hostkey-rotate.sh revision 285031
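#	$OpenBSD: hostkey-rotate.sh,v 1.2 2015/03/03 17:53:40 djm Exp $
#	Placed in the Public Domain.

# Regression test for the client-side UpdateHostkeys feature: connect to the
# proxy sshd repeatedly while the server's set of host keys is grown, changed
# and shrunk, and after each connection check that $OBJ/known_hosts holds
# exactly the keys the server currently offers -- nothing extra (a key that
# was never proven by the server must not be trusted) and nothing stale (a
# retired key must be forgotten, or a later attacker holding it could still
# impersonate the host).
#
# Sourced by test-exec.sh, which provides $OBJ, ${SSH}, ${SSHKEYGEN} and the
# trace/verbose/fail/fatal helpers, and which regenerates ssh_proxy/sshd_proxy
# for every test run.

tid="hostkey rotate"

# Need full names here since they are used in HostKeyAlgorithms.
# NOTE(review): not referenced below -- the key list actually exercised is
# whatever `${SSH} -Q key-plain` reports; kept as documentation of intent.
HOSTKEY_TYPES="ecdsa-sha2-nistp256 ssh-ed25519 ssh-rsa ssh-dss"

# Start from a clean slate: stale host keys, config copies or a known_hosts
# left by an earlier run would skew the key counts asserted below.
# (-f: none of these need exist yet; the original bare `rm known_hosts`
# complained on a first run.)
rm -f "$OBJ"/hkr.* "$OBJ/ssh_proxy.orig" "$OBJ/sshd_proxy.orig" "$OBJ/known_hosts"

# sshd_proxy.orig is the server config with every HostKey line removed; the
# test appends its own key set to it and copies it into place as sshd_proxy
# whenever the server's key set should change.
grep -vi 'hostkey' "$OBJ/sshd_proxy" > "$OBJ/sshd_proxy.orig"
# Feature under test: allow the client to add/replace/remove host keys that
# the server announces once the connection's host key has been verified.
echo "UpdateHostkeys=yes" >> "$OBJ/ssh_proxy"

trace "prepare hostkeys"
nkeys=0
all_algs=""
# Ask the ssh under test (not whichever `ssh` is first in PATH) which key
# types it supports, so the generated keys, the expected count and the
# HostKeyAlgorithms lists all agree with the binaries being exercised.
# Word-splitting on the output is intended: one key type per word.
for k in $(${SSH} -Q key-plain) ; do
	${SSHKEYGEN} -qt "$k" -f "$OBJ/hkr.$k" -N '' || fatal "ssh-keygen $k"
	echo "Hostkey $OBJ/hkr.${k}" >> "$OBJ/sshd_proxy.orig"
	nkeys=$((nkeys + 1))
	# Comma-separated list of every key type, for HostKeyAlgorithms.
	all_algs="${all_algs:+$all_algs,}$k"
done

# dossh [ssh options...]: connect to the proxy sshd with the given extra
# options and run a trivial command. Every connection in this test is
# expected to succeed, so a rejected or mismatched host key fails here.
dossh() {
	${SSH} -F "$OBJ/ssh_proxy" "$@" x true || fail "ssh $* failed"
}

# expect_nkeys N MESSAGE: fail unless known_hosts has exactly N lines.
# Each learned key is one line, so the line count is the number of keys the
# client currently trusts for this host.
expect_nkeys() {
	_expected=$1
	_message=$2
	# Read via stdin so a missing known_hosts is a real (fatal) error rather
	# than a status masked by a downstream awk.
	_n=$(wc -l < "$OBJ/known_hosts") || fatal "wc failed"
	_n=$((_n))	# BSD wc pads its output; normalise to a bare number
	[ "$_n" -eq "$_expected" ] || fail "$_message (got $_n wanted $_expected)"
}

# check_key_present TYPE [PUBFILE]: succeed iff the public key of the given
# type in PUBFILE (default $OBJ/hkr.TYPE.pub) appears in known_hosts.
# Used both positively ("key was learned") and negatively ("old key was
# forgotten"), so it must not silently match when the key cannot be read.
check_key_present() {
	_type=$1
	_kfile=${2:-"$OBJ/hkr.${_type}.pub"}
	# Public key files are "TYPE BASE64 [comment]"; compare the type as a
	# whole field (no regex interpolation) and take the key blob.
	_kpub=$(awk -v t="$_type" '$1 == t { print $2; exit }' < "$_kfile") || \
		fatal "awk failed"
	# An empty pattern would match every line of known_hosts and turn a
	# missing or unreadable key into a false "present"; treat that as a
	# broken fixture instead of letting the assertion pass.
	[ -n "$_kpub" ] || fatal "no $_type key found in $_kfile"
	grep -F -- "$_kpub" "$OBJ/known_hosts" > /dev/null
}

cp "$OBJ/sshd_proxy.orig" "$OBJ/sshd_proxy"

# Connect to sshd with StrictHostkeyChecking=no: first contact with an unknown
# host, accepted on trust (TOFU) and restricted to the ed25519 key.
verbose "learn hostkey with StrictHostKeyChecking=no"
>"$OBJ/known_hosts"
dossh -oHostKeyAlgorithms=ssh-ed25519 -oStrictHostKeyChecking=no
# Verify no additional keys learned: only the key actually used for this
# connection may end up in known_hosts.
expect_nkeys 1 "unstrict connect keys"
check_key_present ssh-ed25519 || fail "unstrict didn't learn key"

# Connect to sshd as usual. Now that one key is known and host key checking
# is strict, the remaining keys the server announces should be learned.
verbose "learn additional hostkeys"
dossh -oStrictHostKeyChecking=yes
# Check that other keys learned
expect_nkeys $nkeys "learn hostkeys"
check_key_present ssh-rsa || fail "didn't learn keys"

# Check each key type: prefer each type in turn for the connection and make
# sure the full set stays learned and includes that type.
for k in $(${SSH} -Q key-plain) ; do
	verbose "learn additional hostkeys, type=$k"
	dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms="$k,$all_algs"
	expect_nkeys $nkeys "learn hostkeys $k"
	check_key_present "$k" || fail "didn't learn $k"
done

# Change one hostkey (non primary) and relearn: the server keeps the same
# HostKey path but the key behind it is regenerated.
verbose "learn changed non-primary hostkey"
mv "$OBJ/hkr.ssh-rsa.pub" "$OBJ/hkr.ssh-rsa.pub.old"
rm -f "$OBJ/hkr.ssh-rsa"
${SSHKEYGEN} -qt ssh-rsa -f "$OBJ/hkr.ssh-rsa" -N '' || fatal "ssh-keygen ssh-rsa"
dossh -oStrictHostKeyChecking=yes
# Check that the key was replaced, not merely added alongside the old one.
expect_nkeys $nkeys "learn hostkeys"
check_key_present ssh-rsa "$OBJ/hkr.ssh-rsa.pub.old" && fail "old key present"
check_key_present ssh-rsa || fail "didn't learn changed key"

# Add new hostkey (primary type) to sshd and connect
verbose "learn new primary hostkey"
${SSHKEYGEN} -qt ssh-rsa -f "$OBJ/hkr.ssh-rsa-new" -N '' || fatal "ssh-keygen ssh-rsa"
( cat "$OBJ/sshd_proxy.orig" ; echo "HostKey $OBJ/hkr.ssh-rsa-new" ) \
    > "$OBJ/sshd_proxy"
# Check new hostkey added: both ssh-rsa keys are now offered and both must be
# known.
dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms="ssh-rsa,$all_algs"
expect_nkeys $((nkeys + 1)) "learn hostkeys"
check_key_present ssh-rsa || fail "current key missing"
check_key_present ssh-rsa "$OBJ/hkr.ssh-rsa-new.pub" || fail "new key missing"

# Remove old hostkey (primary type) from sshd: the new key takes over the
# original HostKey path and the old one is no longer offered at all.
verbose "rotate primary hostkey"
cp "$OBJ/sshd_proxy.orig" "$OBJ/sshd_proxy"
mv "$OBJ/hkr.ssh-rsa.pub" "$OBJ/hkr.ssh-rsa.pub.old"
mv "$OBJ/hkr.ssh-rsa-new.pub" "$OBJ/hkr.ssh-rsa.pub"
mv "$OBJ/hkr.ssh-rsa-new" "$OBJ/hkr.ssh-rsa"
# Check old hostkey removed from known_hosts -- a retired key must not stay
# trusted.
dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms="ssh-rsa,$all_algs"
expect_nkeys $nkeys "learn hostkeys"
check_key_present ssh-rsa "$OBJ/hkr.ssh-rsa.pub.old" && fail "old key present"
check_key_present ssh-rsa || fail "didn't learn changed key"

# Connect again, forcing rotated key: with only ssh-rsa allowed, known_hosts
# must end up holding exactly the one rotated key.
verbose "check rotate primary hostkey"
dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa
expect_nkeys 1 "learn hostkeys"
check_key_present ssh-rsa || fail "didn't learn changed key"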
114161680Sdavidxu 115179970Sdavidxutid="hostkey rotate" 116161680Sdavidxu 117179970Sdavidxu# Prepare hostkeys file with one key 118161680Sdavidxu 119161680Sdavidxu# Connect to sshd 120161680Sdavidxu 121161680Sdavidxu# Check that other keys learned 122161680Sdavidxu 123234372Sdavidxu# Change one hostkey (non primary) 124234372Sdavidxu 125234372Sdavidxu# Connect to sshd 126161680Sdavidxu 127161680Sdavidxu# Check that the key was replaced 128177850Sdavidxu 129177850Sdavidxu