From 1265caca60bf097d66ef9ef0814e8f04f9720170 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Thu, 2 Nov 2023 09:46:25 +0100
Subject: mod/ssh-keys-import: calculate fingerprint...

... and store it in key-owner, which is descriptive only.

This requires RouterOS 7.12beta1 for the 'transform' property for
':convert' command.
---
 doc/mod/ssh-keys-import.md | 8 +++++++-
 global-functions.rsc       | 2 +-
 mod/ssh-keys-import.rsc    | 7 ++++++-
 news-and-changes.rsc       | 1 +
 4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/doc/mod/ssh-keys-import.md b/doc/mod/ssh-keys-import.md
index cf28ee2..9f7f7ce 100644
--- a/doc/mod/ssh-keys-import.md
+++ b/doc/mod/ssh-keys-import.md
@@ -3,6 +3,8 @@ Import ssh keys for public key authentication
 
 [⬅️ Go back to main README](../../README.md)
 
+[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.12beta1-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
+
 > ℹ️️ **Info**: This module can not be used on its own but requires the base
 > installation. See [main README](../../README.md) for details.
 
@@ -35,7 +37,11 @@ been added:
     $SSHKeysImport "ssh-ed25519 AAAAC3Nza...ZVugJT user" admin;
 
 The third part of the key (`user` in this example) is inherited as
-`key-owner` in RouterOS.
+`key-owner` in RouterOS. Also the `MD5` fingerprint is recorded, this helps
+to audit and verify the available keys.
+
+> ℹ️️ **Info**: Use `ssh-keygen` to show a fingerprint of an existing public
+> key file: `ssh-keygen -l -E md5 -f ~/.ssh/id_ed25519.pub`
 
 ### Import several keys from file
 
diff --git a/global-functions.rsc b/global-functions.rsc
index e307560..7eb1ec5 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -12,7 +12,7 @@
 :local 0 "global-functions";
 
 # expected configuration version
-:global ExpectedConfigVersion 111;
+:global ExpectedConfigVersion 112;
 
 # global variables not to be changed by user
 :global GlobalFunctionsReady false;
diff --git a/mod/ssh-keys-import.rsc b/mod/ssh-keys-import.rsc
index fb6fee1..0e82785 100644
--- a/mod/ssh-keys-import.rsc
+++ b/mod/ssh-keys-import.rsc
@@ -3,6 +3,8 @@
 # Copyright (c) 2020-2023 Christian Hesse
 # https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
 #
+# requires RouterOS, version=7.12beta1
+#
 # import ssh keys for public key authentication
 # https://git.eworm.de/cgit/routeros-scripts/about/doc/mod/ssh-keys-import.md
 
@@ -38,12 +40,15 @@
       $LogPrintExit2 warning $0 ("Creating directory 'tmpfs/ssh-keys-import' failed!") true;
     }
 
+    :local FingerPrintMD5 [ :convert from=base64 transform=md5 to=hex ($KeyVal->1) ];
     :local FileName ("tmpfs/ssh-keys-import/key-" . [ $GetRandom20CharAlNum 6 ] . ".pub");
-    /file/add name=$FileName contents=$Key;
+    /file/add name=$FileName contents=($Key . ", md5=" . $FingerPrintMD5);
     $WaitForFile $FileName;
     :do {
       /user/ssh-keys/import public-key-file=$FileName user=$User;
+      $LogPrintExit2 info $0 ("Imported ssh public key (" . $KeyVal->2 . ", " . $KeyVal->0 . ", " . \
+        "MD5:" . $FingerPrintMD5 . ") for user '" . $User . "'.") false;
     } on-error={
       $LogPrintExit2 warning $0 ("Failed importing key.") true;
     }
diff --git a/news-and-changes.rsc b/news-and-changes.rsc
index 5ee3030..babcec8 100644
--- a/news-and-changes.rsc
+++ b/news-and-changes.rsc
@@ -25,6 +25,7 @@
   109="Added support to send notifications via Ntfy (ntfy.sh).";
   110="Dropped support for loading scripts from local storage.";
   111="Modified 'dhcp-to-dns' to allow multiple records for one mac address.";
+  112="Enhanced 'mod/ssh-keys-import' to record the fingerprint of keys.";
 };
 
 # Migration steps to be applied on script updates
-- 
cgit v1.2.3-54-g00ecf
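Review bot: The fingerprint appended to key-owner via `contents=($Key . ", md5=" . $FingerPrintMD5)` in the second hunk of mod/ssh-keys-import.rsc is computed by the importing script from the same base64 blob and then stored only as descriptive text, so an audit must recompute the fingerprint from the key actually stored rather than trust the comment; the third key field is caller-supplied and could itself carry an `md5=` string, which is worth a one-line comment above the `/file/add` so nobody later treats the field as authoritative. The new `:convert from=base64 transform=md5 to=hex ($KeyVal->1)` runs before and outside the `:do { ... } on-error={ ... }` that follows, so if `:convert` raises on a malformed or missing base64 part the script would presumably abort there rather than reach the "Failed importing key." warning; guarding it with a `[ :len ($KeyVal->1) ]` check or its own `:do { } on-error={ }` would keep the failure path uniform. MD5 is also the legacy fingerprint format (the doc hunk has to pass `-E md5` to `ssh-keygen -l` to match it), so if this RouterOS release's `:convert` offers a SHA-256 transform it would be the better choice for comparison against current tooling. The enclosing function starts outside the hunk.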