#!/usr/bin/env bash # Copyright 2025 Emile Clark-Boman # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. set -euo pipefail USAGE="${BOLD}${UNDERLINE}${RED}Usage${RESET} ${BOLD}${GREEN}$THIS new ssh-key [option...]${RESET} ${BOLD}${UNDERLINE}${RED}Description${RESET} Generates a new SSH keypair with secure defaults. For more advanced usage run the ${BOLD}${MAGENTA}\`ssh-keygen\`${RESET} utility directly. ${BOLD}${UNDERLINE}${RED}Key Sizes${RESET} Key sizes are specified in bits via the ${BOLD}${MAGENTA}-b|--bits${RESET} flag. • ${BOLD}${CYAN}ECDSA keys${RESET} can only operate on elliptic curves of size: ${BOLD}${CYAN}256, 384, or 521 bits${RESET} • ${BOLD}${CYAN}Ed25519 keys${RESET} have a ${BOLD}${MAGENTA}fixed length${RESET} so the key size is ignored • ${BOLD}${CYAN}RSA keys${RESET} have been intentionally restricted to: ${BOLD}${CYAN}2048, 3072, 4096, or 8192 bits${RESET} ${BOLD}${UNDERLINE}${RED}Options${RESET} ${BOLD}${MAGENTA}-h, --help${RESET} Show this message (^_^) ${BOLD}${MAGENTA}-o, --out${RESET} Private key file name to write to (the public key is named identically but ends with ${BOLD}${MAGENTA}.pub${RESET}) ${BOLD}${MAGENTA}-c, --comment${RESET} A comment or email address to write on the key ${BOLD}${MAGENTA}-t, --type${RESET} The cryptographic algorithm to use: ${BOLD}${MAGENTA}ecdsa, ed25519, rsa${RESET} ${BOLD}${CYAN}(default: ecdsa)${RESET} ${BOLD}${MAGENTA}-r, --rounds${RESET} The number of KDF rounds to apply ${BOLD}${CYAN}(default: 100)${RESET} ${BOLD}${MAGENTA}-b, --bits${RESET} The key size in bits ${BOLD}${MAGENTA}(see \"Key Sizes\" above) ${CYAN}(defaults: ecdsa=521, rsa=4096, ed25519=NULL)${RESET} ${BOLD}${MAGENTA}-N, --nopasswd${RESET} Do not encrypt the private key with a password ${BOLD}${MAGENTA}-H, --hardware-key${RESET} Enable the use of a secure hardware key peripheral device (ie YubiKey)" # ==== Argument Values ==== TYPE='ecdsa' ROUNDS='100' BITS='' COMMENT='' OUT='' NOPASSWD='' HWKEY=false # ==== Argument Values ==== # parse all args while [[ $# -gt 0 ]]; do ARG="$1" case "$ARG" in -h|--help) throw-usage 0 ;; -o|--out) shift OUT="$1"; shift ;; -c|--comment) shift COMMENT="$1"; shift ;; -t|--type) shift TYPE="$1"; shift ;; -r|--rounds) shift ROUNDS="$1"; shift ;; -b|--bits) shift BITS="$1"; shift ;; -N|--nopasswd) shift NOPASSWD="-N ''" ;; -H|--hardware-key) shift HWKEY=true ;; -*) throw-badflag 1 "$ARG" ;; *) throw-badarg 1 "$ARG" ;; esac done; unset -v ARG # ensure $ROUNDS is a valid numeric if ! isnumeric "$ROUNDS"; then throw-badval 1 "$ROUNDS" '-r|--rounds' fi case "$TYPE" in ecdsa) if [[ -z "$BITS" ]]; then BITS='521' else # NOTE: ECDSA keys can only operate on elliptic curves # NOTE: of sizes: 256, 384 or 521 bits case "$BITS" in 256|384|512) true ;; *) throw-badval 1 "$BITS" '-b|--bits' ;; esac fi ;; ed25519) # NOTE: the value of BITS does not matter for Ed25519 # NOTE: as it operates on a fixed size elliptic curve if [[ -z "$BITS" ]]; then BITS='256' fi ;; rsa) if [[ -z "$BITS" ]]; then BITS='4096' else case "$BITS" in 2048) echo -e "${BOLD}${UNDERLINE}${YELLOW}WARNING${RESET}${BOLD}: Although ${MAGENTA}2048-bit RSA keys${YELLOW} are considered secure,${RESET}" >&2 echo -e "${BOLD}${UNDERLINE}${YELLOW}WARNING${RESET}${BOLD}: it is the growing opinion that these will not be soon.${RESET}" >&2 echo -e "${BOLD}${UNDERLINE}${YELLOW}WARNING${RESET}${BOLD}: ${GREEN}Consider using a minimum of ${MAGENTA}3072-bit${YELLOW}, or ideally ${MAGENTA}4096-bit.${RESET}" >&2 ;; 3072|4096|8192) true ;; *) throw-badval 1 "$BITS" '-b|--bits' ;; esac fi ;; *) throw-badval 1 "$TYPE" '-t|--type' ;; esac if ! isnumeric "$BITS"; then throw-badval 1 "$BITS" '-b|--bits' fi if [[ "$HWKEY" == true ]]; then if [[ "$TYPE" == "rsa" ]]; then echo -e "${BOLD}${MAGENTA}-H|--hardware-key${RESET} flag is not valid for ${BOLD}${MAGENTA}RSA keys${RESET} ${BOLD}${CYAN}(use Ed25519 instead)${RESET}" exit 1 fi TYPE="$TYPE-sk" fi if [[ -z "$OUT" ]]; then # fallback to ssh-keygen's default file (for chmod later) OUT="~/.ssh/id_$TYPE" fi # permit error during key generation set +e echo -e "${BOLD}${GREEN}[+] ssh-keygen -t $TYPE -a$ROUNDS -b$BITS -C '$COMMENT' -f '$OUT' $NOPASSWD${RESET}" ssh-keygen -t $TYPE -a "$ROUNDS" -b "$BITS" -C "$COMMENT" -f "$OUT" $NOPASSWD chmod 600 $OUT chmod 644 $OUT.pub # reset state set -e unset TYPE ROUNDS BITS COMMENT OUT NOPASSWD HWKEY