readme update

README.md

@@ -18,6 +18,12 @@ step ca init --ssh --acme
 
 ## SSH Certificates
 
+Install script:
+
+```bash
+bash <(curl -sL https://gitea.john-stream.com/john/janus/raw/branch/main/scripts/ssh-server-check.sh)
+```
+
 ### Server
 
 Use step-ca to sign an existing public key to produce a signed certificate with some principals on it.

scripts/ssh-client.sh

@@ -0,0 +1,121 @@
+#!/usr/bin/env bash
+
+#
+# Env vars
+#
+
+SSH_CFG_PATH="$(readlink -f ~/.ssh)"
+SSH_USER_KEY="$SSH_CFG_PATH/id_ed25519"
+SSH_USER_PUBLIC_KEY="$SSH_USER_KEY.pub"
+SSH_USER_CERT="$SSH_USER_KEY-cert.pub"
+
+GREEN_CHECK="\e[32m✔\e[0m"
+RED_X="\e[31m✗\e[0m"
+YELLOW_BANG="\e[33m!\e[0m"
+MAGENTA_QUESTION="\e[35m?\e[0m"
+UP_ONE_LINE="\e[1A"
+
+#
+# Function Definitions
+#
+
+reset_line() {
+    echo -en "\r\e[K"
+}
+
+title_msg() {
+    local title="\e[1m${1:-Title}:\e[0m"
+    local prompt="${2:-Prompt for the user}"
+    # printf "%b %b" "$title" "$prompt"
+    echo -e "$title $prompt"
+}
+
+prompt_user() {
+    full_prompt_msg="$(title_msg "${1}" "${2}")"
+    echo -n -e "$MAGENTA_QUESTION $full_prompt_msg"
+    read -p " (y/n) " -r
+}
+
+update_prompt() {
+    local icon="$1"
+    case $# in
+        1) msg="$full_prompt_msg $REPLY";;
+        2) msg="$2";;
+        3) msg="$(title_msg "${2}" "${3}")";;
+        *) msg="Too many arguments";;
+    esac
+
+    reset_line
+    echo -e "$icon $msg"
+}
+
+reupdate_prompt() {
+    # echo -en "$UP_ONE_LINE"
+    echo -en "$UP_ONE_LINE"
+    update_prompt "$@"
+}
+
+icon_msg() {
+    local icon="$1"
+    echo -en "$icon "
+    title_msg "${@:2}"
+}
+
+success_msg() {
+    icon_msg "${GREEN_CHECK}" "$@"
+}
+
+warn_msg() {
+    icon_msg "${YELLOW_BANG}" "$@"
+}
+
+check_user_private_key() {
+    if [[ -e "$SSH_USER_KEY" ]]; then
+        success_msg "SSH User" "Private key: $SSH_USER_KEY"
+    else
+        prompt_user "SSH User" "Private key missing: ${SSH_USER_KEY}. Create?"
+        if [[ $REPLY =~ ^[Yy]$ ]]; then
+            reupdate_prompt $YELLOW_BANG "SSH User" "Creating private key"
+            ERROR_MSG=$(ssh-keygen -t ed25519 -f "$SSH_USER_KEY" -N "" 2>&1)
+            if [[ $? -eq 0 ]]; then
+                reupdate_prompt $GREEN_CHECK "SSH User" "Created private key: ${SSH_USER_KEY}"
+            else
+                reupdate_prompt $RED_X "SSH User" "Failed to create key: ${SSH_USER_KEY}"
+                echo -e "Error: $ERROR_MSG"
+            fi
+        elif [[ $REPLY =~ ^[Nn]$ ]]; then
+            reupdate_prompt $YELLOW_BANG "SSH User" "Continuing without private key"
+        fi
+    fi
+}
+
+check_user_cert() {
+    if [[ -e "$SSH_USER_CERT" ]]; then
+        success_msg "SSH User" "Certificate: $SSH_USER_CERT"
+    else
+        prompt_user "SSH User" "Cert missing. Renew cert?"
+        if [[ $REPLY =~ ^[Yy]$ ]]; then
+            if renew_user_cert; then
+                update_prompt $GREEN_CHECK "SSH User" "Renewed cert"
+            else
+                update_prompt $RED_X "SSH User" "Failed to renew cert"
+            fi
+        elif [[ $REPLY =~ ^[Nn]$ ]]; then
+            reupdate_prompt $RED_X "SSH User" "Declined to renew cert"
+        fi
+    fi
+}
+
+renew_user_cert() {
+    step ssh certificate --sign \
+        --principal root --principal john \
+        --provisioner admin \
+        john@john-pc-ubuntu ~/.ssh/id_ed25519.pub < /dev/tty
+}
+
+#
+# Run Process
+#
+
+check_user_private_key
+check_user_cert

