khirbat/secretive.sh

## secretive.sh
#!/bin/bash

# Sign OpenSSH host key on remote host using Secretive
function secretive-sign-host-key () (  : [user@]hostname
    set -xu

    if [[ $# != 1 ]]; then
        echo "Usage:  ${FUNCNAME[0]} [user@]host"
        exit 1
    fi

    export SSH_AUTH_SOCK="$HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh"

    KEYS="$(ssh-add -l || true)"
    if [[ -z "$KEYS" ]]; then
            echo "Error: Secretive not installed or Secretive does not have any keys. Run 'brew install Secretive', 'open -a Secretive' and create a key"
            exit 1
    elif [[ ! -f "$HOME/.ssh/ca.pub" ]]; then
            echo "Error: pick one of these keys as the CA signing key and copy it to ~/.ssh/ca.pub"
            echo "$KEYS"
            exit 1
    fi

    SSH_OPTS=(
        -o StrictHostKeyChecking=no
        -o UserKnownHostsFile=/dev/null
        -o ControlMaster=no
        -o ControlPath=none
        -o ControlPersist=no
    )

    userhost=$1
    host=${userhost#*@}

    # configure remote host
    scp "${SSH_OPTS[@]}" ~/.ssh/ca.pub "$userhost:/tmp"
    ssh "${SSH_OPTS[@]}" -a -t "$userhost"  '
        set -ex
        C=/tmp/50-host-cert.conf
        umask 0077
        echo "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub" > $C
        sudo cp $C /etc/ssh/sshd_config.d
        sudo pkill -HUP sshd
    '
    echo EXIT STATUS: $?

    # sign host key using agent forwarding
    # https://manpages.debian.org/bookworm/openssh-client/ssh-keygen.1.en.html#U
    ssh "${SSH_OPTS[@]}" -A -t "$userhost" "
        sudo -sHE ssh-keygen -Us /tmp/ca.pub -I ${host}_ed25519 -n $host -V -1d:+365d -h /etc/ssh/ssh_host_ed25519_key.pub
        pkill -HUP sshd
    "

    # clear out stale ~/.ssh/known_hosts entries
    ssh-keygen -R "$host"

    # print remote host certificate, to check principals, dates etc
    ssh-keyscan -qc "$host" | ssh-keygen -Lf -
)
	#!/bin/bash

	# Sign OpenSSH host key on remote host using Secretive
	function secretive-sign-host-key () ( : [user@]hostname
	set -xu

	if [[ $# != 1 ]]; then
	echo "Usage: ${FUNCNAME[0]} [user@]host"
	exit 1
	fi

	export SSH_AUTH_SOCK="$HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh"

	KEYS="$(ssh-add -l \|\| true)"
	if [[ -z "$KEYS" ]]; then
	echo "Error: Secretive not installed or Secretive does not have any keys. Run 'brew install Secretive', 'open -a Secretive' and create a key"
	exit 1
	elif [[ ! -f "$HOME/.ssh/ca.pub" ]]; then
	echo "Error: pick one of these keys as the CA signing key and copy it to ~/.ssh/ca.pub"
	echo "$KEYS"
	exit 1
	fi

	SSH_OPTS=(
	-o StrictHostKeyChecking=no
	-o UserKnownHostsFile=/dev/null
	-o ControlMaster=no
	-o ControlPath=none
	-o ControlPersist=no
	)

	userhost=$1
	host=${userhost#*@}

	# configure remote host
	scp "${SSH_OPTS[@]}" ~/.ssh/ca.pub "$userhost:/tmp"
	ssh "${SSH_OPTS[@]}" -a -t "$userhost" '
	set -ex
	C=/tmp/50-host-cert.conf
	umask 0077
	echo "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub" > $C
	sudo cp $C /etc/ssh/sshd_config.d
	sudo pkill -HUP sshd
	'
	echo EXIT STATUS: $?

	# sign host key using agent forwarding
	# https://manpages.debian.org/bookworm/openssh-client/ssh-keygen.1.en.html#U
	ssh "${SSH_OPTS[@]}" -A -t "$userhost" "
	sudo -sHE ssh-keygen -Us /tmp/ca.pub -I ${host}_ed25519 -n $host -V -1d:+365d -h /etc/ssh/ssh_host_ed25519_key.pub
	pkill -HUP sshd
	"

	# clear out stale ~/.ssh/known_hosts entries
	ssh-keygen -R "$host"

	# print remote host certificate, to check principals, dates etc
	ssh-keyscan -qc "$host" \| ssh-keygen -Lf -
	)
No results found