cfg/bin/vault-rotate-sshkey-passphrase

#!/bin/bash
set -euo pipefail

source "${HOME}/bin/script_framework.sh"

keyname=${1:-}

[ -z "${keyname}" ] && fail "Key name not provided"

if [ ! -e "/tmp/${keyname}" ]; then
	vault read -field=private "/secret/ssh-key/${keyname}" >"/tmp/${keyname}"
	chmod 0600 \
		"/tmp/${keyname}"
fi

function cleanup() {
	rm -f \
		"/tmp/${keyname}"
}
trap cleanup EXIT

OLDPASS=$(vault read -field=passphrase "/secret/ssh-key/${keyname}") || fail "Unable to retrieve old passphrase"
NEWPASS=$(password get -l 64) || fail "Unable to generate a new passphrase"

[ -z "${NEWPASS}" ] && fail "Unable to generate a new passphrase"

ssh-keygen -p -P "${OLDPASS}" -N "${NEWPASS}" -f "/tmp/${keyname}" || fail "Was not able to modify key with new passphrase"
vault-patch --log-level=warn "/secret/ssh-key/${keyname}" \
	passphrase="${NEWPASS}" \
	private=@/tmp/${keyname} \
	passphrase_changed=$(date +%Y-%m-%dT%H:%M:%S%z)

echo "Everything was fine, key has been changed."
Adjust to work only with vault hosted keys Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-10-29 11:11:18 +00:00			`#!/bin/bash`
			`set -euo pipefail`
add local scripts 2016-07-21 13:48:49 +00:00
Adjust to work only with vault hosted keys Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-10-29 11:11:18 +00:00			`source "${HOME}/bin/script_framework.sh"`
add local scripts 2016-07-21 13:48:49 +00:00
Adjust to work only with vault hosted keys Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-10-29 11:11:18 +00:00			`keyname=${1:-}`
add local scripts 2016-07-21 13:48:49 +00:00
Adjust to work only with vault hosted keys Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-10-29 11:11:18 +00:00			`[ -z "${keyname}" ] && fail "Key name not provided"`
add local scripts 2016-07-21 13:48:49 +00:00
Adjust to work only with vault hosted keys Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-10-29 11:11:18 +00:00			`if [ ! -e "/tmp/${keyname}" ]; then`
			`vault read -field=private "/secret/ssh-key/${keyname}" >"/tmp/${keyname}"`
			`chmod 0600 \`
			`"/tmp/${keyname}"`
add local scripts 2016-07-21 13:48:49 +00:00			`fi`

Adjust to work only with vault hosted keys Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-10-29 11:11:18 +00:00			`function cleanup() {`
			`rm -f \`
			`"/tmp/${keyname}"`
			`}`
			`trap cleanup EXIT`
add local scripts 2016-07-21 13:48:49 +00:00
Adjust to work only with vault hosted keys Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-10-29 11:11:18 +00:00			`OLDPASS=$(vault read -field=passphrase "/secret/ssh-key/${keyname}") \|\| fail "Unable to retrieve old passphrase"`
			`NEWPASS=$(password get -l 64) \|\| fail "Unable to generate a new passphrase"`
add local scripts 2016-07-21 13:48:49 +00:00
Adjust to work only with vault hosted keys Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-10-29 11:11:18 +00:00			`[ -z "${NEWPASS}" ] && fail "Unable to generate a new passphrase"`
add local scripts 2016-07-21 13:48:49 +00:00
Adjust to work only with vault hosted keys Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-10-29 11:11:18 +00:00			`ssh-keygen -p -P "${OLDPASS}" -N "${NEWPASS}" -f "/tmp/${keyname}" \|\| fail "Was not able to modify key with new passphrase"`
			`vault-patch --log-level=warn "/secret/ssh-key/${keyname}" \`
			`passphrase="${NEWPASS}" \`
			`private=@/tmp/${keyname} \`
			`passphrase_changed=$(date +%Y-%m-%dT%H:%M:%S%z)`
add local scripts 2016-07-21 13:48:49 +00:00
			`echo "Everything was fine, key has been changed."`