Shell script to correct authorized key file permissions in large number of hosts
I have a large number of systems that I need to connect to (hosts.txt) and update the permissions of the authorized key file on, prior to pushing keys out to the systems.
I inherited the files that can push the keys, check sub-nets for hosts that respond on 22 with a set of usernames/passwords, and check if ssh can connect with our key. Most of these are written in expect.
I now need to take the list and push the permissions (0700 or 0600?) if needed to the hosts that responded in the sub-net scan, so we can push keys out to systems en masse.
I can figure out the do/while read hosts.txt part. The part I'm stuck with is programming the ssh to the target system (using sshpass or expect for password automation) and executing chmod 0700 on the ~/.ssh/authorized_key file.
I'd really like to see some return codes when failures happen (the old sysadmins sometimes make root the owner of the ~/.ssh directory, or even the ~ directory, for the standard user we are adjusting).
I can manually do ssh user@host. The user (and password) will stay the same; just the host changes according to the hosts.txt file we will be loading. I'm just trying to avoid doing this hundreds of times manually. Once this is done I'll be able to use pushkey.exp to automatically (do/while) update all the corrected systems.
Here is what I've got up to this point:
#!/bin/bash
# Permissions fix authorized_keys, using bash
#
# Usage: SSHPASS='remote password' ./manage_host.sh
#        (the password is read from the environment, not stored in the script)
# -----------------------------------------------------------------------------
file="/home/user1/bin/hosts.txt"
export REMOTE_USER="remoteuser"
export SSHPASS
# Commands run on the target. ssh exits with the status of the last one, so a
# failed chown/chmod (e.g. a root-owned ~/.ssh) comes back as a non-zero code.
# The directory gets 0700, the key file 0600.
export REMOTE_CMD='mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chown -R remoteuser:remoteuser ~/.ssh && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys'

while IFS= read -r host
do
    [ -n "$host" ] || continue
    # expect answers the host-key and password prompts, waits for ssh to
    # finish and hands the remote exit status back to this loop
    TARGET="$host" expect <<'EOF'
set timeout 30
spawn ssh "$env(REMOTE_USER)@$env(TARGET)" $env(REMOTE_CMD)
expect {
    "(yes/no"  { send "yes\r"; exp_continue }
    "assword:" { send "$env(SSHPASS)\r"; exp_continue }
    timeout    { exit 124 }
    eof        {}
}
catch wait result
exit [lindex $result 3]
EOF
    # store exit status of the remote chown/chmod (255 = ssh itself failed,
    # 124 = no prompt or no eof within the timeout)
    status=$?
    # Error checking: post failures on the manager server
    if [ $status -ne 0 ]; then
        echo "'$host' ownership/permissions of ~/.ssh could not be set (status $status)." >> results.txt
        continue
    fi
    # only hosts that were fixed get the key pushed and checked
    ./push_key.exp "remoteuser@$host"
    ./keycheck.sh "$host" >> response.txt
done < "$file"
shell-script expect sshpass
edited 2 days ago by Rui F Ribeiro
asked Feb 20 '17 at 1:37 by KevinJ
Does your local system support ssh-copy-id? It would make your script much simpler if it does. Then you just need to use expect to supply the password when requested, and capture the exit code to create a list of hosts where it fails.
– Warwick
Feb 20 '17 at 2:41
Don't reinvent the wheel! Use sshpass and a parallel SSH executor such as pssh or mussh. Search this site for examples.
– Gilles
Feb 21 '17 at 1:31
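Taking Gilles's sshpass suggestion together with the question's request for per-host return codes, here is an added example that is not code from the question or the comments. It assumes sshpass is installed on the manager, OpenSSH 7.6 or later on the manager (for StrictHostKeyChecking=accept-new), the remote password exported as SSHPASS, hosts.txt with one host per line, and a remote user that is allowed to chown its own ~/.ssh; the function names fix_ssh_perms, push_fix and status_text are invented for the example, and hosts.txt, results.txt and remoteuser are placeholders for the asker's own.

```shell
#!/bin/sh
# Added example, not code from the question or the comments: a remote-side
# payload (fix_ssh_perms) that repairs one user's ~/.ssh and returns a
# distinct exit status per failure mode, plus a driver (push_fix) that ships
# it to every host with sshpass and logs one "host status label" line each.
# Function names, hosts.txt, results.txt and remoteuser are placeholders.

# The payload is kept as a string so the identical text runs locally (eval
# below) and on each target (sent on the remote shell's stdin). It must
# therefore stay plain POSIX sh and contain no single quotes.
PAYLOAD='
# Octal mode and owner uid of a path; GNU stat first, then BSD stat
mode_of()  { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
owner_of() { stat -c %u "$1" 2>/dev/null || stat -f %u "$1"; }

# fix_ssh_perms HOME USER: make HOME/.ssh 0700 and its authorized_keys 0600,
# owned by USER. Returns 0 ok, 10 HOME missing, 11 HOME not owned by USER,
# 12 ~/.ssh owned by someone else and chown refused (needs root),
# 13 touch/chmod failed, 14 USER unknown on this host. Codes 10-14 are chosen
# so they cannot be confused with ssh (255) or sshpass (1-7) failures.
fix_ssh_perms() {
    fsp_home=$1 fsp_user=$2
    fsp_uid=$(id -u "$fsp_user" 2>/dev/null) || return 14
    [ -d "$fsp_home" ] || return 10
    # sshd StrictModes rejects keys under a HOME owned by someone else (the
    # root-owns-~ case); an unprivileged user cannot fix that, only report it
    [ "$(owner_of "$fsp_home")" = "$fsp_uid" ] || return 11
    fsp_dir=$fsp_home/.ssh
    fsp_keys=$fsp_dir/authorized_keys
    mkdir -p "$fsp_dir" 2>/dev/null || return 13
    if [ "$(owner_of "$fsp_dir")" != "$fsp_uid" ]; then
        chown -R "$fsp_uid" "$fsp_dir" 2>/dev/null || return 12
    fi
    [ -f "$fsp_keys" ] || : > "$fsp_keys" || return 13
    chmod 700 "$fsp_dir" && chmod 600 "$fsp_keys" || return 13
    # StrictModes also refuses a group- or world-writable HOME
    chmod go-w "$fsp_home" || return 13
    return 0
}
'
eval "$PAYLOAD"

# status_text CODE: label for a results line so the log reads without a table
status_text() {
    case $1 in
        0)   echo "ok" ;;
        5)   echo "sshpass: wrong password" ;;
        10)  echo "home directory missing" ;;
        11)  echo "home directory not owned by user" ;;
        12)  echo "~/.ssh owned by another user, needs root" ;;
        13)  echo "touch/chmod failed" ;;
        14)  echo "user unknown on host" ;;
        255) echo "ssh failed: unreachable, refused or host key mismatch" ;;
        *)   echo "unexpected status $1" ;;
    esac
}

# push_fix HOSTFILE USER [LOGFILE]: run fix_ssh_perms on every host listed in
# HOSTFILE (one per line, # comments allowed) as USER. The password comes
# from $SSHPASS via sshpass -e, so it is never on a command line or in this
# file. Appends "host status label" to LOGFILE (default results.txt).
push_fix() {
    pf_hosts=$1 pf_user=$2 pf_log=${3:-results.txt}
    while IFS= read -r pf_host; do
        case $pf_host in ''|'#'*) continue ;; esac
        # The payload goes down the pipe as the remote sh's stdin, so the host
        # list on the loop's own stdin is not consumed by ssh. accept-new
        # (OpenSSH 7.6+) takes a key on first contact but still rejects a
        # changed one. The pipeline status is sshpass/ssh's exit code.
        printf '%s\nfix_ssh_perms "$HOME" "%s"\n' "$PAYLOAD" "$pf_user" |
            sshpass -e ssh -o ConnectTimeout=10 \
                -o StrictHostKeyChecking=accept-new "$pf_user@$pf_host" sh -s
        pf_rc=$?
        printf '%s %s %s\n' "$pf_host" "$pf_rc" "$(status_text "$pf_rc")" >> "$pf_log"
    done < "$pf_hosts"
}

# Usage, after sourcing this file (. ./fix_ssh_perms.sh):
#   export SSHPASS='the remote password'
#   push_fix /home/user1/bin/hosts.txt remoteuser
# Hosts whose results.txt line does not end in "0 ok" are the ones to
# hand-fix before running push_key.exp against them.
```

The remote side never needs a copy of the script: the payload text travels on ssh's stdin with each connection, and the exit status it returns is what lands in results.txt next to the host name, so a root-owned ~/.ssh (12) or a root-owned home directory (11) is distinguishable from an unreachable host (255) or a wrong password (5) without reading ssh's output. accept-new is a trust-on-first-use choice, the same trust an expect script that answers "yes" to the host-key prompt gives; if the sub-net scan already recorded host keys, put them in known_hosts and use StrictHostKeyChecking=yes instead.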