This script (update_ssh.pl) activates SSH public keys on the client host, placing them in the designated repository according to the access, alias and keys configuration files.


$ pod2text update_ssh.pl

	  update_ssh.pl [-d|--debug]
			([-p|--preview] [-g|--global]) | [-r|--remove]

:pushpin: update_ssh.pl requires a correctly configured update_ssh.conf or update_ssh.conf.local in order to work.

:pushpin: This script should only be run on the client hosts (unless the SSH master is also its own client) and requires root privileges.


manage_ssh.sh is the administrative wrapper script. It performs basic functions for SSH controls, such as:

  • distribute the SSH controls files (copy)
  • trigger an SSH keys update locally or remotely (apply)
  • create SSH key fingerprints
  • discover SSH host keys

:pushpin: manage_ssh.sh requires a correctly configured manage_ssh.conf or manage_ssh.conf.local in order to work.


$ manage_ssh.sh --help

**** manage_ssh.sh ****
**** (c) KUDOS BVBA - Patrick Van der Veken ****

Performs basic functions for SSH controls: update SSH keys locally or
remote, create SSH key fingerprints or copy/distribute the SSH controls files

Syntax: ./manage_ssh.sh [--help] | (--backup | --check-syntax | --preview-global | --make-finger | --update ) |
    (--apply [--slave] [--remote-dir=<remote_directory>] [--targets=<host1>,<host2>,...]) |
    ((--copy|--distribute) [--slave] [--remote-dir=<remote_directory> [--targets=<host1>,<host2>,...]]) |
    (--discover [--targets=<host1>,<host2>,...]) |
    ([--fix-local --fix-dir=<repository_dir> [--fix-user=<unix_account>] [--create-dir]] |
 	[--fix-remote [--slave] [--create-dir] [--targets=<host1>,<host2>,...]])
    [--local-dir=<local_directory>] [--no-log] [--log-dir=<log_directory>] [--debug]


--alias             : name of the alias to process
--apply|-a          : apply SSH controls remotely (~targets)
--backup|-b         : create a backup of the SSH controls repository (SSH master)
--check-syntax|-s   : do basic syntax checking on SSH controls configuration
                      (access, alias & keys files)
--copy|-c           : copy SSH control files to remote host (~targets)
--create-dir        : also create missing directories when fixing the SSH controls
                      repository (see also --fix-local/--fix-remote)
--debug             : print extra status messages on STDERR
--discover|-d       : discover SSH host keys (STDOUT)
--distribute        : same as --copy
--fix-dir           : location of the local SSH controls client repository
--fix-local         : fix permissions on the local SSH controls repository
                      (local SSH controls repository given by --fix-dir)
--fix-remote        : fix permissions on the remote SSH controls repository
--fix-user          : UNIX account to own SSH controls files [default: current user]
--help|-h           : this help text
--local-dir         : location of the SSH control files on the local filesystem.
                      [default: see LOCAL_DIR setting]
--log-dir           : specify a log directory location.
--no-log            : do not log any messages to the script log file.
--make-finger|-m    : create (local) key fingerprints file
--preview-global|-p : dump the global access namespace (after alias resolution)
--remote-dir        : directory where SSH control files are/should be
                      located/copied on/to the target host
                      [default: see REMOTE_DIR setting]
--resolve-alias|-r  : resolve an alias into its individual components
--slave             : perform actions in master->slave mode
--targets           : comma-separated list of target hosts or @groups to operate on.
                      Overrides hosts/@groups contained in the 'targets' file.
--update|-u         : apply SSH controls locally
--version|-V        : show the script version/release/fix

Note 1: copy and apply actions are run in parallel across a maximum of clients
        at the same time [default: see MAX_BACKGROUND_PROCS setting]
Note 2: for fix and apply actions: make sure correct 'sudo' rules are setup
        on the target systems to allow the SSH controls script to run with
        elevated privileges.
Note 3: only GLOBAL configuration files will be distributed to target hosts.


This helper script (convert_pubkey.pl) converts a standard public key into the format required by the SSH Controls framework.

$ pod2text convert_pubkey.pl

	update_ssh.pl -f|--file=<public_key> -l|--label=<label_name>


  • public_key: the OpenSSH or RFC4716 public key file (see also the FAQ on key formats).
  • label_name: a label that denotes the key in the access & alias master configuration files.

:pushpin: convert_pubkey.pl only supports RSA keys.
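A pre-flight check for a key file before it is handed to convert_pubkey.pl, given here as an added example that is not part of the SSH Controls code: it reads both input formats named above (OpenSSH one-line and RFC4716), rejects any key whose embedded algorithm is not RSA, and reports the modulus size. The function names and sample keys are constructed for illustration, and the fingerprint is the OpenSSH-style SHA256 digest, which is not necessarily what `--make-finger` writes.

```python
import base64, hashlib

def read_blob(text):
    """Return the binary key blob from OpenSSH one-line or RFC 4716 text."""
    lines = [l.strip() for l in text.splitlines() if l.strip()] or [""]
    if lines[0] == "---- BEGIN SSH2 PUBLIC KEY ----":
        body, continued = [], False
        for line in lines[1:]:
            if line == "---- END SSH2 PUBLIC KEY ----":
                break
            if continued or ":" in line:   # "Tag: value" header; a trailing "\" continues it
                continued = line.endswith("\\")
                continue
            body.append(line)
        return base64.b64decode("".join(body), validate=True)
    fields = lines[0].split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    return base64.b64decode(fields[1], validate=True)

def take(blob, off):
    """Read one length-prefixed field (uint32 big-endian length, then data)."""
    n = int.from_bytes(blob[off:off + 4], "big")
    end = off + 4 + n
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def inspect_pubkey(text):
    """Reject non-RSA keys; return modulus size and SHA256 fingerprint."""
    blob = read_blob(text)
    algo, off = take(blob, 0)          # the name inside the blob is authoritative
    if algo != b"ssh-rsa":
        raise ValueError("not an RSA key: " + algo.decode("ascii", "replace"))
    _e, off = take(blob, off)          # public exponent
    n, off = take(blob, off)           # modulus
    if off != len(blob):
        raise ValueError("trailing data after RSA modulus")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"bits": int.from_bytes(n, "big").bit_length(), "fingerprint": "SHA256:" + digest}

# Constructed samples: fixed byte patterns in the right wire layout, not real keys
def pack(b):
    return len(b).to_bytes(4, "big") + b
B64 = base64.b64encode(pack(b"ssh-rsa") + pack(b"\x01\x00\x01") + pack(b"\x00" + b"\xc3" * 256)).decode()
SAMPLE_OPENSSH = "ssh-rsa " + B64 + " constructed@example"
SAMPLE_RFC4716 = "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "constructed"']
                           + [B64[i:i + 70] for i in range(0, len(B64), 70)] + ["---- END SSH2 PUBLIC KEY ----"])
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(pack(b"ssh-ed25519") + pack(b"\x11" * 32)).decode()
```

Both encodings of the same key yield the same fingerprint, which makes it easy to confirm that a key received as RFC4716 matches the OpenSSH copy already on file.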