This repository has been archived by the owner on Aug 29, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 27
/
ssh-certinfo
executable file
·372 lines (276 loc) · 7.77 KB
/
ssh-certinfo
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
#!/usr/bin/env bash
# +------------------------------------------------------------------+
# | Title : ssh-certinfo |
# | Description : shows validity and information of SSH certificates |
# | Author : Sven Wick <[email protected]> |
# | URL : https://github.com/vaporup/ssh-tools |
# +------------------------------------------------------------------+
# shellcheck disable=SC2207
#
# Some colors for better output
#
RED='\033[0;91m'
GREEN='\033[0;92m'
YELLOW='\033[0;93m'
RESET='\033[0m'
#
# Defaults
#
WARN=30 # days before cert expires
#
# Usage/Help message
#
function usage() {
cat << EOF
Usage: ${0##*/} [OPTIONS] CERT-FILE [...]
OPTIONS:
-c show colors
-h Show this message
-w days warning threshold (default: 30)
-v Verbose output
Examples:
Default:
${0##*/} ~/.ssh/id_rsa-cert.pub
${0##*/} ~/.ssh/*.pub
Certificates which expire within the next 2 months (colored output):
${0##*/} -c -w 60 ~/.ssh/id_rsa-cert.pub
${0##*/} -c -w 60 ~/.ssh/*.pub
EOF
}
if [[ -z $1 || $1 == "--help" ]]; then
usage
exit 1
fi
#
# Command line Options
#
# shellcheck disable=SC2249
while getopts ":chvw:" opt; do
case ${opt} in
c )
colors="yes"
;;
h )
usage
exit 1
;;
v )
verbose="yes"
;;
w )
[[ ${OPTARG} =~ ^[0-9]+$ ]] && WARN=${OPTARG}
;;
\? )
echo "Invalid option: ${OPTARG}" 1>&2
usage
exit 1
;;
esac
done
function return_epoch_from_date_string() {
#
# date behaves differently on *BSD, Busybox, etc..
# Trying multiple variants and use first that succeeds
#
DATES=()
#
# GNU date
#
DATES+=( $( date -d "$1" +%s 2>/dev/null || echo NO_DATE ) )
#
# BSD date
#
DATES+=( $( date -j -f "%Y-%m-%dT%T" "$1" "+%s" 2>/dev/null || echo NO_DATE ) )
#
# BusyBox
#
DATES+=( $( date -d "${1//T/ }" +%s 2>/dev/null || echo NO_DATE ) )
for DATE in "${DATES[@]}"; do
if [[ ${DATE} -gt 0 ]]; then
echo "${DATE}"
break
fi
done
}
function print_cert() {
ssh-keygen -L -f "${cert}"
echo
}
function get_cert_data() {
valid_from=$( echo "${valid}" | awk '{print $3}' )
valid_to=$( echo "${valid}" | awk '{print $5}' )
valid_from_epoch=$( return_epoch_from_date_string "${valid_from}" )
valid_to_epoch=$( return_epoch_from_date_string "${valid_to}" )
valid_to_epoch_warning=$(( valid_to_epoch - WARN_SECONDS ))
expires_in_days=$(( WARN - ( ( now - valid_to_epoch_warning ) / 60 / 60 / 24 ) -1 ))
}
function print_if_certs_were_found() {
if grep -q "yes" "${certs_found}"; then
echo
else
if [[ ${colors} == yes ]]; then
echo -e -n "${YELLOW}"
echo -e "No SSH certificates found.\n"
echo -e -n "${RESET}"
else
echo -e "No SSH certificates found.\n"
fi
fi
}
function cert_is_valid() {
if [[ ${now} -gt ${valid_from_epoch} && ${now} -lt ${valid_to_epoch} ]]; then
