Der ssh-pubkeymgr ist leicht modifiziert. Ein Blick auf das Skript zeigt,
inwiefern es für den Einsatz im Echtbetrieb der Nutzerumgebung geeignet ist.
Das Originalskript in der Source-Distribution ssh-3.2.0 war jedenfalls fehlerhaft.
Folgende Aufgaben löst der Manager:
generiert den lokalen Nutzerschlüssel (nur beim ersten Mal)
legt die identification-Datei an (nur beim ersten Mal)
prüft ob publickey zu den AllowedAuthentications zählt (ssh2_config / sshd2_config )
trägt ferne Nutzer/Rechner-Paare in die authorization-Datei ein
überträgt den öffenlichen Teil des lokalen Nutzerschlüssels an den entfernten Rechner unter $HOME/.ssh2
#!/bin/sh
#
# ssh-pubkeymgr - A user public key manager for Secure Shell
#
# Author: Anne Carasik
# Olaf Jörk (Anpassung an RM-Systeme)
#
# Copyright (C) 2000 SSH Communications Security Corp, Helsinki, Finland
# All rights reserved.
#
# It's too much of a pain to create the public key files like identification
# and authorization. This quick little script runs ssh-keygen2, then creates
# the identification and authorization files. Then it runs scp to the remote
# system to copy the public keys there.
######################### ChangeLog ###########################################
# 18 August 2000 - removed downloading hostkeys because you get them anyway
# during the first connection :)
#
# 12 February 2001 - removed hostname -s because too many bugs were being
# reported from it. Also added config file checks for publickey authentication.
# And comments. Many, many, many more comments.
#
# 18 June 2001 - fixed stupid bug where it should have been $keypair
# instead of $user-$host. duh.
#
# 3 Jan 2003 - handles different echos (SysV/Linux), fixed upload bug,
# removed some unnecessary messages (Jörk)
#
######################### ChangeLog ###########################################
ssh2config=/etc/ssh2/ssh2_config
sshd2config=/etc/ssh2/sshd2_config
############################################################
# Some basic checks... #
############################################################
## Set the default keypair to id_dsa_1024_a for
keypair="id_dsa_1024_a"
## Check for compatibility for the $LOGNAME instead of $USER
if [ -z "$USER" ]
then
if [ -n "$LOGNAME" ]
then
USER=$LOGNAME
else
USER=`whoami`
fi
fi
## discovery the system running on
system=`uname -s`
case $system in
Linux ) echostr='echo -e';;
ReliantUNIX-N ) echostr='echo';;
* ) echostr='echo';;
esac
## Set the hostname
if [ -z "$HOSTNAME" ]; then
HOSTNAME=`uname -n`
$echostr "Setting host to $HOSTNAME"
fi
############################################################
# Check the command line options. #
############################################################
if [ $# -eq 0 ]
then
$echostr "Running ssh-pubkeymgr .. "
else
while [ -n "$1" ]
do
case $1 in
-k) keypair="$2"
$echostr "Running ssh-pubkeymgr with keypair ($keypair) .."
shift 2
;;
-h) $echostr "SSH Secure Shell user public key manager"
$echostr "Usage: ssh-pubkeymgr [-k keypair]\n"
$echostr "Type man ssh-pubkeymgr for more information."
exit
;;
*) $echostr "Usage: ssh-pubkeymgr [-k keypair]\n"
$echostr "Type man ssh-pubkeymgr for more information."
exit
esac
done
fi
#############################################################################
# Checking the configuration files to make sure so publickey authentication #
# will work. Otherwise, program will exit with the return status of 1. #
#############################################################################
## Need to check ~/.ssh2/ssh2_config as well..
clientconfigcontains=`egrep '^[^#].*(AllowedAuth|RequiredAuth).*publickey' $ssh2config`
# Commented out because user may not want to allow server to have publickey
# authentication.
#
serverconfigcontains=`egrep '^[^#].*(AllowedAuth|RequiredAuth).*publickey' $sshd2config`
$echostr "Checking for publickey authentication to be enabled in the client config.. \c"
if [ -z "$clientconfigcontains" ]
then
$echostr "no."
