#!/usr/bin/env bash # # Author: Georg Voell - georg.voell@standby.cloud # Version: @(#)key-management 3.2.1 10.10.2024 (c)2024 Standby.cloud # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ # # This script can be used free of charge. Use it as is or customize as needed. It is not guaranteed to be # error free and you will not be reimbursed for any damage it may cause. # #@ Manage the ssh keys. #@ #@Usage: key-management [options] action [action-parameter] #@ Options: #@ -h, --help : Displays helptext. #@ -v, --version : Displays the version of the script. #@ -f, --force : Don't ask questions. #@ -u, --username : Name of user e.g. "name@org.com". #@ -p, --passphrase : Passphrase for key encryption. #@ Action: #@ list : List all local user with keys. #@ delete : Delete all the keys for user specified by username. #@ install : Install 'get-authkeys' software. Need to be root to proceed. #@ remove : Remove 'get-authkeys' software. Need to be root to proceed. #@ create [local] : Create private and public keypair for ssh and putty. If optional paramter "local" is given, don't use internet API. #@ change : Change old passphrase specified by option to new passphrase "newpass". #@ show : Display keys or fingerprint. Allowed values: "pub", "ssh", "api", "pk8", "ppk", 'fp' or vaultsecret ocid. #@ check : Display type of key. #@ import : Import a private key (and create all ather key formats) from file. #@ push : Copy keys to destination ("hostname" specified in ".ssh/config" with parameter "Host" e.g. "Linux7"). #@ add : Adding public key to $HOME/.ssh/authorized_keys file. #@ subtract : Delete public key from $HOME/.ssh/authorized_keys file. #@ Format: #@ pub | public : Display ssh public key (username required). #@ rsa | priv | ssh: Display ssh private key (username required). #@ api | pem : Display public key in PEM format (OCI API key - username required). #@ pk8 | pkcs8 : Display private key in PEM format (PKCS#8 - username required). #@ ppk | putty : Display putty private key (PPK V2 - username required). #@ pp3 : Display putty private key version 3 (PPK V3 - username required). #@ fp | fingerprint: Display fingerprint of private key (username required). #@ : Display vaultsecret. Specify a vaultsecret ocid e.g. ocid1.vaultsecret.oc1.. #@ #@Examples: #@ key-management create --username "opc" #@ Create keys for user "opc" #@ key-management list #@ Show all user (which have keys created with this tool) #@ key-management show api --username "opc" #@ Display OCI API public key in PEM format. #@ key-management show ssh --username "opc" #@ Display ssh private key. #@ key-management show fp --username "opc" #@ Display fingerprint for ssh private key (needed by OCI). # # Exit codes: # 01: Unknown or wrong parameter. # 02: No username specified. # 03: Error while creating / changing / deleting keys. # 04: Key (or user) does not exist. # 05: No second parameter given. # 06: Could not copy keys to destination. # 07: Could not read keyfile. # 08: Could not import keyfile. # 09: Passphrase needed. # 10: Could not install 'get-authkeys'. # 99: User interrupt. # # See also: # **install-scripts**(1) # # ToDo: # # Known bugs: # # Update history: # # V 3.0.0 11.06.2020 New version # V 3.0.1 22.06.2020 Only use print-table if tcsh is available (obsolete now - print-table was rewritten using bash) # V 3.0.2 25.06.2020 New function: Import private key from file # V 3.0.3 09.07.2020 New function: Install (get-authkeys) # V 3.0.4 11.07.2020 New function: Show secret key (vaultsecret) from oci vault # V 3.0.5 16.09.2020 Use new download URL: https://standby.cloud/download # V 3.0.6 28.09.2020 New action "add" # V 3.0.7 17.10.2020 Enter passphrase if it wa not given by import # V 3.0.8 17.01.2021 Invoking get-authkey rather then installing it # V 3.0.9 23.03.2021 New action "subtract" # V 3.0.10 16.12.2021 Small changes # V 3.1.0 05.06.2023 New copyright # V 3.1.1 28.08.2023 openssl V3.x is fips enabled # V 3.1.2 07.09.2023 Fix username with blanks and new parameter --force # V 3.1.3 15.11.2023 Convert Winows CR+LF to Linux LF # V 3.2.0 12.08.2024 New minor version # V 3.2.1 10.10.2024 Import unencrypted id_rsa without puttygen # # Find executable bash library and source it lib=`which lib.bash 2>/dev/null | sed 's|^no 'lib.bash' in .*||'` if [ "$lib" != "" ]; then source "$lib" else progdir=`dirname "$0"` if [ -r "${progdir}/lib.bash" ]; then source "${progdir}/lib.bash" else echo "Unexpected error: Unable to locate bash library 'lib.bash'." exit 1 fi fi # Set some deaults baseurl="https://standby.cloud/download" keygenurl="https://standby.cloud/ssh-keygen/keygen.pl" bits=4096 # 2048 is less secure sshstr=".ssh" authkeysstr="authorized_keys" configstr="config" keysstr="keys" infostr="info.txt" ppstr="passphrase.txt" keybasename="id_rsa" puttybasename="id_putty" apibasename="api_pub" sshdfolder="/etc/ssh" sshdconfig="${sshdfolder}/sshd_config" getauthkeys="get-authkeys" sshfolder="${REALHOME}/$sshstr" keysfolder="${sshfolder}/$keysstr" sshconfig="${sshfolder}/$configstr" ppfile="${keysfolder}/$ppstr" # Do extra cleanup function ExtraCleanup() { filecheck -rm ${scratchfile}.keys filecheck -rm ${scratchfile}.user filecheck -rm ${scratchfile}.fp } # Returns a URI string for passing to