Add revoke command

This commit is contained in:
Lucas 2022-04-20 16:44:37 +00:00
parent 24522541ad
commit 9e75968acc
3 changed files with 68 additions and 5 deletions


@ -27,7 +27,7 @@ fi
cassh_command=$2 cassh_command=$2
needs_agent=false needs_agent=false
case $cassh_command in case $cassh_command in
issue) issue|revoke)
needs_agent=true needs_agent=true
;; ;;
esac esac

cassh.1

@ -38,6 +38,12 @@
.Ic known_hosts .Ic known_hosts
.Op hostnames ... .Op hostnames ...
.Ek .Ek
.Nm
.Bk -words
.Cm revoke
.Op Fl qv
.Ar
.Ek
.Sh DESCRIPTION .Sh DESCRIPTION
.Nm .Nm
is a small utility for issuing and revoking OpenSSH Certificates. is a small utility for issuing and revoking OpenSSH Certificates.
@ -56,9 +62,14 @@ A Certification Authority directory consists of a
.Pa ./ca.pub .Pa ./ca.pub
file corresponding to the public key of it, a file corresponding to the public key of it, a
.Pa ./pubkeys/ .Pa ./pubkeys/
directory which holds the public keys to be signed, and an optional directory which holds the public keys to be signed, an optional
.Pa ./krl
file corresponding to the last issued Key Revocation List, and optional
.Pa ./serial.txt .Pa ./serial.txt
file holding the current serial number for the issued certificates. and
.Pa ./krl_serial.txt
files corresponding to the current serial number for the issued certificates
and Key Revocation Lists.
.Pp .Pp
The following commands are available to The following commands are available to
.Nm : .Nm :
@ -128,15 +139,34 @@ are concatenated with commas and copied verbatim to the output.
See See
.Xr sshd 8 SSH_KNOWN_HOSTS FILE FORMAT .Xr sshd 8 SSH_KNOWN_HOSTS FILE FORMAT
for details. for details.
.It Cm revoke Oo Fl qv Oc Ar
Generates a Key Revocation List for the current Certification Authority.
All recognized options are passed down to
.Xr ssh-keygen 1
process.
See
.Xr ssh-keygen 1 KEY REVOCATION LISTS
for details on the file format for input files.
If
.Pa ./krl
exists,
.Cm revoke
will update.
.Pa ./krl
can be synced back with the input files by first removing it.
.El .El
.Sh FILES .Sh FILES
.Bl -tag -width MMMMMMMMMMMMMM -compact .Bl -tag -width MMMMMMMMMMMMMMMMMM -compact
.It Pa ./ca.pub .It Pa ./ca.pub
Certification Authority public key Certification Authority public key
.It Pa ./pubkeys/ .It Pa ./pubkeys/
Directory containing the public keys to be signed Directory containing the public keys to be signed
.It Pa ./krl
Key Revocation List
.It Pa ./serial.txt .It Pa ./serial.txt
Last issued serial Last issued serial for certificates
.It Pa ./krl_serial.txt
Last issued serial for KRLs
.El .El
.Sh EXIT STATUS .Sh EXIT STATUS
.Ex -std .Ex -std


@ -205,10 +205,42 @@ main_mkfile()
cat "$PATH_CA_PUB" cat "$PATH_CA_PUB"
} }
main_revoke()
{
qflag=
vflag=
while getopts fqv flag; do
case $flag in
q) qflag=-q ;;
v) vflag=${vflag:--}v ;;
*) usage ;;
esac
done
shift $(($OPTIND - 1))
if [ ! -f "$PATH_KRL_SERIAL" ]; then
echo 1 >"$PATH_KRL_SERIAL"
fi
read -r serial <"$PATH_KRL_SERIAL"
uflag=
if [ -f "$PATH_KRL" ]; then
uflag=-u
fi
ssh-keygen -kf "$PATH_KRL" -Us "$PATH_CA_PUB" -z "$serial" \
$qflag $vflag $uflag "$@" || exit 1
serial=$(($serial + 1))
echo $serial >"$PATH_KRL_SERIAL"
}
set -u set -u
PATH_CA_PUB=./ca.pub PATH_CA_PUB=./ca.pub
PATH_CA_SERIAL=./serial.txt PATH_CA_SERIAL=./serial.txt
PATH_KRL=./krl
PATH_KRL_SERIAL=./krl_serial.txt
PATH_PUBKEYS_DIR=./pubkeys PATH_PUBKEYS_DIR=./pubkeys
if [ $# -lt 1 ]; then if [ $# -lt 1 ]; then
@ -220,5 +252,6 @@ shift
case $cmd in case $cmd in
issue) main_issue "$@" ;; issue) main_issue "$@" ;;
mkfile) main_mkfile "$@" ;; mkfile) main_mkfile "$@" ;;
revoke) main_revoke "$@" ;;
*) usage ;; *) usage ;;
esac esac
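Review bot: The option string in main_revoke, `while getopts fqv flag; do`, declares an `-f` option that no case arm handles and that the man page's `.Op Fl qv` does not document, so `-f` is routed to `*) usage` without getopts' own "illegal option" diagnostic; `while getopts qv flag; do` matches the documented interface (the stray `f` looks copied from another subcommand's parser, though that parser is outside this hunk). The serial read from `$PATH_KRL_SERIAL` is also used unvalidated in `-z "$serial"` and `$(($serial + 1))`; an empty or non-numeric file (truncated write, hand edit) would presumably be rejected by ssh-keygen or the arithmetic rather than reported clearly, so a guard right after the read such as `case $serial in ''|*[!0-9]*) echo "cassh: invalid KRL serial in $PATH_KRL_SERIAL" >&2; exit 1 ;; esac` keeps the KRL and its serial counter consistent. main_revoke starts and ends inside this hunk; the dispatch arm added in the second hunk needs no change.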