Key Manager Code
Status: Beta
Brought to you by:
zapman449
Covered in this document:
1) Summary of Root key-manager commands
2) Summary of master user key-manager commands
3) Summary of the included 'helper functions'
4) Detailed overview of each root key-manager command
5) Detailed overview of each master user key-manager command
Root Commands:
-S Synchronize database to all local users
-s Synchronize database for a specific user
-n create New group
-N Bulk create new groups (requires a formatted file)
-d delete group
-D delete group (force delete, even if group is not empty)
-p Print a specific password/passphrase
-P Print all user names, passwords and passphrases.
-l Generates a list of each group, and which logins are associated with it.
-h Print this message and exit
Master User Commands:
-i Initialize a login on a server (bring it under mgmt)
-I Force initialize a login on a server (useful if server is rebuilt)
-J Bulk Initialize (requires a formatted file)
-a Add a login to a group
-A Bulk Add a login to a group (requires a formatted file)
-r Remove a login from a group
-R Revoke a server (attempt to login, clean keys, remove server from mgmt)
-B Revoke all servers (attempt to login, clean keys, remove each server
from mgmt)
-k Regenerate all keys (does not change passwords/passphrases)
-K Regenerate all keys (creates new passwords/passphrases)
-s Sync database to current user
-l Generates a list of each group, and which logins are associated with it.
-h Print this message and exit
INCLUDED 'HELPER' PROGRAMS:
km_access_audit: goes through each access_*.txt file and attempts to log in to
each one, using your key. Assumes ssh-agent is invoked. It reports an error
for each host/user pair it can't reach.
km_update_known_hosts: This will remove your .ssh/known_hosts file, and
rebuild it based on the access_*.txt files. Any host listed in them will
be queried with ssh-keyscan for its name (FQDN), its short name, and
its IP address. Since an 'unknown key' error can really mess with
km_batch_copy/execute, this is a good thing to play with first.
km_batch_copy: Take a single file, and copy it to all machines under that
group's management. Parses the access_*.txt files, and distributes the file.
You can specify a remote directory as well (optionally). Designed to be
used with km_batch_execute.
km_batch_execute: You specify an output directory, and a command. The
command will be run on each machine under management. The output will be
placed in a file named servername.datetimestamp in the output directory.
An additional file will be made called 'details-report.datetimestamp' which
will contain the command run.
NOTE: Some suggestions:
1) If the command is complicated, wrap it up in
a script, and push it out with km_batch_copy, then run it with
km_batch_execute. There are limits to passing weird pipes and quotes
through bash's $@ to ssh's remote command syntax.
2) Think about how you want output, and code it into your script.
3) These programs are just simple shell scripts. There are a
million ways to work within the key-manager framework. Key-manager is
designed to make this stuff possible. Using that framework is pretty
straightforward, so feel free to write your own version of the scripts
if these don't work how you need them to. That's why these are shell
scripts... easy to hack and modify and read and understand.
ROOT FUNCTIONS:
-s synchronize database for a specific user
Reset the user's password on the local host. Also, reset the access_*.txt
files.
-S synchronize database to all local users
Reset ALL management users on the local host. Passwords and access_*.txt.
NOTE: MUST BE USED AFTER 'key-manager -k' or 'key-manager -K' (as mgrall)
-n create New group
Create a new (empty) group on the management server.
-N Bulk create new groups (requires a formatted file)
Create lots of new groups on the management server. This command will
ask for a file of new groups. Each group name must be listed, one per
line. Note: a new management user is created for each group.
-d delete group
Delete a group. Note: this will NOT remove the user. You will have to
do this manually after the fact. NOTE2: If a group has remote logons
associated with it, the delete will fail. Please 'key-manager -r' (as
mgrall) each logon from the group first.
-D delete group (force delete, even if group is not empty)
Force delete a group, even if it has logons associated with it. USE
WITH CAUTION.
-p Print a specific password/passphrase
This will ask for a group name, and it will print the password and ssh
passphrase for that group.
-P Print all user names, passwords and passphrases.
This will print the password/ssh passphrase for all users.
-l Generates a list of each group, and which logins are associated with it.
This generates a list of all groups, and the logons associated with them.
-h Print this message and exit
Print root's available options.
MASTER USER FUNCTIONS:
-i Initialize a login on a server (bring it under mgmt)
Bring a remote username/server pair (a logon) under management. If
key-manager believes the logon to be already under management, it
will fail.
-I Force initialize a login on a server (useful if server is rebuilt)
Force initialization of a logon. Ignore the usual checks.
-J Bulk Initialize (requires a formatted file)
Bulk initialize lots of remote logons. This will ask you for a file.
The file should be formatted like this:
servername remoteusername password
one line per logon.
-a Add a login to a group
Add a single logon which is already under management to a group.
-A Bulk Add a login to a group (requires a formatted file)
Bulk add several logons to several groups. The format of the file is:
servername remoteusername groupname
one line per logon/group pair. If you are adding a logon to multiple
groups, each group needs its own line.
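Because 'key-manager -A' only accepts the three-field format above, it helps to check a bulk file before feeding it in. The following script is an added example (not part of key-manager); the documented line format is the only thing it takes from the tool, the field checks, the sample data and the per-group summary (modelled on what '-l' reports) are assumptions.

```shell
#!/bin/sh
# Added example, not key-manager's own code. Checks a bulk-add file for
# 'key-manager -A' (one "servername remoteusername groupname" per line)
# and summarises which logons each group would receive.

# validate_bulk_add FILE
# Prints one diagnostic per rejected line; returns 1 if anything was rejected.
validate_bulk_add() {
    awk '
        BEGIN { bad = 0 }
        NF == 0 { next }                     # blank lines are ignored
        NF != 3 { printf "line %d: expected 3 fields, got %d\n", NR, NF; bad = 1; next }
        # assumed naming rules: hostname/FQDN, then POSIX-style user and group names
        $1 !~ /^[A-Za-z0-9][A-Za-z0-9.-]*$/ { printf "line %d: bad servername \"%s\"\n", NR, $1; bad = 1; next }
        $2 !~ /^[a-z_][a-z0-9_-]*$/ { printf "line %d: bad remoteusername \"%s\"\n", NR, $2; bad = 1; next }
        $3 !~ /^[a-z_][a-z0-9_-]*$/ { printf "line %d: bad groupname \"%s\"\n", NR, $3; bad = 1; next }
        # the same logon/group pair listed twice is almost always a copy-paste slip
        ($1 " " $2 " " $3) in first { printf "line %d: duplicate of line %d\n", NR, first[$1 " " $2 " " $3]; bad = 1; next }
        { first[$1 " " $2 " " $3] = NR }
        END { exit bad }
    ' "$1"
}

# logons_per_group FILE
# For a file that passed validation, prints "groupname: user@server ..." per group.
logons_per_group() {
    awk 'NF == 3 { g[$3] = g[$3] " " $2 "@" $1 }
         END { for (k in g) print k ":" g[k] }' "$1" | sort
}

# write_sample FILE: constructed input with one duplicate and one short line.
write_sample() {
    cat > "$1" <<'EOF'
web01.example.com www webfarm
web02.example.com www webfarm
db01.example.com postgres dbs
web01.example.com www webfarm
db02.example.com postgres
EOF
}

# Usage: write_sample /tmp/bulk.txt; validate_bulk_add /tmp/bulk.txt && logons_per_group /tmp/bulk.txt
```

Run the validator until it exits 0, then hand the file to 'key-manager -A'.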
-r Remove a login from a group
Remove a logon from a group. It will ask for a server and a user, and
if the logon is under management, it will remove the ability for that
group to use that logon.
-R Revoke a server (attempt to login, clean keys, remove server from mgmt)
This will log on to the remote server (AS EACH USER UNDER MANAGEMENT),
remove the key-manager keys, and remove the server (and all associated
users) from the key-manager database. This is useful if a server is
decommissioned.
-B Revoke all servers (attempt to login, clean keys, remove each server
from mgmt)
This is useful for cleaning up a badly out of date key-manager database.
-k Regenerate all keys (does not change passwords/passphrases)
This will re-generate all ssh keys, but won't change the passwords or
passphrases on them. This is a good thing to set up as a cronjob to
protect the integrity of the private keys, without affecting the users
of them. Note: this also propagates all keys out to all servers that
can be reached. If a server can't be reached, it must be MANUALLY
re-initialized with -I. NOTE: YOU NEED TO SYNC EACH USER AS ROOT ( -S )
AFTER DOING THIS, OTHERWISE STUFF WILL NOT WORK.
-K Regenerate all keys (creates new passwords/passphrases)
This will regenerate all keys, passwords and passphrases for all groups,
and distributes the new keys to all users. This is designed to enforce
a password expiration policy. The same issues with -k apply.
-s Sync database to current user
Sync the current user: reset their password, sync the ssh public and
private keys with the 'official' versions, and rebuild the access_*.txt
files.
-l Generates a list of each group, and which logins are associated with it.
This generates a list of all groups, and the logons associated with them.
-h Print this message and exit
Print the master user's available options.