$echostr "Nothing found in $ssh2config. Add publickey"
$echostr "authentication to AllowedAuthentications or RequiredAuthentications"
$echostr "then restart ssh-pubkeymgr."
exit 1
else
$echostr "yes."
fi
$echostr "Checking for publickey authentication to be enabled in the server config.. \c"
if [ -z "$serverconfigcontains" ]
then
$echostr "no."
$echostr "Nothing found in $sshd2config. Add publickey"
$echostr "authentication to AllowedAuthentications or RequiredAuthentications"
$echostr "then restart ssh-pubkeymgr."
exit 1
else
$echostr "yes."
fi
#############################################################################
# Checking DSA public keys. Currently, there is no support for PGP or RSA #
# public keys; however that will change. #
#############################################################################
$echostr "Checking for existing user public keys.. \c"
## Check for the user's DSA keypair
if [ -s "$HOME/.ssh2/$keypair" -a "$HOME/.ssh2/$keypair.pub" ]
then
$echostr "already have one."
else
$echostr "Couldn't find your DSA keypair.. I'll generate you a new set.."
$echostr "Running ssh-keygen2... don't forget to give it a passphrase!\n"
ssh-keygen2
fi
#############################################################################
# Setup the identification file. This is so when you login, the client #
# recognizes which private key you're using. #
#############################################################################
## Check for $HOME/.ssh2/identification
if [ -s "$HOME/.ssh2/identification" ]
then
$echostr "You already have an identity file, skipping.."
else
$echostr "Creating your identity file.."
$echostr IdKey $keypair > $HOME/.ssh2/identification
fi
#############################################################################
# Setup the authorization file. This is so when you login, the server #
# recognizes your public key. #
#############################################################################
## Check for $HOME/.ssh2/authorization
if [ -s "$HOME/.ssh2/authorization" ]
then
$echostr "You already have an authorization file, skipping.."
else
$echostr "Creating your authorization file.."
touch $HOME/.ssh2/authorization
fi
## Ask the user for the hostname of which remote hosts to add.
# $echostr "The next section allows you to add hosts that you wish to login from"
# $echostr "using public key authentication.\n"
$echostr "Do you want to add any hosts to your authorization file? (y[es]) \c"
while read addhosts
do
case "$addhosts" in
"" | [yY] | [yY][eE][sS])
$echostr "\nType in their hostname, press return after each one."
$echostr "Add which user?"
read user
$echostr "Add which host?"
read host
$echostr Key $user-$host.pub >> $HOME/.ssh2/authorization
$echostr "You added $user at $host as a trusted login."
$echostr "Press return to continue or Ctrl-D to exit."
;;
[nN] | [nN][oO])
$echostr "Skipping editing the authorization file.."
break
esac
done
$echostr "All the new files are in your $HOME/.ssh2 directory."
###########################################################################
# Send your public key to remote servers so you can login to them. #
# Don't forget that you need to add this key to the ~/.ssh2/authorization #
# file on the remote server. #
###########################################################################
# $echostr"Nowthat you have your public keypair generated, you can copy your public"
# $echostr "key up to remote hosts so you can login to them using public key"
# $echostr"authentication. You also need to add this key," $USER"@"$HOSTNAME".pub,"
# $echostr "to the ~/.ssh2/authorization file on the server.\n"
$echostr "Do you want to upload " $USER"@"$HOSTNAME" key to a remote host? (y[es]) \c"
while read uploadhost
do
case "$uploadhost" in
"" | [yY] | [yY][eE][sS])
$echostr "Upload to which host?"
read host
$echostr "Which user account?"
read user
$echostr "Where is the " $user"'s home directory? "
$echostr "(e.g. /home/anne, /u/ahc, etc.)"
read homedir
# Run scp2 to copy the file
$echostr "Now running scp2 to connect to "$host".."
$echostr "Most likely you'll have to type a password :)"
scp2 $HOME/.ssh2/$keypair.pub \
$user@$host:$homedir/.ssh2/$USER-$HOSTNAME.pub
$echostr "\nPress return to upload to more hosts or Ctrl-D to exit."
;;
[nN] | [nN][oO])
$echostr "Skipping local user public key uploads.."
break ;;
esac
done
$echostr "$0 finished."