return 0
else
return 1
fi
}
function cert_is_invalid() {
if [[ ${now} -lt ${valid_from_epoch} ]]; then
return 0
else
return 1
fi
}
function cert_is_expired() {
if [[ ${now} -gt ${valid_to_epoch} ]]; then
return 0
else
return 1
fi
}
function cert_expires() {
if [[ ${now} -gt ${valid_to_epoch_warning} ]]; then
return 0
else
return 1
fi
}
WARN_SECONDS=$(( WARN * 24 * 60 * 60))
CERTS=( "${@:${OPTIND}}" )
now=$(date +%s)
certs_found="$(mktemp)"
trap 'rm -f ${certs_found}' EXIT
echo
if [[ ${verbose} == yes ]]; then
for cert in "${CERTS[@]}"; do
valid=$( print_cert 2>/dev/null | grep -i valid)
if [[ -z ${valid} ]]; then
continue
else
echo "yes" > "${certs_found}"
fi
if [[ ${valid} == *"forever"* ]]; then
if [[ ${colors} == yes ]]; then
echo -e -n "${GREEN}"
print_cert
echo -e -n "${RESET}"
continue
else
print_cert
continue
fi
fi
get_cert_data
if cert_is_invalid; then
if [[ ${colors} == yes ]]; then
echo -e -n "${YELLOW}"
print_cert
echo -e -n "${RESET}"
continue
else
print_cert
continue
fi
fi
if cert_is_expired; then
if [[ ${colors} == yes ]]; then
echo -e -n "${RED}"
print_cert
echo -e -n "${RESET}"
continue
else
print_cert
continue
fi
fi
if cert_expires; then
if [[ ${colors} == yes ]]; then
echo -e -n "${YELLOW}"
print_cert
echo -e -n "${RESET}"
continue
else
print_cert
continue
fi
fi
if cert_is_valid; then
if [[ ${colors} == yes ]]; then
echo -e -n "${GREEN}"
print_cert
echo -e -n "${RESET}"
continue
else
print_cert
continue
fi
fi
done
print_if_certs_were_found
else
for cert in "${CERTS[@]}"; do
valid=$( print_cert 2>/dev/null | grep -i valid)
if [[ -z ${valid} ]]; then
continue
else
echo "yes" > "${certs_found}"
fi
if [[ ${valid} == *"forever"* ]]; then
if [[ ${colors} == yes ]]; then
echo -e "${GREEN}${cert} SSH_CERT_VALID forever -> forever${RESET}"
continue
else
echo "${cert} SSH_CERT_VALID forever -> forever"
continue
fi
fi
get_cert_data
if cert_is_invalid; then
if [[ ${colors} == yes ]]; then
echo -e "${YELLOW}${cert} SSH_CERT_INVALID ${valid_from} -> ${valid_to}${RESET}"
continue
else
echo "${cert} SSH_CERT_INVALID ${valid_from} -> ${valid_to}"
continue
fi
fi
if cert_is_expired; then
if [[ ${colors} == yes ]]; then
echo -e "${RED}${cert} SSH_CERT_EXPIRED ${valid_from} -> ${valid_to}${RESET}"
continue
else
echo "${cert} SSH_CERT_EXPIRED ${valid_from} -> ${valid_to}"
continue
fi
fi
if cert_expires; then
if [[ ${colors} == yes ]]; then
echo -e "${YELLOW}${cert} SSH_CERT_EXPIRES_IN_${expires_in_days}_DAYS ${valid_from} -> ${valid_to} ${RESET}"
continue
else
echo "${cert} SSH_CERT_EXPIRES_IN_${expires_in_days}_DAYS ${valid_from} -> ${valid_to}"
continue
fi
fi
if cert_is_valid; then
if [[ ${colors} == yes ]]; then
echo -e "${GREEN}${cert} SSH_CERT_VALID ${valid_from} -> ${valid_to}${RESET}"
continue
else
echo "${cert} SSH_CERT_VALID ${valid_from} -> ${valid_to}"
continue
fi
fi
done | column -t
print_if_certs_were_found
fi