scripts/ssh-server-check.sh

@@ -15,8 +15,13 @@ GREEN_CHECK="\e[32m✔\e[0m"
 RED_X="\e[31m✗\e[0m"
 YELLOW_BANG="\e[33m!\e[0m"
 
+CREATE_USER_CA=0
+CREATE_HOST_CERT=0
+NEEDS_RESTART=0
+
+
 #
-# Function Definition
+# Function Definitions
 #
 
 # This test loads the sshd config to see what values actually get parsed.
@@ -32,27 +37,31 @@ ssh_config_val() {
     echo $(sshd -T 2>/dev/null | grep -i "^$field " | head -1 | awk '{print $2}')
 }
 
-prompt_user() {
-    local title="\e[1m${1:-Title}\e[0m"
+title_msg() {
+    local title="\e[1m${1:-Title}:\e[0m"
     local prompt="${2:-Prompt for the user}"
-    local msg="$title: $prompt"
-
-    echo -n -e "$YELLOW_BANG  $msg"
-    read -p " (y/n) " -n 1 -r
-    echo
-
-    update_prompt() {
-        echo -en "\e[1A\r\e[K"
-        echo -e "$1  $msg  $REPLY"
-    }
-
-    if [[ $REPLY =~ ^[Yy]$ ]]; then
-        update_prompt $GREEN_CHECK
-    elif [[ $REPLY =~ ^[Nn]$ ]]; then
-        update_prompt $RED_X
-    fi
+    # printf "%b %b" "$title" "$prompt"
+    echo -e "$title $prompt"
 }
 
+prompt_user() {
+    full_prompt_msg="$(title_msg "${1}" "${2}")"
+    echo -n -e "$YELLOW_BANG $full_prompt_msg"
+    read -p " (y/n) " -n 1 -r
+}
+
+update_prompt() {
+    local icon="$1"
+    case $# in
+        1) msg="$full_prompt_msg $REPLY";;
+        2) msg="$2";;
+        3) msg="$(title_msg "${2}" "${3}")";;
+        *) msg="Too many arguments";;
+    esac
+
+    echo -en "\r\e[K"
+    echo -e "$icon $msg"
+}
 
 sign_host_cert() {
     local if="eth0"
@@ -67,7 +76,7 @@ sign_host_cert() {
 }
 
 
-check_ssh_files() {
+check_ssh_config_files() {
     row_success() {
         local key="$1"
         local path="$2"
@@ -112,22 +121,14 @@ check_ssh_files() {
 
     row_process "hostkey"
     row_process "hostcertificate"
+    case "$status" in
+        missing) CREATE_HOST_CERT=1;;
+    esac
     row_process "trustedusercakeys"
     case "$status" in
-        success) return ;;
-        missing)
-            # Do something if trustedusercakeys is missing
-            prompt_user "User CA" "Created the trusted keys file?"
-
-            # read -p "Create the trusted keys file? (y/n) " -n 1 -r
-            # echo
-            if [[ $REPLY =~ ^[Yy]$ ]]; then
-                (step ssh config --roots > "$path")
-                echo -e "$GREEN_CHECK  Created public key file for SSH user CA"
-            fi
-            ;;
-        unconfigured) return;;
+        missing) CREATE_USER_CA=1;;
     esac
+    echo
 }
 
