# Copyright (c) 2020, 2022, Cody Opel <cwopel@chlorm.net>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
use github.com/chlorm/elvish-ssh/conf
use github.com/chlorm/elvish-stl/exec
use github.com/chlorm/elvish-stl/list
use github.com/chlorm/elvish-stl/os
use github.com/chlorm/elvish-stl/path
use github.com/chlorm/elvish-stl/platform
use github.com/chlorm/elvish-stl/time
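# Abort unless $type is one of the key types this module knows how to
# generate. The original discarded the result of the lookup (assigned it
# to `_`), so callers such as `new` were never actually protected; the
# check now fails loudly instead of being a no-op.
fn -valid-types {|type|
  var types = [
    'ecdsa'
    'ed25519'
    'rsa'
  ]
  if (not (list:has $types $type)) {
    fail 'Invalid key type: '$type
  }
}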
# Create the SSH configuration directory ($conf:DIR) when it is missing.
fn -ensure-conf-dir {
  var present = (os:is-dir $conf:DIR)
  if (not $present) {
    os:makedirs $conf:DIR
  }
}
# Refuse to continue when a regular file already exists at $f, so an
# existing key is never silently clobbered.
fn -prevent-overwrite {|f|
  var exists = (os:is-file $f)
  if $exists {
    fail 'Key already exists: '$f
  }
}
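# TODO: automate setting this with a truncated hash of the following:
# {date} {device serial} {passphrase or truncated hash of signingkey}
# serial: ykman list --serials
# Output the comment to embed in a new key.
# $security-key - when true, the generated name is prefixed with the date
# &comment - Descriptive name of key; returned unchanged when given
fn key-comment {|security-key &comment=$nil|
  if (not (eq $comment $nil)) {
    put $comment
    return
  }
  var name = (os:user)'@'(platform:hostname)
  if $security-key {
    # $comment is always $nil on this path (handled above), so the date
    # has to be combined with the generated name rather than the comment.
    var date = (time:date)
    set name = $date'-'$name
  }
  put $name
}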
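# Generate a new SSH key pair under $conf:DIR.
# https://man.openbsd.org/ssh-keygen.1
# &type - Do NOT change the default unless you know what you are doing.
# &passphrase - If not passed the user will be prompted for a passphrase.
#     This is intended for automated generation usually without
#     a passphrase (e.g. ''). Note that ssh-keygen receives it as a
#     command-line argument (-N), so it can be visible to other local
#     users while the process runs; prefer the interactive prompt for
#     keys that matter.
# &comment - Descriptive name of key
# &security-key - Hardware security key (e.g. Yubikey)
fn new {|&type='ed25519' &passphrase=$nil &comment=$nil &security-key=$false|
  -valid-types $type
  if (eq $comment $nil) {
    set comment = (key-comment &comment=$comment $false)
  }
  # ssh-keygen spells the FIDO variant '-sk'; the conventional file name
  # uses '_sk'.
  var type2 = $type
  if $security-key {
    set type = $type'-sk'
    set type2 = $type2'_sk'
  }
  var out = (path:join $conf:DIR 'id_'$type2'-'$comment)
  var cmdArgs = [
    '-t' $type
    '-C' $comment
    '-f' $out
  ]
  if (and (==s $type 'rsa') (not $security-key)) {
    set cmdArgs = [ $@cmdArgs '-b' '4096' ]
  }
  if $security-key {
    set cmdArgs = [
      $@cmdArgs
      '-w' 'internal'
      '-O' 'resident'
      '-O' 'application=ssh:'$comment
    ]
  }
  # The passphrase is appended last so that the copy printed to stderr can
  # carry a placeholder instead of the secret; previously the raw
  # passphrase was echoed and could end up in terminal scrollback or logs.
  var shownArgs = $cmdArgs
  if (not (eq $passphrase $nil)) {
    set cmdArgs = [ $@cmdArgs '-N' $passphrase ]
    set shownArgs = [ $@shownArgs '-N' '<redacted>' ]
  }
  -ensure-conf-dir
  -prevent-overwrite $out
  -prevent-overwrite $out'.pub'
  echo $@shownArgs >&2
  e:ssh-keygen $@cmdArgs
}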
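# Hash the host names in the known_hosts file under $conf:DIR and remove
# the plaintext backup ssh-keygen leaves behind.
fn update-known-hosts {
  var knownHosts = (path:join $conf:DIR 'known_hosts')
  # Without -f, ssh-keygen edits ~/.ssh/known_hosts, which is not
  # necessarily $conf:DIR; the backup removed below must belong to the
  # file that was actually rewritten.
  exec:cmd 'ssh-keygen' '-H' '-f' $knownHosts
  var backup = $knownHosts'.old'
  if (os:is-file $backup) {
    os:remove $backup
  }
}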