curl (or transfer) function UriEncode() { # Check if he have jq in path jq=`filecheck -x jq` # We can do translation only if we have jq in PATH if [ "$jq" != "" ]; then $jq -nr --arg v "$1" '$v|@uri' else echo "$1" fi } # Return the key type function KeyType() { local privkey=${1} # Preset local keytype="" local keysignature="" local result="" local encrypted="" # Possible results: # # UNKNOWN or INVALID # # RSA-PRIVATE-KEY NONE or RSA-PRIVATE-KEY CIPHER # PRIVATE-KEY NONE or PRIVATE-KEY CIPHER # OPENSSH-PRIVATE-KEY-Vx NONE or OPENSSH-PRIVATE-KEY-Vx CIPHER # PUTTY-PRIVATE-KEY-Vx NONE or PUTTY-PRIVATE-KEY-Vx CIPHER # # SSH-RSA-PUBLIC-KEY # SSH # RSA-PUBLIC-KEY # RSA # PUBLIC-KEY # API if [ -r "$privkey" ]; then # Get first non empty line and last non empty line from key and delete Windows CR keysignature=`grep . "$privkey" | head -n 1 | tr -d '\15\32'` result=`grep . "$privkey" | tail -n 1 | tr -d '\15\32'` case "$keysignature" in "-----BEGIN RSA PUBLIC KEY-----") if [ "$result" = "-----END RSA PUBLIC KEY-----" ]; then keytype="RSA-PUBLIC-KEY" else keytype="INVALID" fi ;; "-----BEGIN RSA PRIVATE KEY-----") if [ "$result" = "-----END RSA PRIVATE KEY-----" ]; then encrypted=`grep "ENCRYPTED" "$privkey"` if [ "$encrypted" != "" ]; then result=`grep "^DEK-Info: " "$privkey" | cut -d' ' -f2 | cut -d',' -f1` keytype="RSA-PRIVATE-KEY $result" else keytype="RSA-PRIVATE-KEY NONE" fi else keytype="INVALID" fi ;; "-----BEGIN OPENSSH PRIVATE KEY-----") if [ "$result" = "-----END OPENSSH PRIVATE KEY-----" ]; then # result=`ssh-keygen -y -P "" -f "$privkey" 2>/dev/null` result=`grep -v "^-----" "$privkey" | head -n 1 | base64 -d 2>/dev/null | sed 's|^openssh-key-||' \ | tr '[:lower:]' '[:upper:]' | tr '\n' ' ' | tr '\06' ' ' | tr '\04' ' '` encrypted=`echo "$result" | cut -d ' ' -f2` result=`echo $result | cut -d ' ' -f1` keytype="OPENSSH-PRIVATE-KEY-$result $encrypted" else keytype="INVALID" fi ;; "-----BEGIN PUBLIC KEY-----") if [ "$result" = "-----END PUBLIC KEY-----" ]; then keytype="PUBLIC-KEY" else keytype="INVALID" fi ;; "-----BEGIN PRIVATE KEY-----") if [ "$result" = "-----END PRIVATE KEY-----" ]; then keytype="PRIVATE-KEY NONE" else keytype="INVALID" fi ;; "-----BEGIN ENCRYPTED PRIVATE KEY-----") if [ "$result" = "-----END ENCRYPTED PRIVATE KEY-----" ]; then if [ "$openssl" != "" ]; then result=`$openssl asn1parse -inform PEM -offset 50 -in "$privkey" | head -n 1 | cut -d':' -f4 | toupper` else result="UNKNOWN" fi keytype="PRIVATE-KEY $result" else keytype="INVALID" fi ;; "PuTTY-User-Key-File-2: ssh-rsa" | "PuTTY-User-Key-File-3: ssh-rsa") encrypted=`grep '^Encryption: ' "$privkey" | cut -d ' ' -f2- | toupper` result=`echo "$result" | grep '^Private-MAC: ' | cut -d ' ' -f2-` if [ "$result" = "" ]; then keytype="INVALID" else result=`echo "$keysignature" | sed 's|^PuTTY-User-Key-File-|V|' | sed 's|: ssh-rsa$||'` keytype="PUTTY-PRIVATE-KEY-$result $encrypted" fi ;; *) if [ "$keysignature" = "$result" ]; then # Just one line in file result=`echo "$keysignature" | grep '^ssh-rsa '` if [ "$result" != "" ]; then # Line begins with ssh-rsa result=`echo "$keysignature" | cut -d' ' -f2` if [ "$result" != "" ]; then # We have a key behind ssh-rsa signature keytype="SSH-RSA-PUBLIC-KEY" else keytype="INVALID" fi fi else keytype="UNKNOWN" fi esac fi echo "$keytype" } # Get the fingerprint from public api key or private key function GetFingerprint() { local privkey=${1} local pp=${2} # Preset local fp="" local addparams="" local encrypted="" local result="" local stat=1 if [ -r "$privkey" -a "$openssl" != "" ]; then result=`KeyType "$privkey"` encrypted=`echo "$result" | cut -d ' ' -f2` result=`echo "$result" | cut -d ' ' -f1` if [ "$result" = "PUBLIC-KEY" ]; then $openssl pkey -pubin -in "$privkey" -pubout -outform DER -out ${scratchfile}.fp 2>/dev/null stat=$? else if [ "$encrypted" = "NONE" ]; then $openssl rsa -inform PEM -in "$privkey" -pubout -outform DER -out ${scratchfile}.fp 2>/dev/null stat=$? else if [ "$pp" != "" ]; then $openssl rsa -inform PEM -in "$privkey" -passin "pass:$pp" -pubout -outform DER -out ${scratchfile}.fp 2>/dev/null stat=$? fi fi fi if [ $stat -eq 0 ]; then if [ "$fipsenabled" = "true" ]; then addparams="-non-fips-allow" fi if [ -f "${scratchfile}.fp" ]; then fp=`cat "${scratchfile}.fp" | $openssl md5 -c $addparams 2>/dev/null | sed 's|(stdin)= ||g'` fi fi # Cleanup filecheck -rm ${scratchfile}.fp fi # Return result echo "$fp" } # Check if cipher is valid function CheckCipher() { local cipher=${1} # Preset if [ "$cipher" != "" ]; then # lowercase cipher string cipher=`echo "$cipher" | tolower | sed 's|-cbc$||' | sed 's|-ctr$||' | sed 's|des-ede3|des3|' | sed 's|-||'` fi case "$cipher" in des | des3) cipher="$cipher" ;; aes128 | aes192 | aes256) cipher="$cipher" ;; idea | seed) cipher="$cipher" ;; camellia128 | camellia192 | camellia256) cipher="$cipher" ;; *) # Default cipher="des3" esac echo "$cipher" } # Change private key passphrase function ChangeRSAPassphrase() { local useputty=${1} local privkey=${2} local oldpp=${3} local newpp=${4} local cipher=${5} # Preset local stat=1 local puttygen="" if [ "$useputty" != "" ]; then # lowercase useputty string useputty=`echo "$useputty" | tolower` fi if [ -r "$privkey" ]; then touch $scratchfile chmod 600 $scratchfile if [ "$useputty" = "true" ]; then puttygen=`filecheck -x puttygen` if [ "$puttygen" != "" ]; then echo "" > ${scratchfile}.empty if [ "$oldpp" != "" ]; then # Create decrypted key mv -f "$privkey" "${privkey}.enc" echo "$oldpp" > $scratchfile $puttygen "${privkey}.enc" -P --old-passphrase $scratchfile --new-passphrase ${scratchfile}.empty \ -O private-openssh -o "$privkey" 2>/dev/null stat=$? if [ $stat -gt 0 ]; then mv -f "${privkey}.enc" "$privkey" fi fi if [ "$newpp" != "" ]; then echo "$newpp" > $scratchfile $puttygen "$privkey" -P --old-passphrase $scratchfile --new-passphrase $scratchfile -O private-openssh \ -o "${privkey}.enc" 2>/dev/null stat=$? if [ $stat -eq 0 ]; then # Encrypt private key ChangeRSAPassphrase "false" "$privkey" "" "$newpp" "des3" stat=$? fi else filecheck -rm "${privkey}.enc" fi rm -f ${scratchfile}.empty fi else if [ "$openssl" != "" ]; then if [ "$newpp" = "" ]; then $openssl rsa -inform PEM -in "$privkey" -passin "pass:$oldpp" -outform PEM -out $scratchfile \ -passout "pass:$newpp" 2>/dev/null stat=$? else cipher=`CheckCipher "$cipher"` $openssl rsa -$cipher -inform PEM -in "$privkey" -passin "pass:$oldpp" -outform PEM -out $scratchfile \ -passout "pass:$newpp" 2>/dev/null stat=$? fi if [ $stat -eq 0 ]; then mv -f "$scratchfile" "$privkey" fi fi fi # Cleanup filecheck -rm $scratchfile fi return $stat } # Create putty private keys function CreatePrivatePuttyKeys() { local username=${1} local privkey=${2} local pp=${3} # Preset local stat=1 local result="" local puttygen=`filecheck -x puttygen` local puttyfile="${keysfolder}/${username}/$puttybasename" if [ "$puttygen" != "" ]; then # Take encrypted rsa private key if it exists if [ -r "${privkey}.enc" ]; then privkey="${privkey}.enc" fi if [ -r "$privkey" ]; then touch $scratchfile chmod 600 $scratchfile echo "$pp" > $scratchfile # Check version of puttygen result=`check-version "$puttygen" | cut -d' ' -f2` result=`compare-version "$result" "0.76"` if [ "$result" != "newer" ]; then $puttygen "$privkey" -P --old-passphrase $scratchfile --new-passphrase $scratchfile -C "$username" \ --ppk-param version=2 -O private -o "${puttyfile}.ppk" 2>/dev/null stat=$? if [ $stat -eq 0 ]; then $puttygen -q "$privkey" -P --old-passphrase $scratchfile --new-passphrase $scratchfile -C "$username" \ --ppk-param version=3 -O private -o "${puttyfile}.pp3" 2>/dev/null stat=$? fi else $puttygen -q "$privkey" -P --old-passphrase $scratchfile --new-passphrase $scratchfile -C "$username" \ -O private -o "${puttyfile}.ppk" 2>/dev/null stat=$? fi # Cleanup filecheck -rm $scratchfile fi fi return $stat } # Generate public key in PEM format function CreatePublicApiKey() { local privkey=${1} local pp=${2} # Preset local stat=1 local apifile="${keysfolder}/${username}/$apibasename" if [ -r "$privkey" -a "$openssl" != "" ]; then $openssl rsa -inform PEM -in "$privkey" -passin "pass:$pp" -pubout -outform PEM -out "${apifile}.pem" 2>/dev/null stat=$? fi return $stat } # Create private key with PKCS#8 format function CreatePrivatePkcs8Key() { local privkey=${1} local pp=${2} # Preset local stat=1 if [ -r "$privkey" -a "$openssl" != "" ]; then touch "${keyfile}.pk8" chmod 600 "${keyfile}.pk8" if [ "$pp" != "" ]; then $openssl pkcs8 -topk8 -v2 aes-256-cbc -inform PEM -in "$privkey" -passin "pass:$pp" -passout "pass:$pp" \ -outform PEM -out "${privkey}.pk8" 2>/dev/null stat=$? else $openssl pkcs8 -topk8 -inform PEM -in "$privkey" -outform PEM -nocrypt -out "${privkey}.pk8" 2>/dev/null stat=$? fi if [ $stat -gt 0 ]; then # Could not create key filecheck -rm "${privkey}.pk8" fi fi return $stat } # Create SSH-RSA public key from private key function CreateRSAPublicKey { local useputty=${1} local username=${2} local privkey=${3} local pp=${4} # Preset local stat=1 local keygen="" local result="" if [ "$useputty" != "" ]; then # lowercase useputty string useputty=`echo "$useputty" | tolower` fi if [ "$username" != "" -a "$privkey" != "" ]; then if [ "$useputty" = "true" ]; then keygen=`filecheck -x puttygen` if [ "$keygen" != "" ]; then touch $scratchfile chmod 600 $scratchfile echo "$pp" > $scratchfile $keygen -q "$privkey" -P --old-passphrase $scratchfile --new-passphrase $scratchfile -O public-openssh \ -C "$username" -o "${privkey}.pub" 2>/dev/null stat=$? rm -f $scratchfile fi else keygen=`filecheck -x ssh-keygen` if [ "$keygen" != "" ]; then result=`$keygen -y -f "$privkey" -P "$pp" 2>/dev/null` stat=$? if [ $stat -eq 0 ]; then echo "$result $username" > "${privkey}.pub" fi fi fi fi return $stat } # Create private and public RSA keys - If encrypted: AES-128-CBC (ssh-keygen) or DES-EDE3-CBC (puttygen) function CreateRSAKeys() { local useputty=${1} local username=${2} local privkey=${3} local pp=${4} # Preset local stat=1 local keygen="" if [ "$useputty" != "" ]; then # lowercase useputty string useputty=`echo "$useputty" | tolower` fi if [ "$username" != "" -a "$privkey" != "" ]; then if [ ! -r "$privkey" -a ! -r "${privkey}.pub" ]; then if [ "$useputty" = "true" ]; then keygen=`filecheck -x puttygen` if [ "$keygen" != "" ]; then # Create standard rsa private key with puttygen touch $scratchfile chmod 600 $scratchfile echo "" > $scratchfile $keygen -q -t rsa -b $bits -P --old-passphrase $scratchfile --new-passphrase $scratchfile -O private-openssh \ -C "$username" -o "$privkey" 2>/dev/null stat=$? if [ $stat -eq 0 ]; then # Create ssh-rsa public key CreateRSAPublicKey "false" "$username" "$privkey" "" stat=$? if [ $stat -eq 0 -a "$pp" != "" ]; then # Create encrypted RSA key with puttygen echo "$pp" > $scratchfile $keygen -q "$privkey" -P --old-passphrase $scratchfile --new-passphrase $scratchfile -O private-openssh \ -C "$username" -o "${privkey}.enc" 2>/dev/null stat=$? fi fi rm -f $scratchfile fi else # Create unencrypted keys with ssh-keygen keygen=`filecheck -x ssh-keygen` if [ "$keygen" != "" ]; then $keygen -q -t rsa -N "" -b $bits -C "$username" -m PEM -f "$privkey" 2>/dev/null # PEM not pem or PKCS8 stat=$? fi fi if [ $stat -eq 0 -a "$pp" != "" ]; then # Encrypt private key ChangeRSAPassphrase "false" "$privkey" "" "$pp" "des3" stat=$? fi fi fi return $stat } # Create an info file with all values function CreateInfoFile() { local user=${1} local fp=${2} local stat=0 if [ "$user" != "" ]; then infofile="${keysfolder}/${user}/$infostr" printf " Public Key file (ssh): '%s'\n\n" "${keybasename}.pub" > "$infofile" printf " Private Key file (ssh): '%s'\n" "$keybasename" >> "$infofile" printf " Private Key file (PKCS#8): '%s'\n" "${keybasename}.pk8" >> "$infofile" if [ -f "${keysfolder}/${user}/${puttybasename}.ppk" ]; then printf "\n Private Key file (putty): '%s' (older format v2)\n" "${puttybasename}.ppk" >> "$infofile" fi if [ -f "${keysfolder}/${user}/${puttybasename}.pp3" ]; then printf " Private Key file (putty): '%s' (newer format v3)\n" "${puttybasename}.pp3" >> "$infofile" fi printf "\n Public Key file (OCI-API): '%s'\n" "${apibasename}.pem" >> "$infofile" printf " Fingerprint: '%s'\n" "$fp" >> "$infofile" else stat=1 fi return $stat } # Create PK8, API and PPK keys function CreateSpecialKeys() { local useputty=${1} local username=${2} local privkey=${3} local pp=${4} local stat=0 local fp="" if [ "$useputty" != "" ]; then # lowercase useputty string useputty=`echo "$useputty" | tolower` fi if [ "$useputty" = "true" ]; then CreatePrivatePuttyKeys "$username" "$privkey" "$pp" stat=$? fi if [ $stat -eq 0 ]; then CreatePrivatePkcs8Key "$privkey" "$pp" stat=$? if [ $stat -eq 0 ]; then CreatePublicApiKey "$privkey" "$pp" stat=$? if [ $stat -eq 0 ]; then fp=`GetFingerprint "$privkey" "$pp"` CreateInfoFile "$username" "$fp" stat=$? fi fi fi if [ -f "${privkey}.enc" ]; then mv -f "${privkey}.enc" "$privkey" fi return $stat } # Write a new entrry to passphrase file function WriteToPassphraseFile() { local username=${1} local passphrase=${2} # Create passphrase file - if does not exists yet if [ ! -f "$ppfile" ]; then printf "username\tpassphrase\n" > "$ppfile" chmod 600 "$ppfile" fi # Write username and passphrase to ppfile printf "%s\t%s\n" "$username" "$passphrase" >> "$ppfile" } # Delete an entrry from passphrase file function DeleteFromPassphraseFile() { local username=${1} if [ -r "$ppfile" ]; then mv -f "$ppfile" $scratchfile grep -v "^$username " $scratchfile > "$ppfile" rm -f $scratchfile chmod 600 "$ppfile" fi } # Delete an entrry from passphrase file function GetFromPassphraseFile() { local username=${1} local pp="" if [ -r "$ppfile" ]; then pp=`grep "^$username " "$ppfile" | cut -d$'\t' -f2` fi echo "$pp" } # Change passphrase of any private key function ChangePassphrase() { local username=${1} local oldpp=${2} local newpp=${3} # Preset local stat=0 local encrypted="" local keytype="" local useputty="false" if [ "$username" = "" ]; then stat=2 else if [ -d "${keysfolder}/$username" ]; then keyfile="${keysfolder}/${username}/$keybasename" if [ -r "$keyfile" ]; then keytype=`KeyType "$keyfile"` encrypted=`echo "$keytype" | cut -d ' ' -f2` keytype=`echo "$keytype" | cut -d ' ' -f1 | cut -d '-' -f1-3` # Check if key is a private key if [ "$keytype" != "PUTTY-PRIVATE-KEY" -a "$keytype" != "OPENSSH-PRIVATE-KEY" -a "$keytype" != "RSA-PRIVATE-KEY" -a "$keytype" != "PRIVATE-KEY" ]; then stat=3 else # Check if we have a passphrase for encryption if [ "$encrypted" != "NONE" -a "$oldpp" = "" ]; then while [ "$oldpp" = "" ]; do printf "Enter the private key passphrase for keyfile '$keyfile': " read -s inp printf "\n" if [ "$inp" != "" ]; then oldpp="$inp" fi done fi # Change passphrase if [ "$keytype" = "PUTTY-PRIVATE-KEY" \ -o "$keytype" = "RSA-PRIVATE-KEY" -a "$encrypted" = "DES-EDE3-CBC" \ -o "$keytype" = "RSA-PRIVATE-KEY" -a "$encrypted" = "NONE" ]; then useputty="true" fi ChangeRSAPassphrase "$useputty" "$keyfile" "$oldpp" "$newpp" "des3" stat=$? if [ $stat -eq 0 ]; then CreateSpecialKeys "$useputty" "$username" "$keyfile" "$newpp" stat=$? fi fi else stat=7 fi else stat=8 fi fi return $stat } # Import any private key function ImportPrivateKey() { local privkey=${1} local username=${2} local passphrase=${3} # Preset local stat=0 local encrypted="" local keytype="" local useputty="false" if [ "$username" = "" ]; then stat=2 else if [ -r "$privkey" ]; then keytype=`KeyType "$privkey"` encrypted=`echo "$keytype" | cut -d ' ' -f2` keytype=`echo "$keytype" | cut -d ' ' -f1 | cut -d '-' -f1-3` # Check if key is a private key if [ "$keytype" != "PUTTY-PRIVATE-KEY" -a "$keytype" != "OPENSSH-PRIVATE-KEY" -a "$keytype" != "RSA-PRIVATE-KEY" -a "$keytype" != "PRIVATE-KEY" ]; then stat=3 else # Cleanup key - remove empty lines beginning of file or end of file iconv=`filecheck -x iconv` if [ "$iconv" != "" ]; then $iconv -c -f UTF-8 -t ASCII "$privkey" | grep -v '^$' | sed '/^DEK-Info:.