luzifer/cfg
1
0
Fork 0
Code Releases Activity
cfg/bin/vault-rotate-sshkey-passphrase
Knut Ahlers 4f19253c3f
add local scripts
2016-07-21 16:29:54 +02:00

35 lines
914 B
Bash
Executable file
Raw Blame History

#!/bin/bash -e
keyfile=$1
if [ -z "$keyfile" ] || [ ! -e "${keyfile}" ]; then
echo "Keyfile not provided or not found: '${keyfile}'"
exit 1
fi
KEYNAME=$(basename ${keyfile})
OLDPASS=$(vault read -field=passphrase "/secret/ssh-key/${KEYNAME}")
if [ $? -gt 0 ]; then
echo "Unable to retrieve old passphrase."
exit 1
fi
NEWPASS=$(password get -l 64)
if [ -z "$NEWPASS" ]; then
echo "Unable to generate a new passphrase"
exit 1
fi
vault write "/secret/ssh-key/${KEYNAME}" passphrase="${NEWPASS}"
if ! (ssh-keygen -p -P "${OLDPASS}" -N "${NEWPASS}" -f "${keyfile}"); then
echo "Key has not been changed successfully. Writing old secret back to vault."
echo "A backup of the new password has been written to 'tmp_passphrase' attribute."
vault write "/secret/ssh-key/${KEYNAME}" passphrase="${OLDPASS}" tmp_passphrase="${NEWPASS}"
exit 1
fi
echo "Everything was fine, key has been changed."
View git blame Copy permalink