@polynomialspace
Last active September 23, 2019 20:29
Script to fetch a server's SSH host public keys via scp and sign them with a local SSH CA; still tweaking things.
#!/bin/sh
#######################################
# Print the usage text for this script.
# Globals:   reads $0 for the program name
# Arguments: none
# Outputs:   usage summary and option list on stdout
# Returns:   0
#######################################
print_help() {
  cat <<EOF
A script to copy ssh host keys via SCP and sign them with a local SSH CA

Simple usage: ${0} -h <host>
The following options are accepted:
 -h: specify the host
 -H: override the hostname for SCP (default: same as -h)
 -s: override location of CA privkey (default: /etc/ssh/ca)
 -i: override identity of key to be signed (default: same as -h)
 -n: override principals of key to be signed (default: same as -h)
 -V: specify validity period of key to be signed (default: -1m:forever)

If specifying -H, -i, and -n, you needn't specify -h
EOF
}
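# Defaults. Every option-driven variable is initialised here so that a value
# inherited from the environment (HOST is exported on some systems) cannot
# silently decide which host the CA signs for; after this point every
# expansion is safe under `set -u`.
CAFILE="/etc/ssh/ca"
VALIDITY="-1m:forever"
HOST=""
SCPHOST=""
IDENTITY=""
PRINCIPALS=""
set -u

while getopts "h:H:s:i:n:V:" opt; do
  case "${opt}" in
    h) HOST="${OPTARG}" ;;
    H) SCPHOST="${OPTARG}" ;;
    s) CAFILE="${OPTARG}" ;;
    i) IDENTITY="${OPTARG}" ;;
    n) PRINCIPALS="${OPTARG}" ;;
    V) VALIDITY="${OPTARG}" ;;
    \?)
      # Unknown option or missing argument (getopts has already printed
      # its own diagnostic); a bad command line is a failure, not success.
      print_help
      exit 1
      ;;
  esac
done

# -h supplies the default for the other three; without -h all three
# must be given explicitly.
if [ -n "${HOST}" ]; then
  : "${SCPHOST:=${HOST}}"
  : "${IDENTITY:=${HOST}}"
  : "${PRINCIPALS:=${HOST}}"
elif [ -z "${SCPHOST}" ] || [ -z "${IDENTITY}" ] || [ -z "${PRINCIPALS}" ]; then
  print_help
  exit 1
fi

# Work in a fresh private directory (umask 77 keeps the fetched keys and the
# resulting certificates readable by this user only). The directory is
# deliberately left in place; its path is printed at the end. A failed cd is
# fatal so that the glob below can never pick up files from the caller's cwd.
umask 77
WORKDIR=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
cd "${WORKDIR}" || { echo "cannot cd to ${WORKDIR}" >&2; exit 1; }

# Fetch the remote host's public keys; the glob is expanded on the remote
# side. These keys are authenticated only by ssh's own host-key check of
# SCPHOST (known_hosts), so confirm the fingerprints out of band before
# trusting certificates issued for them.
scp "${SCPHOST}:/etc/ssh/*.pub" ./ || exit 1

# -h requests host certificates. The CA private key is normally root-owned,
# hence sudo. Only the fetched *.pub files are offered for signing.
sudo ssh-keygen -s "${CAFILE}" -h -I "${IDENTITY}" -n "${PRINCIPALS}" \
  -V "${VALIDITY}" ./*.pub || exit 1
echo "signed keys for ${HOST:-$IDENTITY} in ${WORKDIR}"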