172 lines
5.1 KiB
Bash
Executable file
172 lines
5.1 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# Copyright 2025 Emile Clark-Boman
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
set -euo pipefail
|
|
|
|
USAGE="${BOLD}${UNDERLINE}${RED}Usage${RESET}
|
|
${BOLD}${GREEN}$THIS new ssh-key [option...]${RESET}
|
|
|
|
${BOLD}${UNDERLINE}${RED}Description${RESET}
|
|
Generates a new SSH keypair with secure defaults.
|
|
For more advanced usage run the ${BOLD}${MAGENTA}\`ssh-keygen\`${RESET} utility directly.
|
|
|
|
${BOLD}${UNDERLINE}${RED}Key Sizes${RESET}
|
|
Key sizes are specified in bits via the ${BOLD}${MAGENTA}-b|--bits${RESET} flag.
|
|
• ${BOLD}${CYAN}ECDSA keys${RESET} can only operate on elliptic curves of size: ${BOLD}${CYAN}256, 384, or 521 bits${RESET}
|
|
• ${BOLD}${CYAN}Ed25519 keys${RESET} have a ${BOLD}${MAGENTA}fixed length${RESET} so the key size is ignored
|
|
• ${BOLD}${CYAN}RSA keys${RESET} have been intentionally restricted for Cerulean to: ${BOLD}${CYAN}2048, 3072, 4096, or 8192 bits${RESET}
|
|
|
|
${BOLD}${UNDERLINE}${RED}Options${RESET}
|
|
${BOLD}${MAGENTA}-h, --help${RESET} Show this message (^_^)
|
|
${BOLD}${MAGENTA}-o, --out${RESET} Private key file name to write to (the public key is named identically but ends with ${BOLD}${MAGENTA}.pub${RESET})
|
|
${BOLD}${MAGENTA}-c, --comment${RESET} A comment or email address to write on the key
|
|
${BOLD}${MAGENTA}-t, --type${RESET} The cryptographic algorithm to use: ${BOLD}${MAGENTA}ecdsa, ed25519, rsa${RESET} ${BOLD}${CYAN}(default: ecdsa)${RESET}
|
|
${BOLD}${MAGENTA}-r, --rounds${RESET} The number of KDF rounds to apply ${BOLD}${CYAN}(default: 100)${RESET}
|
|
${BOLD}${MAGENTA}-b, --bits${RESET} The key size in bits ${BOLD}${MAGENTA}(see \"Key Sizes\" above) ${CYAN}(defaults: ecdsa=521, rsa=4096, ed25519=NULL)${RESET}
|
|
${BOLD}${MAGENTA}-N, --nopasswd${RESET} Do not encrypt the private key with a password
|
|
${BOLD}${MAGENTA}-H, --hardware-key${RESET} Enable the use of a secure hardware key peripheral device (ie YubiKey)"
|
|
|
|
# ==== Argument Values ====
|
|
TYPE='rsa'
|
|
ROUNDS='100'
|
|
BITS=''
|
|
COMMENT=''
|
|
OUT=''
|
|
NOPASSWD=''
|
|
HWKEY=false
|
|
# ==== Argument Values ====
|
|
|
|
# parse all args
|
|
while [[ $# -gt 0 ]]; do
|
|
ARG="$1"
|
|
case "$ARG" in
|
|
-h|--help)
|
|
throw-usage 0
|
|
;;
|
|
-o|--out)
|
|
shift
|
|
OUT="$1"; shift
|
|
;;
|
|
-c|--comment)
|
|
shift
|
|
COMMENT="$1"; shift
|
|
;;
|
|
-t|--type)
|
|
shift
|
|
TYPE="$1"; shift
|
|
;;
|
|
-r|--rounds)
|
|
shift
