
  1. #!/bin/sh
  2. #set -x
  3. clear
  4. ###
  5. #
  6. # Author: Stéphane HUC
  7. # mail: devs@stephane-huc.net
  8. #
  9. # License: BSD Simplified
  10. #
  11. # Github: https://github.com/hucste/tools
  12. #
  13. ###
  14. ### MEMO
  15. #
  16. # Configure your file /etc/ssh/sshd_config, and your personal ~/.ssh/config
  17. # ssh -Q (cipher|cipher-auth|mac|kex|key) lists the algorithms your ssh build supports
  18. #
  19. ### KexAlgorithms
  20. #
  21. # KexAlgorithms diffie-hellman-group-exchange-sha256
  22. #
  23. # => If >= v 6.5
  24. # KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  25. #
  26. ### Ciphers
  27. # => DO NOT USE any *-cbc Ciphers!
  28. #
  29. # Ciphers aes256-ctr,aes192-ctr,aes128-ctr
  30. #
  31. # => If >= v 6.5
  32. # Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  33. #
  34. ### HMAC
  35. # => If OpenSSH < v5.9
  36. # MACs hmac-sha1
  37. #
  38. # => If >= v 5.9
  39. # MACs hmac-sha2-512,hmac-sha2-256
  40. #
  41. # => If >= v 6.3: use encrypt-then-MAC (ETM) MACs
  42. # MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
  43. #
  44. # => If >= v 6.6:
  45. # MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
  46. #
  47. ###
  48. openssl_algo="-aes256"
  49. openssl_bits=4096
  50. pkbdf_algo="des3" #
  51. ssh_algo="ed25519" # rsa | ed25519 ; DO NOT USE dsa | ecdsa!
  52. ssh_bits=4096 # minimal value for rsa : 2048 ; max value : 16384
  53. ssh_dir="$HOME/.ssh"
  54. ssh_round=1000
  55. ###
  56. #
  57. # FUNCTIONS
  58. #
  59. ###
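build_public_key() {
# Derive the public half ("<key>.pub") from the private key $ssh_dir/$ssh_id_file.
# BEFORE, USE: create_openssl_private_key
# Reads: ssh_dir, ssh_id_file. Returns ssh-keygen's status (1 on failure).
# The redirection creates the .pub before ssh-keygen runs, so on failure the
# empty/partial file is removed rather than left behind looking like a key.
  if ! ssh-keygen -y -f "$ssh_dir/$ssh_id_file" > "$ssh_dir/$ssh_id_file.pub"; then
    rm -f -- "$ssh_dir/$ssh_id_file.pub"
    return 1
  fi
}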
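convert_to_pkcs8() (
# Re-wrap $ssh_dir/$ssh_id_file as an encrypted PKCS#8 (PBES2) file "<key>.pkcs8",
# using the cipher named by $pkbdf_algo; openssl prompts for the passphrases.
# No-op when the private key does not exist. Reads: ssh_dir, ssh_id_file, pkbdf_algo.
# The variable was previously spelled $pkdbf_algo (never set), so -v2 got an empty name.
if [ -f "$ssh_dir/$ssh_id_file" ]; then
  openssl pkcs8 -topk8 -v2 "$pkbdf_algo" -in "$ssh_dir/$ssh_id_file" -out "$ssh_dir/$ssh_id_file.pkcs8"
fi
)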
create_oldier_key_ssh() {
# Generate a key pair with plain `ssh-keygen` (no -o/-a); made_ssh_key uses this
# when the installed ssh is older than 6.5.
# Reads: ssh_algo, ssh_bits (non-ed25519 only), ssh_dir, ssh_id_file, ssh_comment.
# ed25519 keys have a fixed size, so -b is only added for other key types.
  set -- -t "$ssh_algo"
  if [ "$ssh_algo" != "ed25519" ]; then
    set -- "$@" -b "$ssh_bits"
  fi
  ssh-keygen "$@" -f "$ssh_dir/$ssh_id_file" -C "$ssh_comment"
}
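create_openssl_private_key() {
# Generate an RSA private key with openssl, encrypted with $openssl_algo using a
# passphrase read from stdin, into $ssh_dir/$ssh_id_file.
# Reads: openssl_algo, openssl_bits, ssh_dir, ssh_id_file. Returns 1 on failure.
# The shell redirection creates the key file, so it runs under umask 077 in a
# subshell: with the caller's usual 022 umask the private key would sit
# world-readable until protect_key runs. A failed run leaves no partial file.
  (
    umask 077
    openssl genrsa "$openssl_algo" -passout stdin -rand /dev/urandom "$openssl_bits" > "$ssh_dir/$ssh_id_file"
  ) || { rm -f -- "$ssh_dir/$ssh_id_file"; return 1; }
#openssl genpkey -algorithm RSA -pass stdin -out "$ssh_dir/$ssh_id_file.pem" -outform PEM -pkeyopt rsa_keygen_bits:"$openssl_bits"
}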
create_pkbdf_key_ssh() {
# Generate a key pair in ssh-keygen's new private-key format (-o) with
# $ssh_round KDF rounds (-a); made_ssh_key uses this for ssh >= 6.5.
# Reads: ssh_algo, ssh_bits (non-ed25519 only), ssh_dir, ssh_id_file, ssh_comment, ssh_round.
# ed25519 keys have a fixed size, so -b is only added for other key types.
  set -- -t "$ssh_algo"
  if [ "$ssh_algo" != "ed25519" ]; then
    set -- "$@" -b "$ssh_bits"
  fi
  ssh-keygen "$@" -f "$ssh_dir/$ssh_id_file" -C "$ssh_comment" -o -a "$ssh_round"
}
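get_id_comment_ssh() {
# Prompt on stdout and read one line from stdin into the global ssh_comment.
# printf replaces `echo -n` (its behaviour varies between /bin/sh implementations)
# and read -r keeps a backslash typed in the comment literally.
  printf '%s' "Tape a comment for your file id ssh? "
  read -r ssh_comment
}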
get_id_filename_ssh() {
# Set the global ssh_id_file to the conventional name for the chosen key type
# (id_rsa, id_ed25519, ...). An interactive, date-suffixed name was tried
# earlier and left disabled; the name is derived purely from $ssh_algo.
  ssh_id_file=id_$ssh_algo
}
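get_ssh_version() {
# Store the `ssh -V` banner (which ssh prints on stderr) in the global ssh_info.
# stderr is captured directly instead of being spooled through ./ssh_info.txt,
# which clobbered any same-named file in the current directory and was left
# behind if the script was interrupted between the write and the rm.
  ssh_info=$(ssh -V 2>&1 >/dev/null)
}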
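made_ssh_key() {
# "create" entry point: detect the OpenSSH version, pick the key name and comment,
# then generate the key with the strongest on-disk format that version supports:
#   < 6.5  : classic ssh-keygen key, re-wrapped as PKCS#8 by openssl
#   >= 6.5 : ssh-keygen's own format with $ssh_round KDF rounds (-o -a)
# Sets the globals ssh_info, ssh_version, ssh_id_file, ssh_comment, bool.
# Does nothing when `ssh -V` produced no banner.
  get_ssh_version
  if [ -n "$ssh_info" ]; then
    printf "%s\n" "info: $ssh_info"
    # "OpenSSH_9.6p1 ..." -> "9.6". A sed BRE replaces `expr substr`, which is a
    # GNU extension and also returned "10." for two-digit major versions.
    ssh_version=$(printf '%s\n' "$ssh_info" | sed 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/')
    printf "%s\n" "version: $ssh_version"
    get_id_filename_ssh
    get_id_comment_ssh
    # Private-key material is written below; make sure nothing is created
    # group/world-readable, whichever branch runs.
    umask 0077
    # bool=1 when ssh_version is older than 6.5, 0 otherwise. `<=` so that
    # exactly 6.5 takes the new-format branch, as the MEMO above says.
    bool=$(echo "6.5" "$ssh_version" | awk '{if ($1 <= $2) print 0; else print 1}')
    if [ "$bool" -ne 0 ]; then
      create_oldier_key_ssh
      convert_to_pkcs8
      mv_converted_to_id
    else
      create_pkbdf_key_ssh
    fi
    protect_key
  fi
}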
mv_converted_to_id() {
# Replace the private key with its PKCS#8 re-wrap when convert_to_pkcs8 produced one;
# returns 0 without doing anything if there is no "<key>.pkcs8".
  [ -f "$ssh_dir/$ssh_id_file.pkcs8" ] || return 0
  mv "$ssh_dir/$ssh_id_file.pkcs8" "$ssh_dir/$ssh_id_file"
}
protect_key() {
# Make the private key $ssh_dir/$ssh_id_file owner-read-only (0400).
# Returns 0 without doing anything when the file does not exist.
  [ -f "$ssh_dir/$ssh_id_file" ] || return 0
  chmod 0400 "$ssh_dir/$ssh_id_file"
}
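upgrade_to_pkbdf() {
# "upgrade" entry point: re-encrypt the existing $ssh_dir/id_rsa in place with
# ssh-keygen's new format (-o) and $ssh_round KDF rounds; ssh-keygen prompts
# for the old and new passphrases. Skipped when $ssh_dir does not exist.
# Previously passed $ssh_rounds, which nothing sets (the config defines
# ssh_round), so ssh-keygen received an empty -a argument.
  if [ -d "$ssh_dir/" ]; then
    ssh-keygen -o -p -f "$ssh_dir/id_rsa" -a "$ssh_round"
  fi
}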
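reverse_from_pkcs8() {
# "reverse" entry point: turn the PKCS#8-wrapped key $ssh_dir/$ssh_id_file back
# into a plain PEM key, let ssh-keygen -p put a passphrase on it, then lock its
# permissions. Reads: ssh_dir, ssh_algo, ssh_id_file.
# The "reverse" command never calls get_id_filename_ssh, so ssh_id_file would be
# empty and the mv would target $ssh_dir itself; default it the same way.
  [ -n "$ssh_id_file" ] || ssh_id_file="id_${ssh_algo}"
  mv "$ssh_dir/$ssh_id_file" "$ssh_dir/$ssh_id_file.pkcs8" || return 1
  # openssl writes the key unencrypted here: create it under umask 077 so it is
  # never group/world-readable, and stop (keeping the .pkcs8 copy) on failure.
  ( umask 077
    openssl pkcs8 -in "$ssh_dir/$ssh_id_file.pkcs8" -out "$ssh_dir/$ssh_id_file" ) || return 1
  # ssh-keygen -p rewrites the file in place, so it has to run before protect_key
  # makes it 0400 -- the old order made the save fail for a non-root user.
  ssh-keygen -f "$ssh_dir/$ssh_id_file" -p
  protect_key
}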
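verify_softs_needed() {
# Exit 1 with a red "[ KO ]" line on stdout unless both ssh and openssl are on PATH.
# `command -v` replaces `[ ! -x $(which tool) ]`: when which found nothing the
# unquoted expansion collapsed the test to `[ ! -x ]`, which is true, so a
# missing tool was never reported. $0 is passed as a printf argument instead of
# being embedded in the format, so a '%' in the script path cannot corrupt it.
  if ! command -v ssh >/dev/null 2>&1; then
    printf "[ \\33[1;31m%s\\33[0;39m ] %s %s\n" "KO" "SSH is needed! Please install-it!" "$0"
    exit 1
  fi
  if ! command -v openssl >/dev/null 2>&1; then
    printf "[ \\33[1;31m%s\\33[0;39m ] %s %s\n" "KO" "OpenSSL is needed! Please install-it!" "$0"
    exit 1
  fi
}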
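verify_softs_needed
# The sub-command is the first argument, matched case-insensitively. printf
# rather than echo so an argument such as "-n" is not eaten as an echo option.
choice=$(printf '%s\n' "$1" | awk '{print tolower($0)}')
case "$choice" in
  create)
    made_ssh_key
    ;;
  reverse)
    # reverse_from_pkcs8 works on $ssh_id_file, which only the create path set.
    get_id_filename_ssh
    reverse_from_pkcs8
    ;;
  upgrade)
    upgrade_to_pkbdf
    ;;
  *)
    clear
    N="service ${0##*/}"
    # the usage line now lists every sub-command handled above (reverse was missing)
    echo "Usage: $N {create|reverse|upgrade}" >&2
    exit 1
    ;;
esac
unset choice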