Adds SSH key rotation action
authorSilvio Rhatto <rhatto@riseup.net>
Thu, 30 Mar 2017 01:18:07 +0000 (22:18 -0300)
committerSilvio Rhatto <rhatto@riseup.net>
Thu, 30 Mar 2017 01:18:07 +0000 (22:18 -0300)
README.md
kvmx
kvmx-create
kvmx-keygen [new file with mode: 0755]

index 7085aa0ac1d23bae897a1508490a0388f861756c..5410818058d959eecfe1d3031ff8ea783a254fb3 100644 (file)
--- a/README.md
+++ b/README.md
@@ -46,7 +46,6 @@ If no folder is specified, the current folder is assumed as the project home.
 
 ## Further development
 
-* Command to rotate SSH client keys.
 * Remount shared folders and reinitialize spice-vdagent upon resume from disk.
 * More params (memory, cpus, ssh, serial console, additional shared folders, etc).
 * Integration with [image-bootstrap](https://github.com/hartwork/image-bootstrap).
diff --git a/kvmx b/kvmx
index 2d78897e726cda1084f31ca29adb62813941362c..0402053b7cd0fe97c9d44ccc9a96097d38ff0cd6 100755 (executable)
--- a/kvmx
+++ b/kvmx
@@ -671,6 +671,22 @@ function kvmx_log {
   tail -F $logs
 }
 
+# Rotate SSH keys
+function kvmx_rotate_sshkeys {
+  # Generate new keypair
+  SSHKEY="$STORAGE/$VM.key"
+  $DIRNAME/kvmx-keygen $SSHKEY.new "$user@`basename $image .img`"
+
+  # Replace pubkey on server
+  echo "touch ~/.ssh/authorized_keys.new && chmod 600 ~/.ssh/authorized_keys.new" | kvmx_ssh
+  cat $SSHKEY.new.pub | kvmx_ssh "tee ~/.ssh/authorized_keys.new &> /dev/null"
+  echo "mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys" | kvmx_ssh
+
+  # Replace keypair locally
+  mv $SSHKEY.new     $SSHKEY
+  mv $SSHKEY.new.pub $SSHKEY.pub
+}
+
 # Dispatch
 if type kvmx_$ACTION 2> /dev/null | grep -q 'function'; then
   __kvmx_initialize
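Review bot: kvmx_rotate_sshkeys replaces the local keypair on lines 43–44 regardless of whether the three kvmx_ssh steps before it succeeded, so a failed remote install (connection error, full disk, refused mv) leaves the local side holding a key the guest will not accept and the user locked out. Each remote step should gate the next and the local mv should run only after the remote mv returned 0, e.g. `echo "mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys" | kvmx_ssh || return 1`; a login test with `$SSHKEY.new` between installing and pruning would be stronger still, though how kvmx_ssh selects its key is not visible in this hunk. Note also that `tee ~/.ssh/authorized_keys.new` writes the file from scratch, so any other authorized keys on the guest are dropped by a rotation — acceptable if kvmx owns that file, but worth a comment such as `# NOTE: replaces the whole authorized_keys; only the kvmx key survives a rotation`. The `&> /dev/null` inside the remote command string is a bashism that depends on the guest's login shell; `> /dev/null 2>&1` is portable. `$SSHKEY` is unquoted throughout the function; quote it (`"$SSHKEY.new"`, `"$SSHKEY.new.pub"`) so a storage path with whitespace does not split.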
index 7f9270de53d782369682296300a08c029dbc9864..204f2e0fd70acfaea26c5142e3a12730ebb8f5d8 100755 (executable)
@@ -248,7 +248,7 @@ function kvmx_create_custom {
     if [ "$ssh_custom" == "y" ]; then
       privkey="`dirname $image`/`basename $image .img`.key"
       pubkey="${privkey}.pub"
-      ssh-keygen -t rsa -b 4096 -f $privkey -N '' -C "user@`basename $image .img`"
+      $DIRNAME/kvmx-keygen $privkey "$user@`basename $image .img`"
     else
       pubkey="$DIRNAME/share/ssh/insecure_private_key.pub"
     fi
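Review bot: The key comment on line 56 now interpolates `$user`, which nothing in this hunk sets, whereas the removed line used the literal `user`; if `$user` is unset at this point in kvmx_create_custom (the function starts and ends outside the hunk) the comment degrades to `@<image>`, so confirm it is assigned earlier or keep the old behaviour with `"${user:-user}@`basename $image .img`"`. `$privkey` is still passed unquoted and is built from `dirname $image`, so an image path containing whitespace splits the argument; `"$privkey"` fixes it.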
diff --git a/kvmx-keygen b/kvmx-keygen
new file mode 100755 (executable)
index 0000000..3784e52
--- /dev/null
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+#
+# kvmx-keygen -- ssh-keygen wrapper for kvmx
+#
+# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published
+# by the Free Software Foundation, either version 3 of the License,
+# or any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Parameters
+BASENAME="`basename $0`"
+PRIVKEY="$1"
+COMMENT="$2"
+
+# Generate a keypair
+ssh-keygen -t rsa -b 4096 -f $PRIVKEY -N '' -C $COMMENT
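Review bot: The script runs ssh-keygen with no argument validation: an empty `$1` hands `-f` an empty path, and because `$COMMENT` is expanded unquoted on line 91 an empty second argument vanishes entirely, leaving `-C` without an operand so ssh-keygen fails with an option error rather than a usable message. `BASENAME` on line 86 is assigned but never used, which suggests a usage message was intended. If `$PRIVKEY` already exists (for instance a stale `.new` file left by an aborted rotation in kvmx_rotate_sshkeys), ssh-keygen prompts interactively before overwriting, which hangs a non-interactive caller; an explicit refusal with an error is safer. Both parameters should be quoted at the call, and the header comment should state that `-N ''` yields an unencrypted private key whose protection is the file mode ssh-keygen applies, since this wrapper is now the single place kvmx keys are produced.
```shell
# … unchanged: license header …

# Parameters
BASENAME="`basename $0`"
PRIVKEY="$1"
COMMENT="$2"

if [ -z "$PRIVKEY" ]; then
  echo "Usage: $BASENAME <private-key-path> [comment]" >&2
  exit 1
fi

# Refuse to clobber an existing key (ssh-keygen would otherwise prompt interactively)
if [ -e "$PRIVKEY" ]; then
  echo "$BASENAME: $PRIVKEY already exists, refusing to overwrite" >&2
  exit 1
fi

# Generate a keypair (no passphrase: intended for unattended use by kvmx)
ssh-keygen -t rsa -b 4096 -f "$PRIVKEY" -N '' -C "$COMMENT"
```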