*/G' > $scratchfile else cat "$privkey" | tr -d '\15\32' | grep -v '^$' | sed '/^DEK-Info:.*/G' > $scratchfile fi diff -q "$privkey" $scratchfile >/dev/null stat=$? if [ $stat -eq 0 ]; then filecheck -rm $scratchfile chmod 600 "$privkey" else errormsg 0 "Keyfile '$privkey' altered. Found 'UTF-8' chars or empty lines." mv -f $scratchfile "$privkey" chmod 600 "$privkey" stat=0 fi # Check if we have a passphrase for encryption if [ "$encrypted" != "NONE" -a "$passphrase" = "" ]; then while [ "$passphrase" = "" ]; do printf "Enter the private key passphrase for keyfile '$privkey': " read -s inp printf "\n" if [ "$inp" != "" ]; then passphrase="$inp" fi done fi if [ ! -d "${keysfolder}/$username" ]; then # User does not exist yet mkdir -m 0700 -p "${keysfolder}/$username" keyfile="${keysfolder}/${username}/$keybasename" # Cpy private key to destination cp -f "$privkey" "$keyfile" chmod 600 "$keyfile" # Change passphrase if [ "$keytype" = "PUTTY-PRIVATE-KEY" -o "$keytype" = "RSA-PRIVATE-KEY" -a "$encrypted" = "DES-EDE3-CBC" ]; then useputty="true" fi if [ "$encrypted" != "NONE" ]; then ChangeRSAPassphrase "$useputty" "$keyfile" "$passphrase" "$passphrase" "des3" stat=$? fi if [ $stat -eq 0 ]; then # Create public key CreateRSAPublicKey "false" "$username" "$keyfile" "$passphrase" stat=$? if [ $stat -eq 0 ]; then CreateSpecialKeys "$useputty" "$username" "$keyfile" "$passphrase" stat=$? if [ $stat -eq 0 ]; then WriteToPassphraseFile "$username" "$passphrase" printf "Keys imported in folder '${keysfolder}/$username'.\n" fi fi fi if [ $stat -gt 0 ]; then # Key import wasn't successful - delete user key folder rm -fR "${keysfolder}/$username" fi else stat=8 fi fi else stat=7 fi fi return $stat } # Get the fingerprint from infofile function GetFingerprintFromInfo() { local username=${1} fingerprint="" if [ "$username" != "" ]; then infofile="${keysfolder}/${username}/$infostr" if [ -r "$infofile" ]; then fingerprint=`grep "Fingerprint:" "$infofile" | cut -d':' -f2- | sed 's|^ *||' | tr -d "'"` fi fi echo "$fingerprint" } # Generate tab separated list with infos function WriteToKeylist() { local username=${1} # Preset local folder="${keysfolder}/${username}" local keyfile="${folder}/$keybasename" local pubfile="${folder}/$apibasename" local figerprint="" local pp="" if [ -d "$folder" -a -r "$keyfile" ]; then fingerprint="`GetFingerprintFromInfo "$username"`" if [ "$fingerprint" = "" ]; then # Try to get fingerprint from api public key if [ -r "${pubfile}.pem" ]; then fingerprint=`GetFingerprint "${pubfile}.pem"` else if [ -r "${keyfile}.pem" ]; then fingerprint=`GetFingerprint "${keyfile}.pem"` fi fi if [ "$fingerprint" = "" ]; then # That did not work so far - get fingerprint from private key pp=`GetFromPassphraseFile "$username"` if [ -r "${keyfile}.pk8" ]; then fingerprint=`GetFingerprint "${keyfile}.pk8" "$pp"` else fingerprint=`GetFingerprint "$keyfile" "$pp"` fi fi fi encrypted=`grep "ENCRYPTED" "$keyfile"` if [ "$encrypted" = "" ]; then havepassphrase="false" else havepassphrase="true" fi printf "%s\t%s\t%s\t%s\n" "$username" "$havepassphrase" "$fingerprint" "$keyfile" >> ${scratchfile}.keys fi } # Copy keys to another host function PushKeys() { local username=${1} local destination=${2} local action=${3} local errcode=0 if [ ! -r "$sshconfig" ]; then printf "No '$sshconfig' found. Exiting.\n" errcode=6 else result=`cat "$sshconfig" | grep "^Host $destination$"` if [ "$result" = "" ]; then printf "Please specify the destination 'hostname' specified in '$sshconfig' with parameter 'Host'. Exiting.\n" errcode=5 else if [ "$username" != "" ]; then if [ -d "${keysfolder}/$username" ]; then if [ "$action" = "push" ]; then # Copy user folder with keys to host scp -q -r "${keysfolder}/$username" "${destination}:/tmp" >/dev/null 2>&1 stat=$? else scp -q -r "${keysfolder}/${username}/${keybasename}.pub" "${destination}:/tmp/key.pub" >/dev/null 2>&1 stat=$? fi if [ $stat -eq 0 ]; then # Create move script echo 'if [ ! -d "$HOME/'$sshstr'" ]; then mkdir -m 0700 -p "$HOME/'$sshstr'"; fi' > $scratchfile echo 'if [ ! -d "$HOME/'$sshstr'/'$keysstr'" ]; then mkdir -m 0700 "$HOME/'$sshstr'/'$keysstr'"; fi' >> $scratchfile if [ "$action" = "push" ]; then echo 'if [ -d "$HOME/'$sshstr'/'$keysstr'/'$username'" ]; then' >> $scratchfile echo ' rm -fR "$HOME/'$sshstr'/'$keysstr'/'$username'"' >> $scratchfile echo 'fi' >> $scratchfile echo 'mv "/tmp/'$username'" "$HOME/'$sshstr'/'$keysstr'"' >> $scratchfile fi if [ "$action" = "add" ]; then echo 'pubkey="`cat "/tmp/key.pub"`"' >> $scratchfile echo 'result="`grep "$pubkey" "$HOME/'$sshstr'/'$authkeysstr'"`"' >> $scratchfile echo 'if [ "$result" = "" ]; then echo "$pubkey" >> "$HOME/'$sshstr'/'$authkeysstr'"; fi' >> $scratchfile echo 'rm -f /tmp/key.pub' >> $scratchfile fi if [ "$action" = "subtract" ]; then echo 'pubkey="`cat "/tmp/key.pub"`"' >> $scratchfile echo 'result="`grep "$pubkey" "$HOME/'$sshstr'/'$authkeysstr'"`"' >> $scratchfile echo 'if [ "$result" != "" ]; then' >> $scratchfile echo ' mv -f "$HOME/'$sshstr'/'$authkeysstr'" "$HOME/'$sshstr'/'$authkeysstr'.old"' >> $scratchfile echo ' cat "$HOME/'$sshstr'/'$authkeysstr'.old" | grep -v "$pubkey" > "$HOME/'$sshstr'/'$authkeysstr'"' >> $scratchfile echo ' chmod 600 "$HOME/'$sshstr'/'$authkeysstr'"' >> $scratchfile echo 'fi' >> $scratchfile echo 'rm -f /tmp/key.pub' >> $scratchfile fi echo "rm -f $scratchfile" >> $scratchfile scp -q "$scratchfile" "${destination}:$scratchfile" >/dev/null 2>&1 ssh "$destination" "cat $scratchfile | bash" >/dev/null 2>&1 stat=$? if [ $stat -eq 0 ]; then printf "Push keys (ssh) succeded. Action: '$action'.