ssh-pubkeymgr

Der ssh-pubkeymgr ist leicht modifiziert. Ein Blick auf das Skript zeigt, inwiefern es für den Einsatz im Echtbetrieb der Nutzerumgebung geeignet ist. Das Originalskript in der Source-Distribution ssh-3.2.0 war jedenfalls fehlerhaft.

Folgende Aufgaben löst der Manager:


#!/bin/sh
#
# ssh-pubkeymgr - A user public key manager for Secure Shell
#
# Author: Anne Carasik 
#         Olaf Jörk  (Anpassung an RM-Systeme)
#
# Copyright (C) 2000 SSH Communications Security Corp, Helsinki, Finland
# All rights reserved.
#
# It's too much of a pain to create the public key files like identification
# and authorization. This quick little script runs ssh-keygen2, then creates
# the identification and authorization files. Then it runs scp to the remote
# system to copy the public keys there.

######################### ChangeLog ###########################################
# 18 August 2000 - removed downloading hostkeys because you get them anyway
# during the first connection :)
#
# 12 February 2001 - removed hostname -s because too many bugs were being
# reported from it. Also added config file checks for publickey authentication.
# And comments. Many, many, many more comments.
#
# 18 June 2001 - fixed stupid bug where it should have been $keypair
# instead of $user-$host. duh.
#
# 3 Jan 2003 - handles different echos (SysV/Linux), fixed upload bug,
# removed some unnecessary messages (Jörk)
#
######################### ChangeLog ###########################################

## Paths of the SSH2 client and server configuration files that are
## inspected further down for publickey authentication.
ssh2config="/etc/ssh2/ssh2_config"
sshd2config="/etc/ssh2/sshd2_config"

############################################################
#               Some basic checks...                       #
############################################################

## Default keypair name; the -k command line option overrides it.
keypair="id_dsa_1024_a"

## Some systems export LOGNAME instead of USER; make sure USER is set
## either way, asking whoami(1) as the last resort.
if [ -z "$USER" ]; then
  USER=${LOGNAME:-$(whoami)}
fi

## Pick the echo flavour for this platform: on Linux the messages below
## (which use \n and \c escapes) are printed with "echo -e", every other
## system, ReliantUNIX-N included, gets plain "echo".
## NOTE(review): if /bin/sh is dash, "echo -e" prints the "-e" literally;
## confirm the target's /bin/sh before relying on this.
system=$(uname -s)
if [ "$system" = "Linux" ]; then
  echostr='echo -e'
else
  echostr='echo'
fi

## Fall back to uname -n when the shell did not provide HOSTNAME.
if [ -z "$HOSTNAME" ]; then
  HOSTNAME=$(uname -n)
  $echostr "Setting host to $HOSTNAME"
fi

############################################################
#               Check the command line options.            #
############################################################

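## Parse the command line.  Only "-k <keypair>" and "-h" are understood;
## anything else prints the usage text and exits.  Sets the global
## $keypair when -k is given.  Without arguments it just announces itself.
parse_args() {
  if [ $# -eq 0 ]; then
    $echostr "Running ssh-pubkeymgr .. "
    return 0
  fi
  while [ -n "$1" ]; do
    case "$1" in
      -k)
        # -k needs a value: without this check a missing value left
        # $keypair empty and "shift 2" failed, so the loop never advanced.
        if [ $# -lt 2 ] || [ -z "$2" ]; then
          $echostr "Option -k needs a keypair name."
          $echostr "Usage: ssh-pubkeymgr [-k keypair]\n"
          $echostr "Type man ssh-pubkeymgr for more information."
          exit 1
        fi
        keypair="$2"
        $echostr "Running ssh-pubkeymgr with keypair ($keypair) .."
        shift 2
        ;;
      -h)
        $echostr "SSH Secure Shell user public key manager"
        $echostr "Usage: ssh-pubkeymgr [-k keypair]\n"
        $echostr "Type man ssh-pubkeymgr for more information."
        exit
        ;;
      *)
        $echostr "Usage: ssh-pubkeymgr [-k keypair]\n"
        $echostr "Type man ssh-pubkeymgr for more information."
        exit
        ;;
    esac
  done
}
parse_args "$@"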
#############################################################################
# Checking the configuration files to make sure so publickey authentication #
# will work. Otherwise, program will exit with the return status of 1.      #
#############################################################################
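## Return 0 when config file $1 has an uncommented line that mentions
## AllowedAuth or RequiredAuth together with publickey, 1 otherwise.
## A missing or unreadable file counts as "not enabled"; grep reports
## the reason on stderr.
config_allows_publickey() {
  grep -E '^[^#].*(AllowedAuth|RequiredAuth).*publickey' "$1" > /dev/null
}

## Print the check for config file $1 (described to the user as the $2
## config) and exit with status 1 unless it enables publickey
## authentication.
require_publickey_auth() {
  $echostr "Checking for publickey authentication to be enabled in the $2 config.. \c"
  if config_allows_publickey "$1"; then
    $echostr "yes."
  else
    $echostr "no."
    $echostr "Nothing found in $1. Add publickey"
    $echostr "authentication to AllowedAuthentications or RequiredAuthentications"
    $echostr "then restart ssh-pubkeymgr."
    exit 1
  fi
}

## Need to check ~/.ssh2/ssh2_config as well..
require_publickey_auth "$ssh2config" client

# The server check is active (an older note here claimed it was commented
# out).  Drop the call below if the user does not control the local server
# and only wants to upload keys elsewhere.
require_publickey_auth "$sshd2config" server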

#############################################################################
# Checking DSA public keys. Currently, there is no support for PGP or RSA   #
# public keys; however that will change.                                    #
#############################################################################
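## Run ssh-keygen2 unless both halves of the DSA keypair,
## $HOME/.ssh2/$keypair and $HOME/.ssh2/$keypair.pub, exist and are
## non-empty.  The old test checked only the private key: its second
## operand was a bare path string, which is always true.
ensure_keypair() {
  if [ -s "$HOME/.ssh2/$keypair" ] && [ -s "$HOME/.ssh2/$keypair.pub" ]; then
    $echostr "already have one."
  else
    $echostr "Couldn't find your DSA keypair.. I'll generate you a new set.."
    $echostr "Running ssh-keygen2... don't forget to give it a passphrase!\n"
    ssh-keygen2
  fi
}

$echostr "Checking for existing user public keys.. \c"
ensure_keypair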

#############################################################################
# Setup the identification file. This is so when you login, the client      #
# recognizes which private key you're using.                                #
#############################################################################

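## Write $HOME/.ssh2/identification with a single "IdKey <keypair>" line
## unless a non-empty one already exists.  printf is used for the file
## content so it does not depend on the platform's echo; $echostr stays
## for messages only.
## Assumes $HOME/.ssh2 already exists at this point (presumably created
## by ssh-keygen2 above) - TODO confirm.
ensure_identification_file() {
  if [ -s "$HOME/.ssh2/identification" ]; then
    $echostr "You already have an identity file, skipping.."
  else
    $echostr "Creating your identity file.."
    printf 'IdKey %s\n' "$keypair" > "$HOME/.ssh2/identification"
  fi
}
ensure_identification_file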


#############################################################################
# Setup the authorization file. This is so when you login, the server       #
# recognizes your public key.                                               #
#############################################################################
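## Create an empty $HOME/.ssh2/authorization unless a non-empty one is
## already there; "Key" entries are appended to it later on.  The path
## is quoted so a HOME containing whitespace does not break the touch.
ensure_authorization_file() {
  if [ -s "$HOME/.ssh2/authorization" ]; then
    $echostr "You already have an authorization file, skipping.."
  else
    $echostr "Creating your authorization file.."
    touch "$HOME/.ssh2/authorization"
  fi
}
ensure_authorization_file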

## Ask the user for the hostname of which remote hosts to add.
# $echostr "The next section allows you to add hosts that you wish to login from"
# $echostr "using public key authentication.\n"

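## Interactively append "Key <user>-<host>.pub" lines to the authorization
## file.  An empty answer, y or yes adds one entry, n or no stops, EOF
## (Ctrl-D) ends the loop; any other answer is ignored and the next line
## is read.  read -r keeps backslashes in the answers literal.
$echostr "Do you want to add any hosts to your authorization file? (y[es]) \c"
while read -r addhosts; do
  case "$addhosts" in
    "" | [yY] | [yY][eE][sS])
      $echostr "\nType in their hostname, press return after each one."
      $echostr "Add which user?"
      read -r user
      $echostr "Add which host?"
      read -r host
      # An empty user or host (including EOF on the prompts) would write a
      # meaningless "Key -.pub" style entry; refuse it instead.
      if [ -z "$user" ] || [ -z "$host" ]; then
        $echostr "Both a user and a host are needed, nothing added."
      else
        # printf keeps the file content independent of the platform echo.
        printf 'Key %s-%s.pub\n' "$user" "$host" >> "$HOME/.ssh2/authorization"
        $echostr "You added $user at $host as a trusted login."
      fi
      $echostr "Press return to continue or Ctrl-D to exit."
      ;;
    [nN] | [nN][oO])
      $echostr "Skipping editing the authorization file.."
      break
      ;;
  esac
done
$echostr "All the new files are in your $HOME/.ssh2 directory."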

###########################################################################
# Send your public key to remote servers so you can login to them.        #
# Don't forget that you need to add this key to the ~/.ssh2/authorization #
# file on the remote server.                                              #
###########################################################################
# $echostr"Nowthat you have your public keypair generated, you can copy your public"
# $echostr "key up to remote hosts so you can login to them using public key"
# $echostr"authentication. You also need to add this key," $USER"@"$HOSTNAME".pub,"
# $echostr "to the ~/.ssh2/authorization file on the server.\n"

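## Interactively copy the local public key to remote hosts with scp2.
## The remote file is named <localuser>-<localhost>.pub inside the remote
## ~/.ssh2, the same naming the "Key" entries written above use.  Every
## answer is quoted when handed to scp2 so whitespace or glob characters
## cannot split or expand into extra arguments.
pubkey="$HOME/.ssh2/$keypair.pub"

$echostr "Do you want to upload " "$USER@$HOSTNAME key to a remote host? (y[es]) \c"
while read -r uploadhost; do
  case "$uploadhost" in
    "" | [yY] | [yY][eE][sS])
      $echostr "Upload to which host?"
      read -r host
      $echostr "Which user account?"
      read -r user
      $echostr "Where is the " "$user's home directory? "
      $echostr "(e.g. /home/anne, /u/ahc, etc.)"
      read -r homedir
      if [ -z "$host" ] || [ -z "$user" ] || [ -z "$homedir" ]; then
        $echostr "Host, user and home directory are all needed, skipping this upload."
      elif [ ! -s "$pubkey" ]; then
        $echostr "Cannot find $pubkey, nothing to upload."
      else
        # Run scp2 to copy the file; report a failed copy instead of
        # silently moving on to the next prompt.
        $echostr "Now running scp2 to connect to $host.."
        $echostr "Most likely you'll have to type a password :)"
        scp2 "$pubkey" "$user@$host:$homedir/.ssh2/$USER-$HOSTNAME.pub" \
          || $echostr "scp2 to $host failed, the key was not uploaded."
      fi
      $echostr "\nPress return to upload to more hosts or Ctrl-D to exit."
      ;;
    [nN] | [nN][oO])
      $echostr "Skipping local user public key uploads.."
      break
      ;;
  esac
done

$echostr "$0 finished."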