|
|
ROUNDS="$1"; shift
|
|
;;
|
|
-b|--bits)
|
|
shift
|
|
BITS="$1"; shift
|
|
;;
|
|
-N|--nopasswd)
|
|
shift
|
|
NOPASSWD="-N ''"
|
|
;;
|
|
-H|--hardware-key)
|
|
shift
|
|
HWKEY=true
|
|
;;
|
|
-*)
|
|
throw-badflag 1 "$ARG"
|
|
;;
|
|
*)
|
|
throw-badarg 1 "$ARG"
|
|
;;
|
|
esac
|
|
done; unset -v ARG
|
|
|
|
# ensure $ROUNDS is a valid numeric
|
|
if ! isnumeric "$ROUNDS"; then
|
|
throw-badval 1 "$ROUNDS" '-r|--rounds'
|
|
fi
|
|
|
|
case "$TYPE" in
|
|
ecdsa)
|
|
if [[ -z "$BITS" ]]; then
|
|
BITS='521'
|
|
else
|
|
# NOTE: ECDSA keys can only operate on elliptic curves
|
|
# NOTE: of sizes: 256, 384 or 521 bits
|
|
case "$BITS" in
|
|
256|384|512) true
|
|
;;
|
|
*)
|
|
throw-badval 1 "$BITS" '-b|--bits'
|
|
;;
|
|
esac
|
|
fi
|
|
;;
|
|
ed25519)
|
|
# NOTE: the value of BITS does not matter for Ed25519
|
|
# NOTE: as it operates on a fixed size elliptic curve
|
|
if [[ -z "$BITS" ]]; then
|
|
BITS='256'
|
|
fi
|
|
;;
|
|
rsa)
|
|
if [[ -z "$BITS" ]]; then
|
|
BITS='4096'
|
|
else
|
|
case "$BITS" in
|
|
2048)
|
|
echo -e "${BOLD}${UNDERLINE}${YELLOW}WARNING${RESET}${BOLD}: Although ${MAGENTA}2048-bit RSA keys${YELLOW} are considered secure,${RESET}" >&2
|
|
echo -e "${BOLD}${UNDERLINE}${YELLOW}WARNING${RESET}${BOLD}: it is the growing opinion that these will not be soon.${RESET}" >&2
|
|
echo -e "${BOLD}${UNDERLINE}${YELLOW}WARNING${RESET}${BOLD}: ${GREEN}Consider using a minimum of ${MAGENTA}3072-bit${YELLOW}, or ideally ${MAGENTA}4096-bit.${RESET}" >&2
|
|
;;
|
|
3072|4096|8192) true
|
|
;;
|
|
*)
|
|
throw-badval 1 "$BITS" '-b|--bits'
|
|
;;
|
|
esac
|
|
fi
|
|
;;
|
|
*)
|
|
throw-badval 1 "$TYPE" '-t|--type'
|
|
;;
|
|
esac
|
|
|
|
if ! isnumeric "$BITS"; then
|
|
throw-badval 1 "$BITS" '-b|--bits'
|
|
fi
|
|
|
|
if [[ "$HWKEY" == true ]]; then
|
|
if [[ "$TYPE" == "rsa" ]]; then
|
|
echo -e "${BOLD}${MAGENTA}-H|--hardware-key${RESET} flag is not valid for ${BOLD}${MAGENTA}RSA keys${RESET} ${BOLD}${CYAN}(use Ed25519 instead)${RESET}"
|
|
exit 1
|
|
fi
|
|
TYPE="$TYPE-sk"
|
|
fi
|
|
|
|
if [[ -z "$OUT" ]]; then
|
|
# fallback to ssh-keygen's default file (for chmod later)
|
|
OUT="~/.ssh/id_$TYPE"
|
|
fi
|
|
|
|
# permit error during key generation
|
|
set +e
|
|
echo -e "${BOLD}${GREEN}[+] ssh-keygen -t $TYPE -a$ROUNDS -b$BITS -C '$COMMENT' -f '$OUT' $NOPASSWD${RESET}"
|
|
ssh-keygen -t $TYPE -a "$ROUNDS" -b "$BITS" -C "$COMMENT" -f "$OUT" $NOPASSWD
|
|
chmod 600 $OUT
|
|
chmod 644 $OUT.pub
|
|
# reset state
|
|
set -e
|
|
|
|
unset TYPE ROUNDS BITS COMMENT OUT NOPASSWD HWKEY
|