From 96c1c6a94904b9a408ecfa87e0f488acdc724422 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Wed, 29 Mar 2017 22:18:07 -0300
Subject: Adds SSH key rotation action

---
 README.md   |  1 -
 kvmx        | 16 ++++++++++++++++
 kvmx-create |  2 +-
 kvmx-keygen | 27 +++++++++++++++++++++++++++
 4 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100755 kvmx-keygen

diff --git a/README.md b/README.md
index 7085aa0..5410818 100644
--- a/README.md
+++ b/README.md
@@ -46,7 +46,6 @@ If no folder is specified, the current folder is assumed as the project home.
 
 ## Further development
 
-* Command to rotate SSH client keys.
 * Remount shared folders and reinitialize spice-vdagent upon resume from disk.
 * More params (memory, cpus, ssh, serial console, additional shared folders, etc).
 * Integration with [image-bootstrap](https://github.com/hartwork/image-bootstrap).
diff --git a/kvmx b/kvmx
index 2d78897..0402053 100755
--- a/kvmx
+++ b/kvmx
@@ -671,6 +671,22 @@ function kvmx_log {
   tail -F $logs
 }
 
+# Rotate SSH keys
+function kvmx_rotate_sshkeys {
+  # Generate new keypair
+  SSHKEY="$STORAGE/$VM.key"
+  $DIRNAME/kvmx-keygen $SSHKEY.new "$user@`basename $image .img`"
+
+  # Replace pubkey on server
+  echo "touch ~/.ssh/authorized_keys.new && chmod 600 ~/.ssh/authorized_keys.new" | kvmx_ssh
+  cat $SSHKEY.new.pub | kvmx_ssh "tee ~/.ssh/authorized_keys.new &> /dev/null"
+  echo "mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys" | kvmx_ssh
+
+  # Replace keypair locally
+  mv $SSHKEY.new $SSHKEY
+  mv $SSHKEY.new.pub $SSHKEY.pub
+}
+
 # Dispatch
 if type kvmx_$ACTION 2> /dev/null | grep -q 'function'; then
   __kvmx_initialize
diff --git a/kvmx-create b/kvmx-create
index 7f9270d..204f2e0 100755
--- a/kvmx-create
+++ b/kvmx-create
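Review bot: In kvmx_rotate_sshkeys the local keypair is swapped in (`mv $SSHKEY.new $SSHKEY`) regardless of whether the three `kvmx_ssh` steps that install the new public key on the guest succeeded — none of their exit statuses is checked — so a guest that is down, out of disk, or missing `~/.ssh` ends up with the new key only on the host and the old key only on the guest, and the next `kvmx ssh` is locked out. Each remote step should abort the rotation before the local swap, e.g. `echo "touch ~/.ssh/authorized_keys.new && chmod 600 ~/.ssh/authorized_keys.new" | kvmx_ssh || { rm -f $SSHKEY.new $SSHKEY.new.pub; return 1; }`, with the same guard on the `tee` and `mv` lines. Safer still is to attempt a login with `$SSHKEY.new` after the remote `mv` and only then retire the old key, though how kvmx_ssh picks its identity file is not visible here. Note also that the remote `mv` replaces `~/.ssh/authorized_keys` wholesale, so any other keys the guest had authorized are dropped — if that is intended, a comment saying so would help — and `&>` in the `tee` command assumes the guest's login shell is bash.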
@@ -248,7 +248,7 @@ function kvmx_create_custom {
   if [ "$ssh_custom" == "y" ]; then
     privkey="`dirname $image`/`basename $image .img`.key"
     pubkey="${privkey}.pub"
-    ssh-keygen -t rsa -b 4096 -f $privkey -N '' -C "user@`basename $image .img`"
+    $DIRNAME/kvmx-keygen $privkey "$user@`basename $image .img`"
   else
     pubkey="$DIRNAME/share/ssh/insecure_private_key.pub"
   fi
diff --git a/kvmx-keygen b/kvmx-keygen
new file mode 100755
index 0000000..3784e52
--- /dev/null
+++ b/kvmx-keygen
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+#
+# kvmx-keygen -- ssh-keygen wrapper for kvmx
+#
+# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published
+# by the Free Software Foundation, either version 3 of the License,
+# or any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+# Parameters
+BASENAME="`basename $0`"
+PRIVKEY="$1"
+COMMENT="$2"
+
+# Generate a keypair
+ssh-keygen -t rsa -b 4096 -f $PRIVKEY -N '' -C $COMMENT
-- cgit v1.2.3
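Review bot: The key comment now depends on `$user`, which is not set anywhere in this hunk; if it is unset at this point of kvmx_create_custom the comment silently becomes `@<image-name>` instead of the previous literal `user@<image-name>`, so it is worth confirming `user` is initialised before this branch or keeping the old default with `"${user:-user}@`basename $image .img`"`. `$privkey` is built from `dirname $image` and handed to the wrapper unquoted, so an image path containing spaces breaks here exactly as it did with the direct ssh-keygen call; `"$privkey"` costs nothing. The enclosing function starts and ends outside the hunk.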
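Review bot: The final `ssh-keygen` line passes `$PRIVKEY` and `$COMMENT` unquoted, so a path with spaces is split and, when the caller omits the second argument, `-C` is left with no argument at all and ssh-keygen errors out rather than producing a key with an empty comment; there is also no check that a key path was given, and `BASENAME` is assigned but never used, which suggests a usage message was intended. Quoting both expansions and refusing an empty path fixes all of that in a few lines. The `-N ''` (no passphrase) is presumably deliberate so kvmx can log into guests non-interactively, but a comment stating that and pointing at file/directory permissions as the compensating control would save the next reader from "fixing" it. One thing to be aware of rather than change: ssh-keygen prompts interactively if `$PRIVKEY` already exists, so a stale `*.new` left by an interrupted rotation will hang the script — the rotate caller may want to remove leftovers first.
```shell
COMMENT="$2"

# Refuse an empty path up front: ssh-keygen would otherwise fail late
# (or prompt) with a confusing message.
if [ -z "$PRIVKEY" ]; then
  echo "usage: $BASENAME <private-key-path> [comment]" >&2
  exit 1
fi

# Generate a keypair. The empty passphrase (-N '') is deliberate: kvmx uses
# the key non-interactively for guest logins, so it is protected by the
# permissions on the key file and its directory instead.
ssh-keygen -t rsa -b 4096 -f "$PRIVKEY" -N '' -C "$COMMENT"
```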