 ssh_fingerprint() {
@@ -159,52 +160,71 @@ check_cert_config() {
 
     install_cert_config() {
         mkdir -p $(dirname $cfg_path)
-
         cat <<EOF > $cfg_path
 TrustedUserCAKeys $SSH_USER_CA
 HostKey $SSH_HOST_KEY
 HostCertificate $SSH_HOST_CERT
 EOF
-
-        echo -e "$GREEN_CHECK  Configured sshd to use and accept SSH certs."
     }
 
     if [[ ! -e $cfg_path ]]; then
-        prompt_user "sshd config" "Do you want to configure sshd?"
+        prompt_user "sshd" "Currently unconfigured for certs. Do you want to configure?"
         if [[ $REPLY =~ ^[Yy]$ ]]; then
             install_cert_config
-            restart_sshd
+            update_prompt $GREEN_CHECK "sshd" "Configured to use and accept certs"
+            NEEDS_RESTART=1
         fi
     fi
 }
 
 restart_sshd() {
-    if systemctl is-active --quiet sshd; then
+    if [[ $NEEDS_RESTART -eq 0 ]]; then return; fi
+    echo -en "$YELLOW_BANG Restarting sshd..."
+    systemctl restart sshd
+    if [[ $? -eq 0 ]]; then
         local sshd_pid=$(systemctl show --property MainPID --value sshd)
-        echo "Restarting sshd service..."
-        systemctl restart sshd
-        echo -e "$GREEN_CHECK  Restarted sshd service on PID: $sshd_pid"
+        update_prompt $GREEN_CHECK "sshd" "Restarted sshd.service on PID: $sshd_pid"
     else
-        echo -e "$YELLOW_BANG  Not running sshd service"
-        read -p "Do you want to start sshd? (y/n) " -n 1 -r
-        echo
+        update_prompt $RED_X "sshd" "Failed to restart sshd.service"
+        exit 1
+    fi
+    echo
+}
+
+create_files() {
+    if [[ $CREATE_HOST_CERT -eq 1 ]]; then
+        prompt_user "SSH Host" "Cert missing. Sign the ssh host cert?"
         if [[ $REPLY =~ ^[Yy]$ ]]; then
-            systemctl start sshd
-            echo -e "$GREEN_CHECK  Started sshd"
+            update_prompt $YELLOW_BANG "Signing ssh host cert"
+            sign_host_cert
+            NEEDS_RESTART=1
+        else
+            update_prompt $RED_X
+        fi
+    fi
+
+    if [[ $CREATE_USER_CA -eq 1 ]]; then
+        prompt_user "SSH Host" "Create the trusted keys file?"
+        if [[ $REPLY =~ ^[Yy]$ ]]; then
+            (step ssh config --roots > "$path")
+            update_prompt $GREEN_CHECK "SSH Host" "Created the trusted keys file for the SSH host."
+            NEEDS_RESTART=1
+        else
+            update_prompt $RED_X
         fi
     fi
 }
 
-#
+
 # Run Process
-#
 
-# check_cert_config "certs.conf"
-# check_ssh_files
+check_cert_config "certs.conf"
+check_ssh_config_files
+create_files
+restart_sshd
 
-# echo ""
-# echo "Host key fingerprint"
-# ssh_fingerprint hostkey
-
-
-prompt_user
+title_msg "SSH Host Cert" "$SSH_HOST_CERT"
+CERT_INFO=$(ssh-keygen -Lf "$SSH_HOST_CERT")
+echo -e "$CERT_INFO" | grep "Public key"
+echo -e "$CERT_INFO" | grep "Valid"
+echo -e "$CERT_INFO" | grep -A3 "Principals"