vault-sshadd script to unlock SSH keys using Vault-stored passphrases #blog
#!/bin/bash
# ANSI colour escapes used by the error/success/info helpers. They are kept as
# literal backslash sequences and expanded only when printed.
COLOR_RED='\033[0;31m'
COLOR_GREEN='\033[0;32m'
COLOR_CYAN='\033[0;36m'
COLOR_PLAIN='\033[0m'
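#######################################
# Print an error message in red to stderr.
# Globals:   COLOR_RED, COLOR_PLAIN (read)
# Arguments: message words, joined by single spaces
# Outputs:   coloured message on stderr
#######################################
error() {
  # %b expands the colour escapes; %s keeps the message literal so key names
  # containing backslash sequences are printed as given instead of being
  # interpreted the way `echo -e` would.
  printf '%b%s%b\n' "${COLOR_RED}" "$*" "${COLOR_PLAIN}" >&2
}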
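#######################################
# Print a success message in green to stdout.
# Globals:   COLOR_GREEN, COLOR_PLAIN (read)
# Arguments: message words, joined by single spaces
# Outputs:   coloured message on stdout
#######################################
success() {
  # %b expands the colour escapes; %s keeps the message literal so key names
  # containing backslash sequences are not mangled.
  printf '%b%s%b\n' "${COLOR_GREEN}" "$*" "${COLOR_PLAIN}"
}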
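#######################################
# Print an informational message in cyan to stdout.
# Globals:   COLOR_CYAN, COLOR_PLAIN (read)
# Arguments: message words, joined by single spaces
# Outputs:   coloured message on stdout
#######################################
info() {
  # %b expands the colour escapes; %s keeps the message literal so key names
  # containing backslash sequences are not mangled.
  printf '%b%s%b\n' "${COLOR_CYAN}" "$*" "${COLOR_PLAIN}"
}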
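# Both external tools this script depends on must be present: vault fetches
# the passphrase and expect feeds it to ssh-add. `command -v` is the portable
# check; `which` is not a builtin and its exit status is not reliable everywhere.
for required_tool in vault expect; do
  if ! command -v "${required_tool}" >/dev/null 2>&1; then
    error "${required_tool} is required."
    exit 2
  fi
done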
# At least one key name or key path must be given on the command line.
if (( $# == 0 )); then
  error "You need to specify a key name."
  exit 2
fi
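# Unlock each requested key in turn; a failure on one key does not stop the
# others. "$@" keeps arguments containing spaces intact.
for KEY_NAME in "$@"; do
  KEYNAME_IN=${KEY_NAME}
  # Accept either a path to the key file or a bare file name under ~/.ssh.
  if ! [ -e "${KEY_NAME}" ]; then
    if [ -e "${HOME}/.ssh/${KEY_NAME}" ]; then
      KEY_NAME="${HOME}/.ssh/${KEY_NAME}"
    else
      error "[${KEYNAME_IN}] Could not find key file."
      continue
    fi
  fi
  # Skip keys the agent already holds. `ssh-add -l` prints each key's comment,
  # which for file-loaded keys is normally the path; -F stops the path from
  # being interpreted as a regex and -- protects a leading dash.
  if ssh-add -l | grep -qF -- "${KEY_NAME}"; then
    info "[${KEYNAME_IN}] Key already present."
    continue
  fi
  # Retrieve the passphrase from Vault, keyed by the key file's basename.
  # The result must not be stored in PWD: that is the shell's working-directory
  # variable and assigning to it was a latent bug in the original.
  if ! passphrase=$(vault read -field=passphrase "/secret/ssh-key/${KEY_NAME##*/}"); then
    error "[${KEYNAME_IN}] Unable to get password. Not trying to unlock."
    continue
  fi
  # Feed the passphrase to ssh-add via expect. The heredoc delimiter is quoted
  # so the shell expands nothing inside it; the key path and passphrase reach
  # the Tcl script through the environment instead of being spliced into its
  # source, so a passphrase containing quotes, brackets, dollars or backslashes
  # can neither break the script nor be interpreted as Tcl.
  SSHADD_KEY_PATH="${KEY_NAME}" SSHADD_PASSPHRASE="${passphrase}" expect <<'EOF' >/dev/null
spawn ssh-add $env(SSHADD_KEY_PATH)
expect "Enter passphrase"
send -- "$env(SSHADD_PASSPHRASE)\n"
expect eof
EOF
  # Confirm success by asking the agent rather than trusting expect's status.
  if ssh-add -l | grep -qF -- "${KEY_NAME}"; then
    success "[${KEYNAME_IN}] Key successfully added."
  else
    error "[${KEYNAME_IN}] Found passphrase but could not add key."
  fi
done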