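#!/bin/sh
# Replaces a CA-signed pubkey in the SSH agent with freshly generated
# and freshly signed key with a fresh validity.
#
# Expects "$(dirname "$0")/common" to define ss_lf, the wrapper used to
# run the ssh-keygen / ssh-add steps below, and to take care of the
# files listed in $TMPFILES at exit — presumably; verify against common.
#
# Key material: the new private key is written unencrypted (-N "") into
# a fresh 0700 directory under /dev/shm, so its on-disk lifetime is only
# as short as that cleanup makes it.
TMPDIR=""
KEYNAME="$(hostname -s)-key"
VALIDITY="+1d"
CAKEY="$HOME/.ssh/user-ca-key"
# "." rather than "source": this script runs under #!/bin/sh.
. "$(dirname "$0")/common"
# Restrict every file created from here on to the owner.
umask 077
# Create the temp dir BEFORE deriving $TMPFILES from it. Building the
# list first (as the original did) left it pointing at paths under the
# empty $TMPDIR, so the real key files were never listed for cleanup.
TMPDIR=$(mktemp -d /dev/shm/ssh-key.XXXXX) || exit 1
TMPFILES="$TMPDIR/$KEYNAME $TMPDIR/$KEYNAME.pub $TMPDIR/$KEYNAME-cert.pub $TMPDIR/oldkey.pub $TMPDIR/fd1 $TMPDIR/fd2"
# Search agent keys for one with $KEYNAME in the comment field (awk $3)
# and remove it. The name is handed to awk via -v rather than spliced
# into the program text, so it is never re-parsed as awk source.
ssh-add -L | awk -v name="$KEYNAME" '$3 ~ name { print $0 }' |
while IFS= read -r key; do
  # Extract the pubkey from the ssh-agent as deletion via
  # "ssh-add -d" can't go by name reference alone.
  printf '%s\n' "$key" > "$TMPDIR/oldkey.pub"
  ssh-add -d "$TMPDIR/oldkey.pub" 2> /dev/null
done
# Generate new key (unencrypted; it lives only in $TMPDIR and the agent).
ss_lf ssh-keygen -N "" -f "$TMPDIR/$KEYNAME"
# Sign key; the certificate identity is the random temp-dir name.
ss_lf ssh-keygen -s "$CAKEY" -I "$(basename "$TMPDIR")" -V "$VALIDITY" "$TMPDIR/$KEYNAME.pub"
# Add key to agent
ss_lf ssh-add "$TMPDIR/$KEYNAME"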