simplify token with ssh-agent-start-or-restart

This commit is contained in:
Jakobus Schürz 2020-09-22 12:13:19 +02:00
parent feacd69ce1
commit 20ad665142
2 changed files with 115 additions and 86 deletions


@ -2,9 +2,10 @@
loadonly=false loadonly=false
tokenonly=false tokenonly=false
reloadtoken=false
while :; do while :; do
case $1 in case $1 in
-l|--load-only-agent) -l|--load-only)
loadonly=true loadonly=true
shift shift
;; ;;
@ -12,8 +13,12 @@ while :; do
tokenonly=true tokenonly=true
shift shift
;; ;;
-r|-f|--reload-token)
reloadtoken=true
shift
;;
*) *)
ssh_identity=$1 ssh_identity=${1-$SSH_DEFAULT_IDENTITY}
break break
;; ;;
esac esac
@ -23,9 +28,11 @@ SCRIPTENTRY
[ -z "${SSH_IDENTITIES_DIR+x}" ] && { SSH_IDENTITIES_DIR="${SSH_IDENTITIES_DEFAULT_DIR-${HOME}/.ssh/identities}"; export SSH_IDENTITIES_DIR; } [ -z "${SSH_IDENTITIES_DIR+x}" ] && { SSH_IDENTITIES_DIR="${SSH_IDENTITIES_DEFAULT_DIR-${HOME}/.ssh/identities}"; export SSH_IDENTITIES_DIR; }
[ -z "${SSH_AGENTS_DIR+x}" ] && { SSH_AGENTS_DIR=${SSH_AGENTS_DEFAULT_DIR-~/.ssh/agents}; export SSH_AGENTS_DIR; } [ -z "${SSH_AGENTS_DIR+x}" ] && { SSH_AGENTS_DIR=${SSH_AGENTS_DEFAULT_DIR-~/.ssh/agents}; export SSH_AGENTS_DIR; }
[ -z "${SSH_AGENT_SOCKETS_DIR+x}" ] && { SSH_AGENT_SOCKETS_DIR=${SSH_AGENT_SOCKETS_DEFAULT_DIR-~/.ssh/agents}; export SSH_AGENT_SOCKETS_DIR; } [ -z "${SSH_AGENT_SOCKETS_DIR+x}" ] && { SSH_AGENT_SOCKETS_DIR=${SSH_AGENT_SOCKETS_DEFAULT_DIR-~/.ssh/agents}; export SSH_AGENT_SOCKETS_DIR; }
[ -z "${SSH_AGENT_OPTIONS+x}" ] && { SSH_AGENT_OPTIONS=${SSH_AGENT_DEFAULT_OPTIONS-'-t 7200'}; export SSH_AGENT_OPTIONS; }
logdebug "SSH_AGENTS_DIR: $SSH_AGENTS_DIR" >&2 logdebug "SSH_AGENTS_DIR: $SSH_AGENTS_DIR" >&2
logdebug "SSH_AGENT_SOCKETS_DIR: $SSH_AGENT_SOCKETS_DIR" >&2 logdebug "SSH_AGENT_SOCKETS_DIR: $SSH_AGENT_SOCKETS_DIR" >&2
logdebug "SSH_IDENTITIES_DIR: $SSH_IDENTITIES_DIR" >&2 logdebug "SSH_IDENTITIES_DIR: $SSH_IDENTITIES_DIR" >&2
logdebug "ssh-identität: $ssh_identity" >&2
[ -z "${SSH_AGENTS_DIR-x}" ] || mkdir -vp "$SSH_AGENTS_DIR" [ -z "${SSH_AGENTS_DIR-x}" ] || mkdir -vp "$SSH_AGENTS_DIR"
[ -z "${SSH_AGENT_SOCKETS_DIR-x}" ] || mkdir -vp "$SSH_AGENT_SOCKETS_DIR" [ -z "${SSH_AGENT_SOCKETS_DIR-x}" ] || mkdir -vp "$SSH_AGENT_SOCKETS_DIR"
[ -z "${SSH_IDENTITIES_DIR-x}" ] || mkdir -vp "$SSH_IDENTITIES_DIR" [ -z "${SSH_IDENTITIES_DIR-x}" ] || mkdir -vp "$SSH_IDENTITIES_DIR"
@ -36,51 +43,62 @@ agent-start-or-restart () {
local ssh_identity local ssh_identity
local agentfile local agentfile
local agentsocket local agentsocket
local ret
if [ -n "${1+x}" ]; then if [ -n "${1+x}" ]; then
ssh_identity="$1" ssh_identity="$1"
agentfile="${SSH_AGENTS_DIR}/agent-${ssh_identity}-$(hostname)" identitydir=${SSH_IDENTITIES_DIR}/${ssh_identity}
agentsocket="${SSH_AGENT_SOCKETS_DIR}/socket-${ssh_identity}-$(hostname)" if [ -d ${identitydir} ]; then
logdebug "agentfile: $agentfile" >&2 [ -e "${identitydir}/config" ] && . "${identitydir}/config"
logdebug "agentsocket: $agentsocket" >&2 agentfile="${SSH_AGENTS_DIR}/agent-${ssh_identity}-$(hostname)"
logdebug "ssh-identität: $ssh_identity" >&2 agentsocket="${SSH_AGENT_SOCKETS_DIR}/socket-${ssh_identity}-$(hostname)"
if [ -e $agentfile ]; then logdebug "agentfile: $agentfile" >&2
logdebug "agentsocket: $agentsocket" >&2
logdebug "SSH_AGENT_OPTIONS: $SSH_AGENT_OPTIONS"
if [ -e $agentfile ]; then
local msg="$(/bin/sh -c "unset SSH_AUTH_SOCK SSH_AGENT_PID; . $agentfile >/dev/null 2>&1; ssh-add -l")" local msg
local ret=$? msg="$(/bin/sh -c "unset SSH_AUTH_SOCK SSH_AGENT_PID; . $agentfile >/dev/null 2>&1; ssh-add -l")"
logdebug "$msg" local ret=$?
case $ret in logtrace "$msg"
0) case $ret in
loginfo "agent is running" >&2 0)
;; loginfo "agent is running" >&2
1) ;;
logwarn "command failed on ssh-agent" 1)
;; logwarn "command failed on ssh-agent"
2) ;;
loginfo "former agent is not running" >&2 2)
[ -e $agentsocket ] && { logdebug -n "remove socketfile: $( rm -v "$agentsocket" )"; } loginfo "former agent is not running" >&2
logdebug "$(ssh-agent -a $agentsocket $SSH_AGENT_OPTIONS > $agentfile )" [ -e $agentsocket ] && { logdebug -n "remove socketfile: $( rm -v "$agentsocket" )"; }
loginfo "agent started" >&2 logdebug "$(ssh-agent -a $agentsocket $SSH_AGENT_OPTIONS > $agentfile )"
;; loginfo "agent started" >&2
esac ;;
esac
else
loginfo "agent did not exist" >&2
#rm "$agentsocket"
logdebug "ssh-agent -a $agentsocket \> $agentfile"
logdebug "$(ssh-agent -a $agentsocket $SSH_AGENT_OPTIONS > $agentfile )"
loginfo "agent started" >&2
fi
logdebug "agent for $ssh_identity: $agentfile"
$logonly && logdebug "current loaded keys: $(ssh-runinagent $agentfile ssh-add -l)"
echo $agentfile
ret=0
else else
loginfo "agent did not exist" >&2 logwarn "ssh-identity $ssh_identity is not configured. Please create $identitydir and add keys"
#rm "$agentsocket" ret=2
logdebug "ssh-agent -a $agentsocket \> $agentfile"
logdebug "$(ssh-agent -a $agentsocket $SSH_AGENT_OPTIONS > $agentfile )"
loginfo "agent started" >&2
fi fi
logdebug "agent for $ssh_identity: $agentfile"
echo $agentfile
return 0
else else
logwarn "no identity given - exit" >&2 logwarn "no identity given - exit" >&2
return 1 ret=1
fi fi
EXIT EXIT
return $ret
} }
@ -98,41 +116,50 @@ agent-load-identity-keys () {
if [ -n "${1+x}" ]; then if [ -n "${1+x}" ]; then
ssh_identity="$1" ssh_identity="$1"
identitydir=${SSH_IDENTITIES_DIR}/${ssh_identity} identitydir=${SSH_IDENTITIES_DIR}/${ssh_identity}
[ -e "${identitydir}/config" ] && . "${identitydir}/config" if [ -d ${identitydir} ]; then
agentfile="${SSH_AGENTS_DIR}/agent-${ssh_identity}-$(hostname)" [ -e "${identitydir}/config" ] && . "${identitydir}/config"
agentsocket="${SSH_AGENT_SOCKETS_DIR}/socket-${ssh_identity}-$(hostname)" agentfile="${SSH_AGENTS_DIR}/agent-${ssh_identity}-$(hostname)"
loginfo "ssh-identität: $ssh_identity" >&2 agentsocket="${SSH_AGENT_SOCKETS_DIR}/socket-${ssh_identity}-$(hostname)"
loginfo "SSH_ADD_OPTIONS: $SSH_ADD_OPTIONS" loginfo "ssh-identität: $ssh_identity" >&2
logdebug "agentfile: $agentfile" >&2 loginfo "SSH_ADD_OPTIONS: $SSH_ADD_OPTIONS"
logdebug "agentsocket: $agentsocket" >&2 logdebug "agentfile: $agentfile" >&2
logdebug "identitydir: $identitydir" logdebug "agentsocket: $agentsocket" >&2
logdebug "identitydir: $identitydir"
fingerprints=( $(ssh-runinagent $agentfile "ssh-add -l|awk '{print \$2}'") ) fingerprints=( $(ssh-runinagent $agentfile "ssh-add -l|awk '{print \$2}'") )
if ! $tokenonly ; then if ! $tokenonly ; then
for key in $(ls ${SSH_IDENTITIES_DIR}/${ssh_identity}/id_*|grep -v "pub$\|so$\|config$\|public$"); do for key in $(ls ${SSH_IDENTITIES_DIR}/${ssh_identity}/id_*|grep -v "pub$\|so$\|config$\|public$"); do
logdebug "key: $key" logdebug "key: $key"
fingerprint=$(ssh-keygen -l -f ~/.ssh/identities/bmi/id_ed25519|awk '{print $2}') fingerprint=$(ssh-keygen -l -f ~/.ssh/identities/bmi/id_ed25519|awk '{print $2}')
logtrace "${fingerprints[*]} and $fingerprint" logtrace "${fingerprints[*]} and $fingerprint"
if [[ ${fingerprints[*]} =~ "$fingerprint" ]]; then if [[ ${fingerprints[*]} =~ "$fingerprint" ]]; then
logdebug "$key is loaded" >&2 logdebug "$key is loaded" >&2
else
logdebug "$key is not loaded" >&2
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} ${key})"
fi
done
fi
for token in $(ls ${SSH_IDENTITIES_DIR}/${ssh_identity}/*|grep "\.so$"); do
logdebug "token: $token"
tokenfingerprint="$(ssh-keygen -l -D $token|tr -s ' '|awk '{print $2}')"
logtrace "${fingerprints[*]} and $tokenfingerprint"
if [[ ${fingerprints[*]} =~ "$tokenfingerprint" ]]; then
logdebug "$token is loaded" >&2
if $reloadtoken; then
logdebug "reload token $token" >&2
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -e ${token})"
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -s ${token})"
fi
else else
logdebug "$key is not loaded" >&2 logdebug "$token is not loaded" >&2
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} ${key})" loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -s ${token})"
fi fi
done done
logdebug "current loaded keys: $(ssh-runinagent $agentfile ssh-add -l)"
else
logwarn "ssh-identity $ssh_identity is not configured. Please create $identitydir and add keys"
fi fi
for token in $(ls ${SSH_IDENTITIES_DIR}/${ssh_identity}/*|grep "\.so$"); do
logdebug "token: $token"
tokenfingerprint="$(ssh-keygen -l -D $token|tr -s ' '|awk '{print $2}')"
logtrace "${fingerprints[*]} and $tokenfingerprint"
if [[ ${fingerprints[*]} =~ "$tokenfingerprint" ]]; then
logdebug "$token is loaded" >&2
else
logdebug "$token is not loaded" >&2
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -s ${token})"
fi
done
logdebug "current loaded keys: $(ssh-runinagent $agentfile ssh-add -l)"
fi fi
EXIT EXIT
} }
@ -143,21 +170,21 @@ ssh-runinagent () {
local agentfile local agentfile
local command local command
agentfile=${1} local agentfile=${1}
shift shift
sshcommand=${@} local sshcommand=${@}
logdebug "run command »$sshcommand« in agent $agentfile" >&2 logtrace "run command »$sshcommand« in agent $agentfile" >&2
if [ -e "$agentfile" ]; then if [ -e "$agentfile" ]; then
/bin/sh -c "unset SSH_AUTH_SOCK SSH_AGENT_PID; . $agentfile >/dev/null 2>/dev/null; $sshcommand" /bin/sh -c "unset SSH_AUTH_SOCK SSH_AGENT_PID; . $agentfile >/dev/null 2>/dev/null; $sshcommand"
EXIT ret=$?
return $?
else else
logwarn "agentfile not existent" >&2 logwarn "agentfile not existent" >&2
EXIT ret=99
return 1
fi fi
EXIT
return $ret
} }
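Review bot: In the agent-start-or-restart hunk the new line `$logonly && logdebug "current loaded keys: $(ssh-runinagent $agentfile ssh-add -l)"` tests a variable that is never assigned — the flag parsed at the top of the script is `loadonly` — so the expansion is empty, the null command succeeds, and the ssh-add listing runs on every call (under `set -u` the line would abort instead); it should read `$loadonly && logdebug "current loaded keys: $(ssh-runinagent "$agentfile" ssh-add -l)"`. The new `[ -d ${identitydir} ]` guard and the retained `[ -e $agentfile ]` leave paths built from the caller-supplied identity name and `SSH_IDENTITIES_DIR` unquoted; write them as `[ -d "$identitydir" ]` and `[ -e "$agentfile" ]`. Since `. "${identitydir}/config"` now executes that file as shell before the agent and socket paths are derived, anything that can write into the identity directory can run code in this script, so a comment such as `# config is sourced as shell: treat ~/.ssh/identities/<id>/ as trusted, keep it 0700` (or an explicit ownership/mode check) belongs next to it. The function's opening line `agent-start-or-restart () {` lies outside the hunk.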


@ -751,8 +751,12 @@ utoken () {
} }
token(){ token(){
ssh-agent-start-or-restart -t $1 # Usage:
# token <identity> will load token in agent. does nothing, if token is already loaded
# token -r|-f|--reload-token <identity> will remove token from agent and add it again (if plugged off and plugged in again
ssh-agent-start-or-restart -t $1 $2
} }
tokenold () { tokenold () {
ENTRY ENTRY
@ -829,14 +833,6 @@ token-extract-pubkey() {
echo "Please insert token. Exit" echo "Please insert token. Exit"
return 1 return 1
fi fi
# case $1 in
# --id|-d|--label|-a)
# ssh-keygen -i -m pkcs8 -f <(pkcs11-tool --module $PKCS11_MODULE -r --type pubkey $1 $2 |openssl rsa -pubin -inform DER )
# ;;
# --login|-l)
# ssh-keygen -i -m pkcs8 -f <(pkcs11-tool --module $PKCS11_MODULE --login -r --type pubkey $1 $2 |openssl rsa -pubin -inform DER )
# ;;
# esac
} }
token-list-objects() { token-list-objects() {
@ -854,7 +850,7 @@ token-list-objects() {
loadagent() { loadagent() {
ENTRY ENTRY
local af local af
af=$(ssh-agent-start-or-restart $1 2>/dev/null) af=$(ssh-agent-start-or-restart --load-only $1 )
loginfo "Load agent from $af" loginfo "Load agent from $af"
# eval $(<$af) # eval $(<$af)
. $af . $af
@ -863,20 +859,26 @@ loadagent() {
ssh-runinagent () { ssh-runinagent () {
ENTRY
local agentfile local agentfile
local command local command
agentfile=${1} local agentfile=${1}
shift shift
sshcommand=${@} local sshcommand=${@}
logtrace "run command »$sshcommand« in agent $agentfile" >&2 logtrace "run command »$sshcommand« in agent $agentfile" >&2
if [ -e "$agentfile" ]; then if [ -e "$agentfile" ]; then
/bin/sh -c "unset SSH_AUTH_SOCK SSH_AGENT_PID; . $agentfile >/dev/null 2>/dev/null; $sshcommand" /bin/sh -c "unset SSH_AUTH_SOCK SSH_AGENT_PID; . $agentfile >/dev/null 2>/dev/null; $sshcommand"
return $? ret=$?
else else
logwarn "agentfile not existent" >&2 logwarn "agentfile not existent" >&2
return 1 ret=99
fi fi
EXIT
return $ret
} }
setloglevel () { setloglevel () {