add functionality for removing token/keys

This commit is contained in:
Jakobus Schürz 2020-09-22 20:35:47 +02:00
parent b9170167a8
commit 599cc2ecf9

View file

@ -3,7 +3,7 @@
usage(){
cat << EOF
Usage: ssh-agent-start-or-restart [[-c]|[--create-only]]|[[-t]|[--token-only]]|[[-k]|[--key-only]]|[[-r]|[-f]|[--reload]|[--force]] [<ssh-identity>]
Usage: ssh-agent-start-or-restart [[-c]|[--create-only]]|[[-t]|[--token-only]]|[[-k]|[--key-only]]|[[-r]|[-f]|[--readd]|[--force]] [<ssh-identity>]
If started only with <ssh-identity>, the script looks up in configured identity-path \$SSH_IDENTITIES_DIR (${SSH_IDENTITIES_DIR}) if it can find a directory named after <ssh-identity>.
If no <ssh_identity> is given, the identity is set to \$SSH_DEFAULT_IDENTITY ($SSH_DEFAULT_IDENTITY) configured via Environment.
@ -21,13 +21,14 @@ usage(){
just use this.
-k|--key-only To add or renew only configured keys configured in
${SSH_IDENTITIES_DIR}/<ssh-identity>, just use this.
-r|-f|--reload-token|--force remove all in ${SSH_IDENTITIES_DIR}/<ssh-identity>
-r|-f|--readd-token|--force remove all in ${SSH_IDENTITIES_DIR}/<ssh-identity>
configured keys and tokens and readd them again.
Depends on -t an -k Option to select wheter only
keys or tokens only. If no -t and -k is given, all
keys and token are removed and readded again.
Just to be asked for password again, if you plugged off
hardware-token and plugged it in again.
--rm|--remove remove keys and token instead of adding them.
-h|--info Show this info
@ -37,8 +38,9 @@ EOF
createonly=false
tokenonly=false
reload=false
readd=false
keyonly=false
remove=false
while :; do
case $1 in
-c|--create-only)
@ -53,8 +55,12 @@ while :; do
keyonly=true
shift
;;
-r|-f|--reload-token|--force)
reload=true
-r|-f|--readd-token|--force)
readd=true
shift
;;
--rm|--remove)
remove=true
shift
;;
-h|--info)
@ -104,10 +110,16 @@ agent-start-or-restart () {
logdebug "agentfile: $agentfile" >&2
logdebug "agentsocket: $agentsocket" >&2
logdebug "SSH_AGENT_OPTIONS: $SSH_AGENT_OPTIONS"
if (! $keyonly && ! $tokenonly ) && $remove ; then
loginfo "delete keys and tokens in ssh-agent"
loginfo "$(ssh-runinagent $agentfile ssh-add -D 2>&1)"
createonly=true
else
if [ -e $agentfile ]; then
local msg
msg="$(/bin/sh -c "unset SSH_AUTH_SOCK SSH_AGENT_PID; . $agentfile >/dev/null 2>&1; ssh-add -l")"
msg="$(/bin/sh -c "unset SSH_AUTH_SOCK SSH_AGENT_PID; . $agentfile >/dev/null 2>&1; ssh-add -l 2>&1")"
local ret=$?
logtrace "$msg"
case $ret in
@ -134,6 +146,7 @@ agent-start-or-restart () {
logdebug "$(ssh-agent -a $agentsocket $SSH_AGENT_OPTIONS > $agentfile )"
loginfo "agent started" >&2
fi
fi
logdebug "agent for $ssh_identity: $agentfile"
$createonly && logdebug "current loaded keys: $(ssh-runinagent $agentfile ssh-add -l)"
@ -179,6 +192,13 @@ agent-load-identity-keys () {
logdebug "identitydir: $identitydir"
fingerprints=( $(ssh-runinagent $agentfile "ssh-add -l|awk '{print \$2}'") )
# if $remove; then
# if [ ! $keyonly -a ! $tokenonly ] ; then
# loginfo "Remove all keys and token"
# /bin/sh -c "unset SSH_AUTH_SOCK SSH_AGENT_PID; . $agentfile >/dev/null 2>&1; ssh-add -D 2>&1"
# fi
# fi
#
if ! $tokenonly ; then
for key in $(ls ${SSH_IDENTITIES_DIR}/${ssh_identity}/id_*|grep -v "pub$\|so$\|config$\|public$"); do
logdebug "key: $key"
@ -186,14 +206,16 @@ agent-load-identity-keys () {
logtrace "${fingerprints[*]} and $fingerprint"
if [[ ${fingerprints[*]} =~ "$fingerprint" ]]; then
logdebug "$key is loaded" >&2
if $reload; then
logwarn "reload key $key" >&2
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -d ${key})"
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} ${key})"
if [ $readd -o $remove ]; then
$readd && logwarn "readd key $key" >&2
$remove && logwarn "remove key $key" >&2
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -d ${key} 2>&1)"
$remove || loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} ${key} 2>&1)"
fi
else
logwarn "$key is not loaded -> load it" >&2
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} ${key})"
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -d ${key} 2>&1)"
$remove || loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} ${key} 2>&1)"
fi
done
fi
@ -204,14 +226,17 @@ agent-load-identity-keys () {
logtrace "${fingerprints[*]} and $tokenfingerprint"
if [[ ${fingerprints[*]} =~ "$tokenfingerprint" ]]; then
logdebug "$token is loaded" >&2
if $reload; then
logwarn "reload token $token" >&2
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -e ${token})"
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -s ${token})"
if [ $readd -o $remove ]; then
$readd && logwarn "readd token $token" >&2
$remove && logwarn "remove token $token" >&2
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -e ${token} 2>&1)"
$remove || loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -s ${token} 2>&1)"
fi
$remove loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -e ${token} 2>&1)"
else
logwarn "$token is not loaded -> load it" >&2
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -s ${token})"
loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -e ${token} 2>&1)"
$remove || loginfo "$(ssh-runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -s ${token} 2>&1)"
fi
done
fi