Add revoke command

This commit is contained in:
Lucas 2022-04-20 16:44:37 +00:00
parent 24522541ad
commit 9e75968acc
3 changed files with 68 additions and 5 deletions


@ -27,7 +27,7 @@ fi
cassh_command=$2
needs_agent=false
case $cassh_command in
issue)
issue|revoke)
needs_agent=true
;;
esac

38
cassh.1

@ -38,6 +38,12 @@
.Ic known_hosts
.Op hostnames ...
.Ek
.Nm
.Bk -words
.Cm revoke
.Op Fl qv
.Ar
.Ek
.Sh DESCRIPTION
.Nm
is a small utility for issuing and revoking OpenSSH Certificates.
@ -56,9 +62,14 @@ A Certification Authority directory consists of a
.Pa ./ca.pub
file corresponding to the public key of it, a
.Pa ./pubkeys/
directory which holds the public keys to be signed, and an optional
directory which holds the public keys to be signed, an optional
.Pa ./krl
file corresponding to the last issued Key Revocation List, and optional
.Pa ./serial.txt
file holding the current serial number for the issued certificates.
and
.Pa ./krl_serial.txt
files corresponding to the current serial number for the issued certificates
and Key Revocation Lists.
.Pp
The following commands are available to
.Nm :
@ -128,15 +139,34 @@ are concatenated with commas and copied verbatim to the output.
See
.Xr sshd 8 SSH_KNOWN_HOSTS FILE FORMAT
for details.
.It Cm revoke Oo Fl qv Oc Ar
Generates a Key Revocation List for the current Certification Authority.
All recognized options are passed down to
.Xr ssh-keygen 1
process.
See
.Xr ssh-keygen 1 KEY REVOCATION LISTS
for details on the file format for input files.
If
.Pa ./krl
exists,
.Cm revoke
will update.
.Pa ./krl
can be synced back with the input files by first removing it.
.El
.Sh FILES
.Bl -tag -width MMMMMMMMMMMMMM -compact
.Bl -tag -width MMMMMMMMMMMMMMMMMM -compact
.It Pa ./ca.pub
Certification Authority public key
.It Pa ./pubkeys/
Directory containing the public keys to be signed
.It Pa ./krl
Key Revocation List
.It Pa ./serial.txt
Last issued serial
Last issued serial for certificates
.It Pa ./krl_serial.txt
Last issued serial for KRLs
.El
.Sh EXIT STATUS
.Ex -std


@ -205,10 +205,42 @@ main_mkfile()
cat "$PATH_CA_PUB"
}
main_revoke()
{
qflag=
vflag=
while getopts fqv flag; do
case $flag in
q) qflag=-q ;;
v) vflag=${vflag:--}v ;;
*) usage ;;
esac
done
shift $(($OPTIND - 1))
if [ ! -f "$PATH_KRL_SERIAL" ]; then
echo 1 >"$PATH_KRL_SERIAL"
fi
read -r serial <"$PATH_KRL_SERIAL"
uflag=
if [ -f "$PATH_KRL" ]; then
uflag=-u
fi
ssh-keygen -kf "$PATH_KRL" -Us "$PATH_CA_PUB" -z "$serial" \
$qflag $vflag $uflag "$@" || exit 1
serial=$(($serial + 1))
echo $serial >"$PATH_KRL_SERIAL"
}
set -u
PATH_CA_PUB=./ca.pub
PATH_CA_SERIAL=./serial.txt
PATH_KRL=./krl
PATH_KRL_SERIAL=./krl_serial.txt
PATH_PUBKEYS_DIR=./pubkeys
if [ $# -lt 1 ]; then
@ -220,5 +252,6 @@ shift
case $cmd in
issue) main_issue "$@" ;;
mkfile) main_mkfile "$@" ;;
revoke) main_revoke "$@" ;;
*) usage ;;
esac
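Review bot: main_revoke reads the KRL serial from `$PATH_KRL_SERIAL` and passes it straight to `-z "$serial"` and `$(($serial + 1))` without checking that the file actually holds a number, so an empty or non-numeric file (for instance a truncated write) produces a bogus KRL version or an arithmetic error rather than a clear failure. A one-line guard after the `read -r serial` line would pin this down: `case $serial in ''|*[!0-9]*) echo "invalid KRL serial in $PATH_KRL_SERIAL" >&2; exit 1 ;; esac`. The optstring `fqv` also lists `f` while the `case` has no `f)` arm, so `-f` falls through to `usage`; that looks intentional (the script sets `-kf` itself), but a comment such as `# -f is listed only so getopts routes it to usage instead of letting it override -kf` would save the next reader from guessing. The read-then-write of the serial is not atomic, so two concurrent `revoke` runs can emit the same KRL version; presumably main_issue treats `$PATH_CA_SERIAL` the same way (it is outside this hunk), in which case the limitation should at least be stated in a comment on the function.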