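#!/bin/bash
# Add SSH public key to ~/.ssh/authorized_keys on infrastructure hosts.
#
# Modes (pick one):
#   ADD_KEY_LOCAL=1 — you are already SSH'd on the target host (e.g. 192.168.1.164): only
#                     update the current user's ~/.ssh/authorized_keys on this machine.
#   LAN_DIRECT=1    — same LAN as hosts: ssh BACKEND_USER@192.168.1.x directly (no ProxyJump,
#                     no 4nk.myftp.biz). Host list includes proxy .100, backends, and .164.
#   (default)       — bastion JUMP then ProxyJump to each backend (Internet / standard doc).
#
# The key embedded below (desk@desk) is what gets appended remotely unless SSH_KEY is set;
# client auth uses your existing keys (SSH_IDENTITY_FILE / agent).
#
# Run as the SSH user, not root: sudo uses /root/.ssh and causes Permission denied (publickey).
#
# Optional env:
#   SSH_KEY="ssh-ed25519 AAAA... comment"   # public-key line to install (default: desk@desk below)
#   BACKEND_USER=ncantu
#   JUMP=ncantu@4nk.myftp.biz              # default jump host when LAN_DIRECT is unset
#   SSH_IDENTITY_FILE=~/.ssh/id_ed25519
#   SSH_VERBOSE=1
#   EXTRA_LAN_IPS="192.168.1.42 ..."       # space-separated, appended when LAN_DIRECT=1
# Usage:
#   ADD_KEY_LOCAL=1 ./add-ssh-key.sh
#   LAN_DIRECT=1 ./add-ssh-key.sh
#
# Exit status: 0 when every host was updated (or already had the key); 1 when at least one
# host could not be updated (the remaining hosts are still processed), or on bad input.

set -euo pipefail

# Public-key line that gets appended on each host ("type base64 [comment]").
SSH_KEY="${SSH_KEY:-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyLeCZh0tJ7rEp1sktpMlA2EaBBKBU5jNRMgboYAOsk desk@desk}"

# The base64 blob (2nd field of the key line) is what the idempotency check greps for. It is
# not an `ssh-keygen -l` fingerprint despite the name; matching the blob rather than the whole
# line keeps the check stable when the comment differs between hosts. Derived from SSH_KEY so
# the two can never disagree.
read -r key_type KEY_FINGERPRINT _ <<<"${SSH_KEY}"
if [[ -z "${key_type}" || ! "${KEY_FINGERPRINT}" =~ ^[A-Za-z0-9+/=]+$ ]]; then
  echo "SSH_KEY is not an OpenSSH public-key line ('type base64 [comment]'): ${SSH_KEY}" >&2
  exit 1
fi

JUMP="${JUMP:-ncantu@4nk.myftp.biz}"
BACKEND_USER="${BACKEND_USER:-ncantu}"

BACKEND_IPS=(
  "192.168.1.101"  # test
  "192.168.1.102"  # pprod
  "192.168.1.103"  # prod
  "192.168.1.104"  # services
  "192.168.1.105"  # bitcoin
  "192.168.1.173"  # ia
)
LAN_IPS=(
  "192.168.1.100"  # proxy
  "${BACKEND_IPS[@]}"
  "192.168.1.164"  # workstation / host 164 on LAN
)

# accept-new records an unknown host key on first contact and still refuses a changed one.
# On the Internet path through the bastion that first contact is unauthenticated; pre-seed
# ~/.ssh/known_hosts and use StrictHostKeyChecking=yes where that matters.
SSH_OPTS=(-o StrictHostKeyChecking=accept-new)
if [[ -n "${SSH_IDENTITY_FILE:-}" ]]; then
  idf="${SSH_IDENTITY_FILE/#\~/$HOME}"  # a quoted "~" is not expanded by the shell; do it by hand
  # IdentitiesOnly keeps the agent from offering every loaded key before this one.
  SSH_OPTS+=(-i "${idf}" -o IdentitiesOnly=yes)
fi
if [[ -n "${SSH_VERBOSE:-}" ]]; then
  SSH_OPTS+=(-v)
fi

if [[ "$(id -u)" -eq 0 ]]; then
  echo "Do not run this script with sudo/root: SSH will use /root/.ssh and fail with Permission denied (publickey)." >&2
  exit 1
fi

# Hosts whose remote update failed; reported at the end instead of aborting on the first one.
failed_hosts=()

#######################################
# Append the key to the current user's authorized_keys if not already present.
# Globals:   HOME, SSH_KEY, KEY_FINGERPRINT (read)
# Outputs:   one "Key added" / "Key already present" line on stdout
# Returns:   0 on success; the script aborts (set -e) if ~/.ssh cannot be prepared
#######################################
add_key_to_current_user() {
  local ssh_dir="${HOME}/.ssh"
  local auth="${ssh_dir}/authorized_keys"
  local host
  host="$(hostname -f 2>/dev/null || hostname)"

  # With the default StrictModes, sshd ignores authorized_keys when the directory or file is
  # group/world writable, so set the modes explicitly instead of relying on umask.
  mkdir -p "${ssh_dir}"
  chmod 700 "${ssh_dir}"
  touch "${auth}"
  chmod 600 "${auth}"

  if grep -qF -- "${KEY_FINGERPRINT}" "${auth}" 2>/dev/null; then
    echo "Key already present (local user $(id -un)@${host})"
  else
    printf '%s\n' "${SSH_KEY}" >> "${auth}"
    echo "Key added (local user $(id -un)@${host})"
  fi
}

#######################################
# Run the authorized_keys update on a remote host.
# The remote snippet is a quoted here-doc (nothing is expanded locally). The key line and its
# blob travel as positional parameters of the remote `bash -s`, shell-quoted with printf %q
# because ssh re-parses the command line on the far side; the key text is never spliced into
# shell code.
# Arguments: $@ - the ssh command to run (ssh, options, destination)
# Globals:   SSH_KEY, KEY_FINGERPRINT (read)
# Outputs:   the remote "Key added" / "Key already present" line on stdout
# Returns:   ssh's exit status (non-zero if the host is unreachable or the update failed)
#######################################
run_add_key_remote() {
  local key_q blob_q
  key_q=$(printf '%q' "${SSH_KEY}")
  blob_q=$(printf '%q' "${KEY_FINGERPRINT}")
  "$@" bash -s -- "${key_q}" "${blob_q}" <<'EOF'
set -eu
KEY_LINE="$1"
FP="$2"
AUTH="${HOME}/.ssh/authorized_keys"
mkdir -p "${HOME}/.ssh"
chmod 700 "${HOME}/.ssh"
touch "${AUTH}"
chmod 600 "${AUTH}"
if grep -qF -- "${FP}" "${AUTH}" 2>/dev/null; then
  echo "Key already present"
else
  printf '%s\n' "${KEY_LINE}" >> "${AUTH}"
  echo "Key added"
fi
EOF
}

#######################################
# Run the remote update for one destination and record a failure instead of aborting, so the
# remaining hosts are still processed (set -e would otherwise stop at the first one).
# Arguments: $1 - label for the report (user@host); $@ (rest) - the ssh command
# Globals:   failed_hosts (appended)
#######################################
try_remote() {
  local label="$1"
  shift
  if ! run_add_key_remote "$@"; then
    echo "FAILED: ${label}" >&2
    failed_hosts+=("${label}")
  fi
}

#######################################
# Print the final status and exit: 1 with the failed hosts on stderr, else 0 with $1 on stdout.
# Arguments: $1 - success message
# Globals:   failed_hosts (read)
#######################################
finish() {
  local success_msg="$1"
  if (( ${#failed_hosts[@]} > 0 )); then
    echo "SSH key addition finished with ${#failed_hosts[@]} failed host(s): ${failed_hosts[*]}" >&2
    exit 1
  fi
  echo "${success_msg}"
  exit 0
}

if [[ "${ADD_KEY_LOCAL:-0}" == "1" ]]; then
  echo "ADD_KEY_LOCAL=1: updating authorized_keys for current user only."
  echo "Key: ${SSH_KEY}"
  # id -un rather than $USER: USER is not guaranteed to be set (cron, su) and set -u would abort.
  echo "Host: $(hostname) ($(id -un))"
  add_key_to_current_user
  exit 0
fi

if [[ "${LAN_DIRECT:-0}" == "1" ]]; then
  echo "LAN_DIRECT=1: direct SSH on LAN (no ProxyJump / no bastion hostname)."
  echo "Key: ${SSH_KEY}"
  echo "User: ${BACKEND_USER}"
  if [[ -n "${EXTRA_LAN_IPS:-}" ]]; then
    # read -a splits on whitespace without the pathname globbing an unquoted expansion would do.
    read -r -a extra_ips <<<"${EXTRA_LAN_IPS}"
    if (( ${#extra_ips[@]} > 0 )); then
      LAN_IPS+=("${extra_ips[@]}")
    fi
  fi
  for ip in "${LAN_IPS[@]}"; do
    echo ""
    echo "Processing: ${BACKEND_USER}@${ip}"
    try_remote "${BACKEND_USER}@${ip}" ssh "${SSH_OPTS[@]}" "${BACKEND_USER}@${ip}"
  done
  echo ""
  finish "SSH key addition completed (LAN direct)."
fi

echo "Adding SSH key to all servers (bastion + ProxyJump)..."
echo "Key: ${SSH_KEY}"
echo "Jump: ${JUMP}"
echo ""
echo "Processing bastion (proxy): ${JUMP}"
try_remote "${JUMP}" ssh "${SSH_OPTS[@]}" "${JUMP}"
echo ""
# A failed bastion update does not block the backends: -J only needs the existing client keys.
for ip in "${BACKEND_IPS[@]}"; do
  echo "Processing backend: ${BACKEND_USER}@${ip} (via ${JUMP})"
  try_remote "${BACKEND_USER}@${ip}" ssh "${SSH_OPTS[@]}" -J "${JUMP}" "${BACKEND_USER}@${ip}"
  echo ""
done
finish "SSH key addition completed for bastion and all listed backends."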