manage_ssh.sh script
This script only has one client configuration file which is either manage_ssh.conf or manage_ssh.conf.local. The latter can be used as a local override. Typically this configuration can be the same across an entire server park if you have a homogeneous environment. Following settings should be defined, for example:
# name of the user account performing the SSH controls copies
# (leave blank for current user)
SSH_TRANSFER_USER=""
# name of the OS group that should own the SSH controls files
SSH_OWNER_GROUP="sshadmin"
# whether a 'chmod' needs to be executed after each sftp transfer [0=Yes; 1=No]
DO_SFTP_CHMOD=0
# extra arguments/options for the SFTP command
SFTP_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -b - "
# extra arguments/options for the SSH command
SSH_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -n"
# location of the local SSH controls directory
LOCAL_DIR="/etc/ssh_master"
# location of the remote SSH controls directory
REMOTE_DIR="/etc/ssh_controls/holding"
# name of the user account performing the SSH controls update
# (leave blank for current user but user should have remote sudo root privs)
SSH_UPDATE_USER=""
# options to pass to manage_ssh.sh when executing a key update
SSH_UPDATE_OPTS="--verbose --remove"
# path to the ssh-keyscan too
SSH_KEYSCAN_BIN="/usr/bin/ssh-keyscan"
# extra arguments/options for the ssh-keyscan command
# by default -f <file> is used by manage_ssh.sh to supply hostnames, do not add here
SSH_KEYSCAN_ARGS="-t rsa"
# whether to start an SSH agent process for the master->client operations [0=No; 1=Yes]
DO_SSH_AGENT=0
# location of the SSH private key that should be added to the SSH agent process
# must be a passphrase-less key (required when using DO_SSH_AGENT)
SSH_PRIVATE_KEY="$HOME/.ssh/id_rsa"
# maximum number of background process to spawn (~maxuprc, ~nstrpty etc)
MAX_BACKGROUND_PROCS=30
# location of the backup directory (for configuration & key files)
BACKUP_DIR="${LOCAL_DIR}/backup"
# location of log directory (default), see --log-dir)
LOG_DIR="/var/log"
# type of fingerpint (md5, sha256)
FINGERPRINT_TYPE="md5"Keep in mind that the manage_ssh.conf file will be always be copied from the SSH master when distributing keys. To specify a truly local configuration for certain hosts, you can use local override manage_ssh.conf.local file.
update_ssh.pl script
This script also only has one client configuration file which is either update_ssh.conf or update_ssh.conf.local. The latter can be used as a local override. Typically this configuration can be the same across an entire server park if you have a homogeneous environment. Following settings should be defined, for example:
# use short hostnames or FQDN (0=short names; 1=FQDN) [default: 0]
use_fqdn=1
# target directory for allowed SSH key files
access_dir=/etc/ssh_controls/keys.d
# toggle to specify the final location of public keys by allowing to override
# the value of $access_dir with the 'AuthorizedKeysFile' in sshd (=enables the
# use of $HOME/.ssh for public keys for example):
# 'use_controls': take the value from the configured 'access_dir' option
# 'use_sshd' : use the value from 'AuthorizedKeysFile' setting in sshd
# [default: use_controls]
key_location=use_controls
# location of the keys blacklist file
blacklist_file=/etc/ssh_controls/keys.blacklistedIf /etc/ssh_controls is the path to the local SSH controls repository on all your client systems, then you can leave this file as-is. Keep in mind that the update_ssh.conf file will be always be copied from the SSH master when distributing keys. To specify a truly local configuration for certain hosts, you can use local override update_ssh.conf.local file.
SSH Controls will not create parent nor intermediate directories in the public key file path if they are missing ( for example when using $HOME/.ssh as target location).
Leave a comment