fix use of token from remote

This commit is contained in:
Jakobus Schürz 2023-04-14 18:02:50 +02:00
parent 35bfdb7dd0
commit 1884a7ebff
2 changed files with 32 additions and 44 deletions


@ -42,12 +42,18 @@ EOF
} }
check_token(){ check_token(){
loginfo "a P11M: ${P11M}"
loginfo "a PKCS11_MODULE: ${PKCS11_MODULE}"
[ -n "${P11M:+x}" ] && export PKCS11_MODULE=${P11M} [ -n "${P11M:+x}" ] && export PKCS11_MODULE=${P11M}
loginfo "b P11M: ${P11M}"
loginfo "b PKCS11_MODULE: ${PKCS11_MODULE}"
# it's the same as "token" in functions.sh # it's the same as "token" in functions.sh
# defined here also, to work also in environments, where functions.sh couldn't be sourced # defined here also, to work also in environments, where functions.sh couldn't be sourced
[ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; } [ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
loginfo "c P11M: ${P11M}"
loginfo "c PKCS11_MODULE: ${PKCS11_MODULE}"
# If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work # If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work
# So remember and unset DISPLAY, and set it at the end again, if it was set before # So remember and unset DISPLAY, and set it at the end again, if it was set before
[ $DISPLAY ] && local DISPLAY_ORIG=$DISPLAY [ $DISPLAY ] && local DISPLAY_ORIG=$DISPLAY
@ -57,7 +63,7 @@ check_token(){
# Write public keys of all in agent stored keys to a temporary file # Write public keys of all in agent stored keys to a temporary file
local tmppubkey="$(mktemp -p ${XDG_RUNTIME_DIR} pubkey.XXXXXX.pub)" local tmppubkey="$(mktemp -p ${XDG_RUNTIME_DIR} pubkey.XXXXXX.pub)"
logtrace "tmppubkey: $tmppubkey" logtrace "tmppubkey: $tmppubkey"
loginfo "$(ssh-add -L > $tmppubkey)" ssh-add -L > $tmppubkey || return $?
# Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token. # Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token.
loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )" loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )"
logdebug "$(rm "${tmppubkey}")" logdebug "$(rm "${tmppubkey}")"
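Review bot: `ssh-add -L > $tmppubkey || return $?` leaves the function before the `rm "${tmppubkey}"` at the end of the hunk runs, so every failed agent query (no reachable agent, no loaded identities) leaves a fresh mktemp file behind in XDG_RUNTIME_DIR, and the DISPLAY restore that the comment at the top of check_token promises is presumably skipped too, although that code lies outside the hunk. Clean up before returning: `ssh-add -L > "$tmppubkey" || { local rc=$?; rm -f -- "$tmppubkey"; return "$rc"; }` — this also quotes the redirection target, which the new line leaves bare. The six `loginfo "a/b/c P11M …"` lines added at the top of check_token read like debugging traces; if they are meant to stay, a single `logtrace` after the last assignment conveys the same information at the appropriate level. check_token continues past the end of the hunk.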


@ -21,48 +21,14 @@ promptcommandmunge () {
EXIT EXIT
} }
function _pkcs11module_hook() { _pkcs11module_hook() {
# if [ -S ~/.ssh/ssh_from_remote_auth_sock ] if [ ! -z ${SSH_TTY:+x} ]; then
# then # Ich bin remote
# if ss -elx|grep -q $(readlink -f ~/.ssh/ssh_from_remote_auth_sok) # test if socket is active if [ -n "${P11M:+x}" ]
# then
# # Use PKCS11_MODULE from remote connection, even when using local machine
# # This is for: When i'm logged in from remote and working on local workstation, so i can use the token locally too
# #echo "read p11m" >&2
# if [ -e ~/.ssh/p11m ]
# then
# . ~/.ssh/p11m
# else
# rm ~/.ssh/p11m
# unset P11M
# unset PKCS11_MODULE
# fi
# fi
# else
# #echo "NOT read p11m, delete it!" >&2
# [ -e ~/.ssh/p11m ] && { rm ~/.ssh/p11m; \
# unset P11M; \
# unset PKCS11_MODULE; \
# }
#
# fi
if [ -z "${PKCS11_MODULE:+x}" ]
then
# setze PKCS11_MODULE
loginfo "PKCS11_MODULE not set yet"
if [ -z "${P11M:+x}" ]
then then
# komme ich nicht über ssh, oder P11M ist nicht gesetzt, dann suche das P11-KIT-PROXY Modul für PKCS11_MODULE
logtrace "P11M not set -> search for p11-kit-proxy"
PKCS11_MODULE="$(whereis ${pkcs11_module_default:-p11-kit-proxy.so}|awk '{print $2}')"
[ -n "$(whereis ${pkcs11_module_default:-p11-kit-proxy.so}|awk '{print $2}')" ] && \
export PKCS11_MODULE=$(whereis ${pkcs11_module_default:-p11-kit-proxy.so}|awk '{print $2}') || \
{ loginfo "${pkcs11_module_default:-p11-kit-proxy.so} not forwarded by ssh or installed, unset P11M"; unset P11M; }
else
# komme ich über ssh, dann ist P11M (hoffentlich) gesetzt. Setze PKCS11_MODULE auf P11M # komme ich über ssh, dann ist P11M (hoffentlich) gesetzt. Setze PKCS11_MODULE auf P11M
logtrace "P11M set -> set PKCS11_MODULE to P11M" logdebug "P11M set -> set PKCS11_MODULE to P11M"
PKCS11_MODULE=${P11M} PKCS11_MODULE=${P11M}
if [ -n "${TMUX}" ]; then if [ -n "${TMUX}" ]; then
tmux set-environment P11M ${P11M} tmux set-environment P11M ${P11M}
@ -70,14 +36,30 @@ function _pkcs11module_hook() {
fi fi
fi fi
else else
# lass es gesetzt. # Ich bin lokal
logtrace "PKCS11_MODULE is set, do nothing" if [ -z "${P11M:+x}" ]
then
# komme ich nicht über ssh, oder P11M ist nicht gesetzt, dann suche das P11-KIT-PROXY Modul für PKCS11_MODULE
logdebug "P11M not set -> search for p11-kit-proxy"
PKCS11_MODULE="$(whereis ${pkcs11_module_default:-p11-kit-proxy.so}|awk '{print $2}')"
[ -n "$(whereis ${pkcs11_module_default:-p11-kit-proxy.so}|awk '{print $2}')" ] && \
export PKCS11_MODULE=$(whereis ${pkcs11_module_default:-p11-kit-proxy.so}|awk '{print $2}') || \
{ loginfo "${pkcs11_module_default:-p11-kit-proxy.so} not forwarded by ssh or installed, unset P11M"; unset P11M; }
else
# komme ich über ssh, dann ist P11M (hoffentlich) gesetzt. Setze PKCS11_MODULE auf P11M
logdebug "P11M set -> set PKCS11_MODULE to P11M"
PKCS11_MODULE=${P11M}
if [ -n "${TMUX}" ]; then
tmux set-environment P11M ${P11M}
tmux set-environment -g P11M ${P11M}
fi
fi
fi fi
loginfo "PKCS11_MODULE: $PKCS11_MODULE" loginfo "PKCS11_MODULE: $PKCS11_MODULE"
if [ -n "${TMUX}" -a -n "${PKCS11_MODULE}" ]; then if [ -n "${TMUX}" -a -n "${PKCS11_MODULE}" ]; then
logdebug "set PKCS11_MODULE also in tmux environment" loginfo "set PKCS11_MODULE also in tmux environment"
tmux set-environment PKCS11_MODULE ${PKCS11_MODULE} tmux set-environment PKCS11_MODULE ${PKCS11_MODULE}
tmux set-environment -g PKCS11_MODULE ${PKCS11_MODULE} tmux set-environment -g PKCS11_MODULE ${PKCS11_MODULE}
fi fi
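Review bot: The remote branch opened by `if [ ! -z ${SSH_TTY:+x} ]; then` and the local `else` branch both carry a verbatim copy of the `P11M set -> set PKCS11_MODULE to P11M` block, including both `tmux set-environment P11M` calls, so the same assignment now has to be maintained in two places. Moving that block into a small helper called from both branches would leave the two branches differing only in the local side's `whereis` fallback, which itself runs the `whereis … | awk` pipeline three times where one assignment reused in the test and the export would do. The outer test only works because `${SSH_TTY:+x}` expands to `x` or nothing; `if [ -n "${SSH_TTY:+x}" ]; then` states the intent and is safe to quote. Because the value later ends up in `ssh-add -s`, which loads it as a shared object, and the comment says P11M arrives with the ssh session, checking `[ -f "$P11M" ]` before adopting it would reject a stale or mistyped path in the prompt hook rather than at the agent. _pkcs11module_hook continues outside the hunk.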