\n" else printf "Push keys (ssh) failed. Exiting.\n" errcode=6 fi else printf "Push keys (scp) failed. Exiting.\n" errcode=6 fi else printf "Keys do not exist in folder '${keysfolder}/$username'. Exiting.\n" errcode=4 fi else printf "Username not specified.\n" errcode=2 fi fi fi return $errcode } # Create keys if user folder doesn't exists function CreateKeys() { username=${1} passphrase=${2} errcode=0 if [ "$username" != "" ]; then if [ ! -d "${keysfolder}/$username" ]; then keyfile="${keysfolder}/${username}/$keybasename" myip=`get-ip ip` if [ "$myip" != "" -a "$param2" != "local" ]; then # We have internet access - get the keys from api uriusername=`UriEncode "$username"` if [ "$passphrase" != "" ]; then uripassphrase=`UriEncode "$passphrase"` myurl="${keygenurl}?username=${uriusername}&passphrase=${uripassphrase}" else myurl="${keygenurl}?username=${uriusername}" fi transfer --quiet "$myurl" --export "${keysfolder}/${username}.zip" stat=$? # If we got an error - remove zip file if it does exisits if [ $stat -ne 0 ]; then echo "transfer error" filecheck -rm "${keysfolder}/${username}.zip" fi # If we could download zip with keys - continue if [ -f "${keysfolder}/${username}.zip" ]; then unzip -q "${keysfolder}/${username}.zip" -d "$keysfolder" chmod 700 "${keysfolder}/$username" rm -f "${keysfolder}/${username}.zip" # Write username and passphrase to ppfile and create info file WriteToPassphraseFile "$username" "$passphrase" fingerprint=`GetFingerprintFromInfo "$username"` if [ "$fingerprint" = "" ]; then fingerprint=`GetFingerprint "${keyfile}.pk8" "$passphrase"` fi CreateInfoFile "$username" "$fingerprint" printf "Keys created in folder '${keysfolder}/$username'.\n" else printf "Keys could not be created.\n" errcode=3 fi else # No internet access - create the keys local # Create the user folder mkdir -m 0700 -p "${keysfolder}/$username" infofile="${keysfolder}/${username}/$infostr" # CreateRSAKeys "$keyfile" "$username" "$passphrase" CreateRSAKeys "$fipsenabled" "$username" "$keyfile" "$passphrase" errcode=$? if [ $errcode -eq 0 ]; then CreateSpecialKeys "true" "$username" "$keyfile" "$passphrase" errcode=$? if [ $errcode -eq 0 ]; then WriteToPassphraseFile "$username" "$passphrase" printf "Keys created local in folder '${keysfolder}/$username'.\n" fi fi if [ $errcode -gt 0 ]; then # Key creation wasn't successful - delete user key folder # rm -fR "${keysfolder}/$username" printf "Keys could not be created.\n" errcode=3 fi fi else printf "Keys exists in folder '${keysfolder}/$username'. Leaving keys unchanged.\n" errcode=3 fi else printf "Username not specified.\n" errcode=2 fi return $errcode } # Restart sshd function RestartSSHD(){ case "$OS" in Linux) version_main=`get-platform version_main` if [ $version_main -gt 6 ]; then systemctl restart sshd else /etc/init.d/sshd reload service sshd restart fi ;; SunOS) svcadm restart ssh ;; Darwin) launchctl stop com.openssh.sshd launchctl start com.openssh.sshd ;; esac } # Install GetAuthkeys function InstallGetAuthkeys() { local errcode=0 local owner="" ga=`filecheck -x $getauthkeys` if [ "$ga" = "/usr/local/bin/$getauthkeys" ]; then owner=`ls -ld $ga | cut -d' ' -f3` fi if [ -f "$sshdconfig" -a "$owner" = "root" ]; then found=`grep '^#AuthorizedKeysCommand none$' "$sshdconfig"` if [ "$found" != "" ]; then cp -f "$sshdconfig" "${sshdconfig}.org" chmod 600 "${sshdconfig}.org" cat "${sshdconfig}.org" | sed 's|^#AuthorizedKeysCommand none$|AuthorizedKeysCommand '${progdir}/$getauthkeys' "%u"|' \ | sed 's|^#AuthorizedKeysCommandUser nobody$|AuthorizedKeysCommandUser root|' \ | sed 's|^#PubkeyAuthentication yes$|PubkeyAuthentication yes|' > "$sshdconfig" chmod 600 "$sshdconfig" # transfer --quiet ${baseurl}/latest/$getauthkeys --export "${sshdfolder}/$getauthkeys" # if [ -f "${sshdfolder}/$getauthkeys" ]; then # chmod 700 "${sshdfolder}/$getauthkeys" # chown root:root "${sshdfolder}/$getauthkeys" # if [ ! -x "${sshdfolder}/$getauthkeys" ]; then # errcode=4 # fi # else # errcode=3 # fi if [ $errcode -gt 0 ]; then mv -f "${sshdconfig}.org" "$sshdconfig" else RestartSSHD fi else errcode=2 fi else errcode=1 fi return $errcode } function RemoveGetAuthkeys() { errcode=0 if [ -f "${sshdconfig}.org" ]; then mv -f "${sshdconfig}.org" "$sshdconfig" RestartSSHD else errcode=1 fi return $errcode } # Preset force=false param1="" param2="" username="" passphrase="" # Check parameters: Loop until all parameters are used up while [ $# -gt 0 ]; do pname=${1} case "$pname" in -u | --username) shift if [ "$1" != "" ]; then username=${1} shift else errstr="Please specify a username (e.g. 