Add revoke command
This commit is contained in:
parent
24522541ad
commit
9e75968acc
@ -27,7 +27,7 @@ fi
|
||||
cassh_command=$2
|
||||
needs_agent=false
|
||||
case $cassh_command in
|
||||
issue)
|
||||
issue|revoke)
|
||||
needs_agent=true
|
||||
;;
|
||||
esac
|
||||
|
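--- a/cassh.1
+++ b/cassh.1
@@ -38,6 +38,12 @@
 .Ic known_hosts
 .Op hostnames ...
 .Ek
+.Nm
+.Bk -words
+.Cm revoke
+.Op Fl qv
+.Ar
+.Ek
 .Sh DESCRIPTION
 .Nm
 is a small utility for issuing and revoking OpenSSH Certificates.
@@ -56,9 +62,14 @@ A Certification Authority directory consists of a
 .Pa ./ca.pub
 file corresponding to the public key of it, a
 .Pa ./pubkeys/
-directory which holds the public keys to be signed, and an optional
+directory which holds the public keys to be signed, an optional
+.Pa ./krl
+file corresponding to the last issued Key Revocation List, and optional
 .Pa ./serial.txt
-file holding the current serial number for the issued certificates.
+and
+.Pa ./krl_serial.txt
+files corresponding to the current serial number for the issued certificates
+and Key Revocation Lists.
 .Pp
 The following commands are available to
 .Nm :
@@ -128,15 +139,34 @@ are concatenated with commas and copied verbatim to the output.
 See
 .Xr sshd 8 SSH_KNOWN_HOSTS FILE FORMAT
 for details.
+.It Cm revoke Oo Fl qv Oc Ar
+Generates a Key Revocation List for the current Certification Authority.
+All recognized options are passed down to
+.Xr ssh-keygen 1
+process.
+See
+.Xr ssh-keygen 1 KEY REVOCATION LISTS
+for details on the file format for input files.
+If
+.Pa ./krl
+exists,
+.Cm revoke
+will update.
+.Pa ./krl
+can be synced back with the input files by first removing it.
 .El
 .Sh FILES
-.Bl -tag -width MMMMMMMMMMMMMM -compact
+.Bl -tag -width MMMMMMMMMMMMMMMMMM -compact
 .It Pa ./ca.pub
 Certification Authority public key
 .It Pa ./pubkeys/
 Directory containing the public keys to be signed
+.It Pa ./krl
+Key Revocation List
 .It Pa ./serial.txt
-Last issued serial
+Last issued serial for certificates
+.It Pa ./krl_serial.txt
+Last issued serial for KRLs
 .El
 .Sh EXIT STATUS
 .Ex -std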
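--- a/cassh.sh
+++ b/cassh.sh
@@ -205,10 +205,42 @@ main_mkfile()
 cat "$PATH_CA_PUB"
 }
 
+main_revoke()
+{
+qflag=
+vflag=
+while getopts fqv flag; do
+case $flag in
+q) qflag=-q ;;
+v) vflag=${vflag:--}v ;;
+*) usage ;;
+esac
+done
+shift $(($OPTIND - 1))
+
+if [ ! -f "$PATH_KRL_SERIAL" ]; then
+echo 1 >"$PATH_KRL_SERIAL"
+fi
+read -r serial <"$PATH_KRL_SERIAL"
+
+uflag=
+if [ -f "$PATH_KRL" ]; then
+uflag=-u
+fi
+
+ssh-keygen -kf "$PATH_KRL" -Us "$PATH_CA_PUB" -z "$serial" \
+$qflag $vflag $uflag "$@" || exit 1
+
+serial=$(($serial + 1))
+echo $serial >"$PATH_KRL_SERIAL"
+}
+
 set -u
 
 PATH_CA_PUB=./ca.pub
 PATH_CA_SERIAL=./serial.txt
+PATH_KRL=./krl
+PATH_KRL_SERIAL=./krl_serial.txt
 PATH_PUBKEYS_DIR=./pubkeys
 
 if [ $# -lt 1 ]; then
@@ -220,5 +252,6 @@ shift
 case $cmd in
 issue) main_issue "$@" ;;
 mkfile) main_mkfile "$@" ;;
+revoke) main_revoke "$@" ;;
 *) usage ;;
 esac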
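Review bot: main_revoke trusts whatever is in krl_serial.txt: the value from `read -r serial` goes straight into `-z "$serial"` and `$(($serial + 1))`, so an empty or non-numeric line (a hand-edited file, or one left truncated by an interrupted write) produces a KRL with a bogus or repeated version number instead of an error, and the version is what consumers are meant to use to tell a newer KRL from a stale one. I would validate it right after the read, `case $serial in ''|*[!0-9]*) echo "cassh: bad KRL serial in $PATH_KRL_SERIAL" >&2; exit 1 ;; esac`, before ssh-keygen is invoked. The option string `getopts fqv` also accepts `-f`, yet every branch other than q and v falls into `*) usage`, so the `f` looks like a leftover and could be dropped to keep the accepted flags matching the man page's `Oo Fl qv Oc`. If main_issue applies a similar check to serial.txt the two should share it, but that function lies outside this hunk so I cannot tell.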