diff --git a/bin/startagent b/bin/startagent index 0cebec5..1f9e230 100755 --- a/bin/startagent +++ b/bin/startagent @@ -42,46 +42,63 @@ EOF } check_token(){ - loginfo "a P11M: ${P11M}" - loginfo "a PKCS11_MODULE: ${PKCS11_MODULE}" - - [ -n "${P11M:+x}" ] && export PKCS11_MODULE=${P11M} - loginfo "b P11M: ${P11M}" - loginfo "b PKCS11_MODULE: ${PKCS11_MODULE}" - # it's the same as "token" in functions.sh - # defined here also, to work also in environments, where functions.sh couldn't be sourced - [ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; } - - loginfo "c P11M: ${P11M}" - loginfo "c PKCS11_MODULE: ${PKCS11_MODULE}" - # If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work - # So remember and unset DISPLAY, and set it at the end again, if it was set before - [ $DISPLAY ] && local DISPLAY_ORIG=$DISPLAY - [ $DISPLAY ] && logtrace "unset DISPLAY: $DISPLAY" - [ $DISPLAY ] && unset DISPLAY - - # Write public keys of all in agent stored keys to a temporary file - local tmppubkey="$(mktemp -p ${XDG_RUNTIME_DIR} pubkey.XXXXXX.pub)" - logtrace "tmppubkey: $tmppubkey" - logdebug "C" - tmpIFS="${IFS}" - IFS=$'\n' - for tmppk in $(ssh-add -L) - do - printf "%s" "$tmppk" |tee "${tmppubkey}" || return $? - #echo "${tmppk}" > $tmppubkey || return $? - #ssh-add -L > $tmppubkey || return $? - # Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token. - loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )" - logdebug "$(ssh-add -l )" - done - logdebug "$(rm "${tmppubkey}")" - IFS=$tmpIFS - unset tmpIFS - [ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG" - [ $DISPLAY_ORIG ] && export DISPLAY=$DISPLAY_ORIG - + if [ -e ~/.ssh/ssh_from_remote_auth_sock ] + then + logdebug "~/.ssh/ssh_from_remote_auth_sock is link" + . ~/.ssh/p11m + local agentfile="${SSH_AGENTS_DIR}/agent-${ssh_identity}-$(hostname)" + cat << EOF > $agentfile +SSH_AUTH_SOCK=~/.ssh/ssh_from_remote_auth_sock; export SSH_AUTH_SOCK +PKCS11_MODULE=${P11M}; export PKCS11_MODULE +EOF + # echo $agentfile + loginfo "$(cat $agentfile)" + return 0 + else + logdebug "~/.ssh/ssh_from_remote_auth_sock is broken" + return 1 + fi } +# loginfo "a P11M: ${P11M}" +# loginfo "a PKCS11_MODULE: ${PKCS11_MODULE}" +# +# [ -n "${P11M:+x}" ] && export PKCS11_MODULE=${P11M} +# loginfo "b P11M: ${P11M}" +# loginfo "b PKCS11_MODULE: ${PKCS11_MODULE}" +# # it's the same as "token" in functions.sh +# # defined here also, to work also in environments, where functions.sh couldn't be sourced +# [ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; } +# +# loginfo "c P11M: ${P11M}" +# loginfo "c PKCS11_MODULE: ${PKCS11_MODULE}" +# # If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work +# # So remember and unset DISPLAY, and set it at the end again, if it was set before +# [ $DISPLAY ] && local DISPLAY_ORIG=$DISPLAY +# [ $DISPLAY ] && logtrace "unset DISPLAY: $DISPLAY" +# [ $DISPLAY ] && unset DISPLAY +# +# # Write public keys of all in agent stored keys to a temporary file +# local tmppubkey="$(mktemp -p ${XDG_RUNTIME_DIR} pubkey.XXXXXX.pub)" +# logtrace "tmppubkey: $tmppubkey" +# logdebug "C" +# tmpIFS="${IFS}" +# IFS=$'\n' +# for tmppk in $(ssh-add -L) +# do +# printf "%s" "$tmppk" |tee "${tmppubkey}" || return $? +# #echo "${tmppk}" > $tmppubkey || return $? +# #ssh-add -L > $tmppubkey || return $? +# # Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token. +# loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )" +# logdebug "$(ssh-add -l )" +# done +# logdebug "$(rm "${tmppubkey}")" +# IFS=$tmpIFS +# unset tmpIFS +# [ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG" +# [ $DISPLAY_ORIG ] && export DISPLAY=$DISPLAY_ORIG +# +#} createonly=false tokenonly=false @@ -303,13 +320,14 @@ agent_load_identity_keys () { for key in $(ls ${SSH_IDENTITIES_DIR}/${ssh_identity}/*|grep "\.so$"); do logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key" - #[ -e "${P11M-x}" ] || [ "$(readlink - f $key)" == "$P11M" ] || key="$P11M" - #[ "$(readlink - f $key)" == "$P11M" ] || key="$P11M" - [ "$(readlink -f $key)" != "$PKCS11_MODULE" -a "${PKCS11_MODULE:-x}" != "x" ] && key="$PKCS11_MODULE" - export PKCS11_MODULE=$(readlink -f $key) - export P11M=$PKCS11_MODULE + if [ "$(readlink -f $key)" != "$PKCS11_MODULE" -a "${PKCS11_MODULE:-x}" != "x" ] + then + key="$PKCS11_MODULE" + else + export PKCS11_MODULE=$(readlink -f $key) + fi logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key" - grep -q "PKCS11_MODULE" "${agentfile}" >/dev/null 2>&1 && sed -i -e '/PKCS11_MODULE/d' "${agentfile}" + grep -q "PKCS11_MODULE" "${agentfile}" >/dev/null 2>&1 && { sed -i -e '/PKCS11_MODULE/d' "${agentfile}"; key=$PKCS11_MODULE; } printf "%s\n" "PKCS11_MODULE=$(readlink -f $key)" | tee -a "${agentfile}" >&2 tokenfingerprints=($(ssh-keygen -l -D $key|tr -s ' '|awk '{print $2}')) @@ -409,13 +427,23 @@ logtrace " SSH_IDENTITIES_DIR: $SSH_IDENTITIES_DIR" if [[ $SSH_TTY || $X2GO_SESSION ]] ; then logdebug "Shell running with forwarded ssh-agent. Please add local token manually" check_token - res=1 + res=2 else logdebug "run with local ssh-agent" - agent_start_or_restart $ssh_identity - ! $createonly && agent_load_identity_keys $ssh_identity - res=0 + check_token + if [ $? -eq 0 ] + then + loginfo "run with remote agent" + printf "%s" "${SSH_AGENTS_DIR}/agent-${ssh_identity}-$(hostname)" + #! $createonly && agent_load_identity_keys $ssh_identity + res=1 + else + agent_start_or_restart $ssh_identity + ! $createonly && agent_load_identity_keys $ssh_identity + res=0 + fi fi SCRIPTEXIT +loginfo "return with $res" exit $res