotation action
| -rw-r--r-- | README.md | 1 | ||||
| -rwxr-xr-x | kvmx | 16 | ||||
| -rwxr-xr-x | kvmx-create | 2 | ||||
| -rwxr-xr-x | kvmx-keygen | 27 |
4 files changed, 44 insertions, 2 deletions
@@ -46,7 +46,6 @@ If no folder is specified, the current folder is assumed as the project home. ## Further development -* Command to rotate SSH client keys. * Remount shared folders and reinitialize spice-vdagent upon resume from disk. * More params (memory, cpus, ssh, serial console, additional shared folders, etc). * Integration with [image-bootstrap](https://github.com/hartwork/image-bootstrap). @@ -671,6 +671,22 @@ function kvmx_log { tail -F $logs } +# Rotate SSH keys +function kvmx_rotate_sshkeys { + # Generate new keypair + SSHKEY="$STORAGE/$VM.key" + $DIRNAME/kvmx-keygen $SSHKEY.new "$user@`basename $image .img`" + + # Replace pubkey on server + echo "touch ~/.ssh/authorized_keys.new && chmod 600 ~/.ssh/authorized_keys.new" | kvmx_ssh + cat $SSHKEY.new.pub | kvmx_ssh "tee ~/.ssh/authorized_keys.new &> /dev/null" + echo "mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys" | kvmx_ssh + + # Replace keypair locally + mv $SSHKEY.new $SSHKEY + mv $SSHKEY.new.pub $SSHKEY.pub +} + # Dispatch if type kvmx_$ACTION 2> /dev/null | grep -q 'function'; then __kvmx_initialize diff --git a/kvmx-create b/kvmx-create index 7f9270d..204f2e0 100755 --- a/kvmx-create +++ b/kvmx-create @@ -248,7 +248,7 @@ function kvmx_create_custom { if [ "$ssh_custom" == "y" ]; then privkey="`dirname $image`/`basename $image .img`.key" pubkey="${privkey}.pub" - ssh-keygen -t rsa -b 4096 -f $privkey -N '' -C "user@`basename $image .img`" + $DIRNAME/kvmx-keygen $privkey "$user@`basename $image .img`" else pubkey="$DIRNAME/share/ssh/insecure_private_key.pub" fi diff --git a/kvmx-keygen b/kvmx-keygen new file mode 100755 index 0000000..3784e52 --- /dev/null +++ b/kvmx-keygen @@ -0,0 +1,27 @@ +#!/usr/bin/env bash +# +# kvmx-keygen -- ssh-keygen wrapper for kvmx +# +# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published +# by the Free Software Foundation, either version 3 of the License, +# or any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +# Parameters +BASENAME="`basename $0`" +PRIVKEY="$1" +COMMENT="$2" + +# Generate a keypair +ssh-keygen -t rsa -b 4096 -f $PRIVKEY -N '' -C $COMMENT |