'name@org.com') after parameter '$pname'." fi ;; -p | --passphrase) shift if [ "$1" != "" ]; then passphrase=${1} shift else errstr="Please specify a passphrase (e.g. 'MySecret') after parameter '$pname'." fi ;; -v | --version) shift showversion=true ;; -h | --help) shift showhelp=true ;; -f | --force) shift force=true ;; *) shift paramck=`echo "$pname" | grep '^-'` # Keys don't begin with '-' if [ "$paramck" != "" ]; then errstr="Unknown option '$pname'." else if [ "$param1" = "" ]; then param1=`echo "$pname" | tolower` else if [ "$param2" = "" ]; then param2="$pname" else errstr="Unknown additional parameter: '$pname'." fi fi fi esac done # Plausibility check if [ "$passphrase" != "" ]; then pwlen=`echo -n "$passphrase" | wc -m` if [ $pwlen -lt 5 ]; then errstr="Passphrase has to have at least 5 chars." fi fi # Display help or error message DisplayHelp ### Main # Create ssh folder if it doesn't exists if [ ! -d "$sshfolder" ]; then mkdir -m 0700 -p "$sshfolder" chown ${REALUSER}:$REALGROUP "$sshfolder" fi # Create keys folder if it doesn't exists if [ ! -d "$keysfolder" ]; then mkdir -m 0700 "$keysfolder" chown ${REALUSER}:$REALGROUP "$keysfolder" fi # Create ssh config if it doesn't exists if [ ! -f "$sshconfig" ]; then printf "# Created by tool '$progstr'.\n\n" > "$sshconfig" printf "# Default settings\n" >> "$sshconfig" printf 'Host *\n' >> "$sshconfig" printf '\tForwardAgent no\n' >> "$sshconfig" printf '\tForwardX11 no\n' >> "$sshconfig" printf '\tForwardX11Trusted no\n' >> "$sshconfig" printf '\tPort 22\n' >> "$sshconfig" printf '\tProtocol 2\n' >> "$sshconfig" printf '\tServerAliveInterval 60\n' >> "$sshconfig" printf '\tServerAliveCountMax 30\n' >> "$sshconfig" printf '\tStrictHostKeyChecking no\n' >> "$sshconfig" printf '\tUserKnownHostsFile /dev/null\n' >> "$sshconfig" printf '\tLogLevel error\n' >> "$sshconfig" chmod 600 "$sshconfig" chown ${REALUSER}:$REALGROUP "$sshconfig" fi # Create a list with all existing users and check if user already exists stat=0 ls "$keysfolder" > ${scratchfile}.user haveuser=`filecheck -s ${scratchfile}.user` if [ "$haveuser" != "" -a "$username" != "" ]; then user="`grep "^$username$" ${scratchfile}.user`" else user="" fi # If we don't have an action specified - list all keys if [ "$param1" = "" ]; then param1="list" fi # Check for openssl version openssl=`filecheck -x openssl` if [ "$openssl" != "" ]; then osslvers=`$openssl version | head -n 1 | cut -d' ' -f2` osslmain=`echo "$osslvers" | cut -d'.' -f1` fi # Check if we are on a fips enabled platform result=`sysctl crypto.fips_enabled 2>/dev/null` if [ "$result" = "crypto.fips_enabled = 1" ]; then fipsenabled="true" else # echo "$osslvers" if [ "$osslmain" -eq 1 ]; then # echo "fipsdisabled" fipsenabled="false" else fipsenabled="true" fi fi case "$param1" in check) if [ "$param2" = "" ]; then exitcode=5 errormsg $exitcode "($progstr) No keyfile specified." else if [ -r "$param2" ]; then # Check keys result=`KeyType "$param2"` echo "$result" else exitcode=7 errormsg $exitcode "($progstr) Could not read keyfile '$param2'." fi fi ;; import) if [ "$username" = "" ]; then exitcode=2 errormsg $exitcode "($progstr) No username specified." else if [ "$param2" = "" ]; then exitcode=5 errormsg $exitcode "($progstr) No keyfile specified." else if [ -r "$param2" ]; then if [ "$username" = "$user" ]; then # Keys already exist for user if [ "$force" = true ]; then exitcode=0 else confirm "Keys for username '$username' already exist. Do you want to renew?" --yes "y/yes" --no "n/[no]" exitcode=$? fi if [ $exitcode -eq 0 ]; then rm -fR "${keysfolder}/$username" DeleteFromPassphraseFile "$username" else printf "Leaving keys unchanged.\n" fi fi # Import key if [ $exitcode -eq 0 ]; then ImportPrivateKey "$param2" "$username" "$passphrase" exitcode=$? if [ $exitcode -gt 0 ]; then errormsg $exitcode "($progstr) Could not import key: '$param2'." fi else exitcode=3 fi else exitcode=7 errormsg $exitcode "($progstr) Could not read keyfile '$param2'." fi fi fi ;; change) if [ "$username" = "" ]; then exitcode=2 errormsg $exitcode "($progstr) No username specified." else if [ "$username" = "$user" ]; then # Keys exist for user if [ "$param2" != "" ]; then pwlen=`echo -n "$param2" | wc -m` if [ $pwlen -lt 5 ]; then exitcode=1 errormsg $exitcode "($progstr) New passphrase has to have at least 5 chars. Leaving keys unchanged." fi fi if [ $exitcode -eq 0 ]; then ChangePassphrase "$username" "$passphrase" "$param2" exitcode=$? if [ $exitcode -eq 0 ]; then DeleteFromPassphraseFile "$username" WriteToPassphraseFile "$username" "$param2" printf "Passphrase in keys changed for user '$username'.\n" else exitcode=3 errormsg $exitcode "($progstr) Could not change passphrase. Leaving keys unchanged." fi fi else exitcode=4 errormsg $exitcode "($progstr) Keys do not exist for username '$username'." fi fi ;; delete) if [ "$username" = "" ]; then exitcode=2 errormsg $exitcode "($progstr) No username specified." else if [ "$username" = "$user" ]; then # Keys exist for user if [ "$force" = true ]; then exitcode=0 else confirm "Are you sure to delete all keys for username '$username'?" --yes "y/yes" --no "n/[no]" exitcode=$? fi if [ $exitcode -eq 0 ]; then rm -fR "${keysfolder}/$username" DeleteFromPassphraseFile "$username" else exitcode=3 printf "Leaving keys unchanged.