manage_ssh.sh script

This script has only one client configuration file, which is either manage_ssh.conf or manage_ssh.conf.local. The latter can be used as a local override. Typically this configuration can be the same across an entire server park if you have a homogeneous environment. The following settings should be defined, for example:

# name of the user account performing the SSH controls copies
# (leave blank for current user)
SSH_TRANSFER_USER=""

# name of the OS group that should own the SSH controls files
SSH_OWNER_GROUP="sshadmin"

# whether a 'chmod' needs to be executed after each sftp transfer [0=Yes; 1=No]
DO_SFTP_CHMOD=0

# extra arguments/options for the SFTP command
SFTP_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -b - "

# extra arguments/options for the SSH command
SSH_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -n"

# location of the local SSH controls directory
LOCAL_DIR="/etc/ssh_master"

# location of the remote SSH controls directory
REMOTE_DIR="/etc/ssh_controls/holding"

# name of the user account performing the SSH controls update
# (leave blank for current user but user should have remote sudo root privs)
SSH_UPDATE_USER=""

# options to pass to manage_ssh.sh when executing a key update
SSH_UPDATE_OPTS="--verbose --remove"

# path to the ssh-keyscan tool
SSH_KEYSCAN_BIN="/usr/bin/ssh-keyscan"

# extra arguments/options for the ssh-keyscan command
# by default -f <file> is used by manage_ssh.sh to supply hostnames, do not add here
SSH_KEYSCAN_ARGS="-t rsa"

# whether to start an SSH agent process for the master->client operations [0=No; 1=Yes]
DO_SSH_AGENT=0

# location of the SSH private key that should be added to the SSH agent process
# must be a passphrase-less key (required when using DO_SSH_AGENT)
SSH_PRIVATE_KEY="$HOME/.ssh/id_rsa"

# maximum number of background processes to spawn (~maxuprc, ~nstrpty etc)
MAX_BACKGROUND_PROCS=30

# location of the backup directory (for configuration & key files)
BACKUP_DIR="${LOCAL_DIR}/backup"

# location of the log directory (default, see --log-dir)
LOG_DIR="/var/log"

# type of fingerprint (md5, sha256)
FINGERPRINT_TYPE="md5"

Keep in mind that the manage_ssh.conf file will always be copied from the SSH master when distributing keys. To specify a truly local configuration for certain hosts, use the local override file manage_ssh.conf.local.
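Because manage_ssh.conf is pushed from the master to every client, a weak setting (host key checking switched off, an unprotected agent key) is replicated across the whole park. The following added example, which is not part of SSH Controls, audits a manage_ssh.conf written in the KEY="value" layout above for those settings; the checks and the exit-status convention are this example's own, only the variable names come from the configuration shown.

```shell
#!/bin/sh
# Added example, not part of SSH Controls: audit a manage_ssh.conf in the
# KEY="value" layout shown above for settings that weaken master->client key
# distribution. The exit status is the number of findings, so the function can
# gate a cron job or a CI step. Checks are constructed; variable names are the page's.

conf_val() {  # $1=conf file, $2=KEY; last assignment wins, quotes stripped, file is not sourced
    grep "^${2}=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

check_manage_ssh_conf() {
    conf="$1"
    findings=0
    # 1. StrictHostKeyChecking=no makes the master push key files to whatever host
    #    answers for a client name, so a spoofed client can collect them unnoticed.
    for var in SSH_ARGS SFTP_ARGS; do
        case "$(conf_val "$conf" "$var")" in
            *StrictHostKeyChecking=no*)
                echo "WARN: $var disables host key verification" >&2
                findings=$((findings + 1)) ;;
        esac
    done
    # 2. sha256 has been the OpenSSH fingerprint default since 6.8; md5 fingerprints
    #    no longer match what ssh-keygen -l prints and are weaker for comparison.
    if [ "$(conf_val "$conf" FINGERPRINT_TYPE)" = "md5" ]; then
        echo "WARN: FINGERPRINT_TYPE=md5, prefer sha256" >&2
        findings=$((findings + 1))
    fi
    # 3. With DO_SSH_AGENT=1 the agent loads a passphrase-less key, so the file must
    #    exist and be readable by its owner only. Only $HOME is expanded in the path.
    if [ "$(conf_val "$conf" DO_SSH_AGENT)" = "1" ]; then
        key=$(conf_val "$conf" SSH_PRIVATE_KEY | sed "s|[\$]HOME|$HOME|g")
        if [ ! -r "$key" ]; then
            echo "ERROR: DO_SSH_AGENT=1 but SSH_PRIVATE_KEY=$key is not readable" >&2
            findings=$((findings + 1))
        elif [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
            echo "ERROR: SSH_PRIVATE_KEY=$key is group- or world-readable" >&2
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# stand-alone use: sh audit_manage_ssh.sh /etc/ssh_master/manage_ssh.conf
if [ -n "${1:-}" ]; then
    check_manage_ssh_conf "$1"
fi
```

Run it against manage_ssh.conf.local as well, since that override is exactly where a host-specific relaxation would hide.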

update_ssh.pl script

This script also has only one client configuration file, which is either update_ssh.conf or update_ssh.conf.local. The latter can be used as a local override. Typically this configuration can be the same across an entire server park if you have a homogeneous environment. The following settings should be defined, for example:

# use short hostnames or FQDN (0=short names; 1=FQDN) [default: 0]
use_fqdn=1

# target directory for allowed SSH key files
access_dir=/etc/ssh_controls/keys.d

# toggle to specify the final location of public keys by allowing the value of
# $access_dir to be overridden by the 'AuthorizedKeysFile' setting of sshd
# (=enables the use of $HOME/.ssh for public keys, for example):
#   'use_controls': take the value from the configured 'access_dir' option
#   'use_sshd'    : use the value from the 'AuthorizedKeysFile' setting in sshd
# [default: use_controls]
key_location=use_controls

# location of the keys blacklist file
blacklist_file=/etc/ssh_controls/keys.blacklisted

If /etc/ssh_controls is the path to the local SSH controls repository on all your client systems, then you can leave this file as-is. Keep in mind that the update_ssh.conf file will always be copied from the SSH master when distributing keys. To specify a truly local configuration for certain hosts, use the local override file update_ssh.conf.local.

:pushpin: SSH Controls will not create parent or intermediate directories in the public key file path if they are missing (for example when using $HOME/.ssh as the target location).
