From 1884a7ebff12b06ac66b1809ca64d3b83b8ca214 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakobus=20Sch=C3=BCrz?= Date: Fri, 14 Apr 2023 18:02:50 +0200 Subject: [PATCH] fix use of token from remote --- bin/startagent | 8 +++++- functions.sh | 68 +++++++++++++++++++------------------------------- 2 files changed, 32 insertions(+), 44 deletions(-) diff --git a/bin/startagent b/bin/startagent index dcce8cb..32a24ab 100755 --- a/bin/startagent +++ b/bin/startagent @@ -42,12 +42,18 @@ EOF } check_token(){ + loginfo "a P11M: ${P11M}" + loginfo "a PKCS11_MODULE: ${PKCS11_MODULE}" [ -n "${P11M:+x}" ] && export PKCS11_MODULE=${P11M} + loginfo "b P11M: ${P11M}" + loginfo "b PKCS11_MODULE: ${PKCS11_MODULE}" # it's the same as "token" in functions.sh # defined here also, to work also in environments, where functions.sh couldn't be sourced [ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; } + loginfo "c P11M: ${P11M}" + loginfo "c PKCS11_MODULE: ${PKCS11_MODULE}" # If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work # So remember and unset DISPLAY, and set it at the end again, if it was set before [ $DISPLAY ] && local DISPLAY_ORIG=$DISPLAY @@ -57,7 +63,7 @@ check_token(){ # Write public keys of all in agent stored keys to a temporary file local tmppubkey="$(mktemp -p ${XDG_RUNTIME_DIR} pubkey.XXXXXX.pub)" logtrace "tmppubkey: $tmppubkey" - loginfo "$(ssh-add -L > $tmppubkey)" + ssh-add -L > $tmppubkey || return $? # Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token. loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )" logdebug "$(rm "${tmppubkey}")" diff --git a/functions.sh b/functions.sh index fb6e49f..ae5356b 100755 --- a/functions.sh +++ b/functions.sh 
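Review bot: The six `loginfo "a/b/c P11M…"` / `"… PKCS11_MODULE…"` lines added at the top of check_token read as leftover tracing: they log the same two variables three times at info level on every agent start, with no message that a user would act on. One line after the last assignment is enough, and it belongs at the trace level the file already uses, e.g. `logtrace "check_token: P11M=${P11M:-<unset>} PKCS11_MODULE=${PKCS11_MODULE:-<unset>}"`. While touching that line, the export on the existing line should quote the value, `export PKCS11_MODULE="${P11M}"`, since it is a filesystem path that later reaches ssh-add. check_token continues past the end of this hunk.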
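Review bot: `ssh-add -L > $tmppubkey || return $?` returns before the `rm "${tmppubkey}"` two lines below and before the DISPLAY restore that the comment in the earlier hunk promises "at the end", so a failure now leaks the temp file in XDG_RUNTIME_DIR and leaves DISPLAY unset in the caller. It also returns for the wrong case: ssh-add exits 1 when the agent simply holds no identities (exactly the state in which the `ssh-add -s $PKCS11_MODULE` fallback on the next line is needed) and 2 only when it cannot reach the agent, so as written an empty agent never gets the token added. Capture the status instead and bail only on the agent error after cleaning up: `local rv=0; ssh-add -L > "$tmppubkey" || rv=$?` followed by `[ "$rv" -eq 2 ] && { rm -f -- "$tmppubkey"; return "$rv"; }`, restoring DISPLAY before the return as the end of the function (outside this hunk) does. The `$tmppubkey` and `$PKCS11_MODULE` expansions on these lines should be double-quoted for the same reason as elsewhere in the file.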
@@ -21,48 +21,14 @@ promptcommandmunge () { EXIT } -function _pkcs11module_hook() { +_pkcs11module_hook() { -# if [ -S ~/.ssh/ssh_from_remote_auth_sock ] -# then -# if ss -elx|grep -q $(readlink -f ~/.ssh/ssh_from_remote_auth_sok) # test if socket is active -# then -# # Use PKCS11_MODULE from remote connection, even when using local machine -# # This is for: When i'm logged in from remote and working on local workstation, so i can use the token locally too -# #echo "read p11m" >&2 -# if [ -e ~/.ssh/p11m ] -# then -# . ~/.ssh/p11m -# else -# rm ~/.ssh/p11m -# unset P11M -# unset PKCS11_MODULE -# fi -# fi -# else -# #echo "NOT read p11m, delete it!" >&2 -# [ -e ~/.ssh/p11m ] && { rm ~/.ssh/p11m; \ -# unset P11M; \ -# unset PKCS11_MODULE; \ -# } -# -# fi - - if [ -z "${PKCS11_MODULE:+x}" ] - then - # setze PKCS11_MODULE - loginfo "PKCS11_MODULE not set yet" - if [ -z "${P11M:+x}" ] + if [ ! -z ${SSH_TTY:+x} ]; then + # Ich bin remote + if [ -n "${P11M:+x}" ] then - # komme ich nicht über ssh, oder P11M ist nicht gesetzt, dann suche das P11-KIT-PROXY Modul für PKCS11_MODULE - logtrace "P11M not set -> search for p11-kit-proxy" - PKCS11_MODULE="$(whereis ${pkcs11_module_default:-p11-kit-proxy.so}|awk '{print $2}')" - [ -n "$(whereis ${pkcs11_module_default:-p11-kit-proxy.so}|awk '{print $2}')" ] && \ - export PKCS11_MODULE=$(whereis ${pkcs11_module_default:-p11-kit-proxy.so}|awk '{print $2}') || \ - { loginfo "${pkcs11_module_default:-p11-kit-proxy.so} not forwarded by ssh or installed, unset P11M"; unset P11M; } - else # komme ich über ssh, dann ist P11M (hoffentlich) gesetzt. Setze PKCS11_MODULE auf P11M - logtrace "P11M set -> set PKCS11_MODULE to P11M" + logdebug "P11M set -> set PKCS11_MODULE to P11M" PKCS11_MODULE=${P11M} if [ -n "${TMUX}" ]; then tmux set-environment P11M ${P11M} 
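Review bot: The new branch condition `if [ ! -z ${SSH_TTY:+x} ]; then` only works because `[ ! -z ]` happens to evaluate false when the unquoted expansion vanishes; the rest of the function writes this test as `[ -n "${P11M:+x}" ]`, so use `if [ -n "${SSH_TTY:+x}" ]; then` here as well. In the remote branch P11M is copied straight into PKCS11_MODULE, and PKCS11_MODULE is the shared-object path that startagent later hands to `ssh-add -s`, i.e. a library the agent will load; since P11M here arrives with the SSH session rather than from this machine, a minimal sanity check before adopting it is worth adding, e.g. `[ -f "${P11M}" ] || { logdebug "P11M does not name a file, ignoring"; return 0; }` (file existence only — ssh-add itself decides whether it is a usable module). Note also that the old `[ -z "${PKCS11_MODULE:+x}" ]` guard is gone, so the hook now reassigns PKCS11_MODULE on every prompt rather than only when it was unset; if that is intended a one-line comment saying so would save the next reader from restoring the guard. The `tmux set-environment P11M ${P11M}` lines still pass the path unquoted.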
@@ -70,14 +36,30 @@ function _pkcs11module_hook() { fi fi else - # lass es gesetzt. - logtrace "PKCS11_MODULE is set, do nothing" + # Ich bin lokal + if [ -z "${P11M:+x}" ] + then + # komme ich nicht über ssh, oder P11M ist nicht gesetzt, dann suche das P11-KIT-PROXY Modul für PKCS11_MODULE + logdebug "P11M not set -> search for p11-kit-proxy" + PKCS11_MODULE="$(whereis ${pkcs11_module_default:-p11-kit-proxy.so}|awk '{print $2}')" + [ -n "$(whereis ${pkcs11_module_default:-p11-kit-proxy.so}|awk '{print $2}')" ] && \ + export PKCS11_MODULE=$(whereis ${pkcs11_module_default:-p11-kit-proxy.so}|awk '{print $2}') || \ + { loginfo "${pkcs11_module_default:-p11-kit-proxy.so} not forwarded by ssh or installed, unset P11M"; unset P11M; } + else + # komme ich über ssh, dann ist P11M (hoffentlich) gesetzt. Setze PKCS11_MODULE auf P11M + logdebug "P11M set -> set PKCS11_MODULE to P11M" + PKCS11_MODULE=${P11M} + if [ -n "${TMUX}" ]; then + tmux set-environment P11M ${P11M} + tmux set-environment -g P11M ${P11M} + fi + fi fi - + loginfo "PKCS11_MODULE: $PKCS11_MODULE" if [ -n "${TMUX}" -a -n "${PKCS11_MODULE}" ]; then - logdebug "set PKCS11_MODULE also in tmux environment" + loginfo "set PKCS11_MODULE also in tmux environment" tmux set-environment PKCS11_MODULE ${PKCS11_MODULE} tmux set-environment -g PKCS11_MODULE ${PKCS11_MODULE} fi
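Review bot: The new local branch runs `whereis … | awk '{print $2}'` three times and, when the lookup fails, unsets only P11M while leaving PKCS11_MODULE holding the empty result assigned on the line above; the `a && b || c` chain that follows also runs the failure arm if `export` itself fails. The P11M-set branch below it is a verbatim copy of the remote branch in the previous hunk, so any later fix must be made twice — a small `_pkcs11module_from_p11m` helper, or placing the P11M check before the SSH_TTY split, would remove the duplication. The new `loginfo "PKCS11_MODULE: $PKCS11_MODULE"` and the logdebug→loginfo promotion fire from a prompt hook, so they print on every prompt; logdebug matches the surrounding messages. Since this file is sourced into the interactive shell, the helper variable below is unset again so it does not leak into the session.

```shell
    # Ich bin lokal
    if [ -z "${P11M:+x}" ]
    then
      logdebug "P11M not set -> search for p11-kit-proxy"
      # one lookup, reused for the check and the assignment
      found_module="$(whereis "${pkcs11_module_default:-p11-kit-proxy.so}" | awk '{print $2}')"
      if [ -n "${found_module}" ]; then
        PKCS11_MODULE="${found_module}"
        export PKCS11_MODULE
      else
        loginfo "${pkcs11_module_default:-p11-kit-proxy.so} not forwarded by ssh or installed, unset P11M"
        unset P11M PKCS11_MODULE
      fi
      unset found_module
    else
      # … unchanged: P11M set -> PKCS11_MODULE=${P11M} and tmux set-environment …
    fi
```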