\n" fi else exitcode=4 errormsg $exitcode "($progstr) Keys do not exist for username '$username'." fi fi ;; create) if [ "$username" = "" ]; then exitcode=2 errormsg $exitcode "($progstr) No username specified." else if [ "$username" = "$user" ]; then # Keys already exist for user if [ "$force" = true ]; then exitcode=0 else confirm "Keys for username '$username' already exist. Do you want to renew?" --yes "y/yes" --no "n/[no]" exitcode=$? fi if [ $exitcode -eq 0 ]; then rm -fR "${keysfolder}/$username" DeleteFromPassphraseFile "$username" else printf "Leaving keys unchanged.\n" fi fi if [ $exitcode -eq 0 ]; then CreateKeys "$username" "$passphrase" exitcode=$? else exitcode=3 fi fi ;; push | add | subtract) if [ "$username" = "" ]; then exitcode=2 errormsg $exitcode "($progstr) No username specified." else if [ "$username" = "$user" ]; then # Keys exist for user PushKeys "$username" "$param2" "$param1" exitcode=$? else exitcode=4 errormsg $exitcode "($progstr) Keys do not exist for username '$username'." fi fi ;; install) if [ "$USER" = "root" ]; then InstallGetAuthkeys stat=$? else stat=5 fi if [ $stat -gt 0 ]; then exitcode=10 errormsg $exitcode "($progstr) Could not install '$getauthkeys'." "Code: $stat" else printf "\nScript '$getauthkeys' installed in '$sshdconfig'.\n" fi ;; remove) if [ "$USER" = "root" ]; then RemoveGetAuthkeys stat=$? else stat=5 fi if [ $stat -gt 0 ]; then exitcode=10 errormsg $exitcode "($progstr) Could not remove '$getauthkeys'." "Code: $stat" else printf "\nScript '$getauthkeys' removed from '$sshdconfig'.\n" fi ;; list) if [ "$haveuser" != "" ]; then printf "username\tencrypted\tfingerprint\tprivate-key\n" > ${scratchfile}.keys if [ "$username" != "" ]; then if [ "$username" = "$user" ]; then WriteToKeylist "$username" else exitcode=4 errormsg $exitcode "($progstr) Keys do not exist for username '$username'." fi else # List all user while read -r username; do WriteToKeylist "$username" done < ${scratchfile}.user fi # Print result if [ $exitcode -eq 0 ]; then printf "\n" print-table --import ${scratchfile}.keys printf "\n" fi else printf "No keys created yet.\n" fi ;; show) if [ "$param2" != "" ]; then result=`echo "$param2" | grep '^ocid1.vaultsecret.'` else result="" fi if [ "$result" != "" ]; then # OCI vault secret was specified - get key from vault oci secrets secret-bundle get --secret-id "$param2" > $scratchfile result=`filecheck -sl $scratchfile` if [ "$result" != "" ]; then encoding=`cat $scratchfile | browse-json secretBundleContent/contentType --select 1 --quiet` if [ "$encoding" = "BASE64" ]; then printf "\n" cat $scratchfile | browse-json secretBundleContent/content --select 1 --quiet | base64 -d printf "\n" fi else exitcode=4 errormsg $exitcode "($progstr) Key does not exist for ocid '$param2'." fi filecheck -rm $scratchfile else if [ "$username" = "" ]; then exitcode=2 errormsg $exitcode "($progstr) No username specified." else if [ "$username" = "$user" ]; then if [ "$param2" != "" ]; then # Keys exist for user case "$param2" in rsa | priv | ssh) keyfile="${keysfolder}/${username}/$keybasename" if [ -r "$keyfile" ]; then printf "\n" cat "$keyfile" printf "\n" else exitcode=4 fi ;; api | pem) keyfile="${keysfolder}/${username}/${keybasename}.pem" if [ -r "$keyfile" ]; then printf "\n" cat "$keyfile" printf "\n" else keyfile="${keysfolder}/${username}/${apibasename}.pem" if [ -r "$keyfile" ]; then printf "\n" cat "$keyfile" printf "\n" else exitcode=4 fi fi ;; pub | public) keyfile="${keysfolder}/${username}/${keybasename}.pub" if [ -r "$keyfile" ]; then printf "\n" cat "$keyfile" printf "\n" else exitcode=4 fi ;; pk8 | pkcs8) keyfile="${keysfolder}/${username}/${keybasename}.pk8" if [ -r "$keyfile" ]; then printf "\n" cat "$keyfile" printf "\n" else exitcode=4 fi ;; ppk | putty) keyfile="${keysfolder}/${username}/${keybasename}.ppk" if [ -r "$keyfile" ]; then printf "\n" cat "$keyfile" printf "\n" else keyfile="${keysfolder}/${username}/${puttybasename}.ppk" if [ -r "$keyfile" ]; then printf "\n" cat "$keyfile" printf "\n" else exitcode=4 fi fi ;; pp3) keyfile="${keysfolder}/${username}/${puttybasename}.pp3" if [ -r "$keyfile" ]; then printf "\n" cat "$keyfile" printf "\n" else exitcode=4 fi ;; fp | fingerprint) fingerprint="`GetFingerprintFromInfo "$username"`" if [ "$fingerprint" != "" ]; then echo "$fingerprint" else keyfile="${keysfolder}/${username}/${keybasename}.pk8" if [ ! -r "$keyfile" ]; then keyfile="${keysfolder}/${username}/$keybasename" fi if [ -r "$keyfile" ]; then encrypted=`grep "ENCRYPTED" "$keyfile"` if [ "$encrypted" != "" ]; then mypassphrase="`GetFromPassphraseFile "$username"`" if [ "$mypassphrase" = "" ]; then mypassphrase="$passphrase" fi fingerprint=`GetFingerprint "$keyfile" "$mypassphrase"` else fingerprint=`GetFingerprint "$keyfile" ""` fi if [ "$fingerprint" != "" ]; then printf '\n%s\n\n' "$fingerprint" else exitcode=4 fi else exitcode=4 fi fi ;; *) exitcode=1 errormsg $exitcode "($progstr) Unknown format '$param2'." esac else exitcode=5 errormsg $exitcode "($progstr) No format specified." fi else exitcode=4 errormsg $exitcode "($progstr) Keys do not exist for username '$username'." fi fi fi ;; *) errormsg 1 "($progstr) Unknown action '$param1'." esac # Cleanup and exit Cleanup exit $exitcode