From e0adff87b85e93c32cb301a408b0e76603807cc0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakobus=20Sch=C3=BCrz?=
Date: Thu, 6 Jul 2023 19:30:28 +0200
Subject: [PATCH] make agent/token available also from remotelogin
---
 bin/startagent | 126 ++++++++++++++++++++++++++++++-------------------
 1 file changed, 77 insertions(+), 49 deletions(-)
diff --git a/bin/startagent b/bin/startagent
index 0cebec5..1f9e230 100755
--- a/bin/startagent
+++ b/bin/startagent
@@ -42,46 +42,63 @@ EOF } check_token(){ - loginfo "a P11M: ${P11M}" - loginfo "a PKCS11_MODULE: ${PKCS11_MODULE}" - - [ -n "${P11M:+x}" ] && export PKCS11_MODULE=${P11M} - loginfo "b P11M: ${P11M}" - loginfo "b PKCS11_MODULE: ${PKCS11_MODULE}" - # it's the same as "token" in functions.sh - # defined here also, to work also in environments, where functions.sh couldn't be sourced - [ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; } - - loginfo "c P11M: ${P11M}" - loginfo "c PKCS11_MODULE: ${PKCS11_MODULE}" - # If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work - # So remember and unset DISPLAY, and set it at the end again, if it was set before - [ $DISPLAY ] && local DISPLAY_ORIG=$DISPLAY - [ $DISPLAY ] && logtrace "unset DISPLAY: $DISPLAY" - [ $DISPLAY ] && unset DISPLAY - - # Write public keys of all in agent stored keys to a temporary file - local tmppubkey="$(mktemp -p ${XDG_RUNTIME_DIR} pubkey.XXXXXX.pub)" - logtrace "tmppubkey: $tmppubkey" - logdebug "C" - tmpIFS="${IFS}" - IFS=$'\n' - for tmppk in $(ssh-add -L) - do - printf "%s" "$tmppk" |tee "${tmppubkey}" || return $? - #echo "${tmppk}" > $tmppubkey || return $? - #ssh-add -L > $tmppubkey || return $? - # Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token. - loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )" - logdebug "$(ssh-add -l )" - done - logdebug "$(rm "${tmppubkey}")" - IFS=$tmpIFS - unset tmpIFS - [ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG" - [ $DISPLAY_ORIG ] && export DISPLAY=$DISPLAY_ORIG - + if [ -e ~/.ssh/ssh_from_remote_auth_sock ] + then + logdebug "~/.ssh/ssh_from_remote_auth_sock is link" + . 
~/.ssh/p11m + local agentfile="${SSH_AGENTS_DIR}/agent-${ssh_identity}-$(hostname)" + cat << EOF > $agentfile +SSH_AUTH_SOCK=~/.ssh/ssh_from_remote_auth_sock; export SSH_AUTH_SOCK +PKCS11_MODULE=${P11M}; export PKCS11_MODULE +EOF + # echo $agentfile + loginfo "$(cat $agentfile)" + return 0 + else + logdebug "~/.ssh/ssh_from_remote_auth_sock is broken" + return 1 + fi } +# loginfo "a P11M: ${P11M}" +# loginfo "a PKCS11_MODULE: ${PKCS11_MODULE}" +# +# [ -n "${P11M:+x}" ] && export PKCS11_MODULE=${P11M} +# loginfo "b P11M: ${P11M}" +# loginfo "b PKCS11_MODULE: ${PKCS11_MODULE}" +# # it's the same as "token" in functions.sh +# # defined here also, to work also in environments, where functions.sh couldn't be sourced +# [ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; } +# +# loginfo "c P11M: ${P11M}" +# loginfo "c PKCS11_MODULE: ${PKCS11_MODULE}" +# # If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work +# # So remember and unset DISPLAY, and set it at the end again, if it was set before +# [ $DISPLAY ] && local DISPLAY_ORIG=$DISPLAY +# [ $DISPLAY ] && logtrace "unset DISPLAY: $DISPLAY" +# [ $DISPLAY ] && unset DISPLAY +# +# # Write public keys of all in agent stored keys to a temporary file +# local tmppubkey="$(mktemp -p ${XDG_RUNTIME_DIR} pubkey.XXXXXX.pub)" +# logtrace "tmppubkey: $tmppubkey" +# logdebug "C" +# tmpIFS="${IFS}" +# IFS=$'\n' +# for tmppk in $(ssh-add -L) +# do +# printf "%s" "$tmppk" |tee "${tmppubkey}" || return $? +# #echo "${tmppk}" > $tmppubkey || return $? +# #ssh-add -L > $tmppubkey || return $? +# # Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token. 
+# loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )" +# logdebug "$(ssh-add -l )" +# done +# logdebug "$(rm "${tmppubkey}")" +# IFS=$tmpIFS +# unset tmpIFS +# [ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG" +# [ $DISPLAY_ORIG ] && export DISPLAY=$DISPLAY_ORIG +# +#} createonly=false tokenonly=false @@ -303,13 +320,14 @@ agent_load_identity_keys () { for key in $(ls ${SSH_IDENTITIES_DIR}/${ssh_identity}/*|grep "\.so$"); do logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key" - #[ -e "${P11M-x}" ] || [ "$(readlink - f $key)" == "$P11M" ] || key="$P11M" - #[ "$(readlink - f $key)" == "$P11M" ] || key="$P11M" - [ "$(readlink -f $key)" != "$PKCS11_MODULE" -a "${PKCS11_MODULE:-x}" != "x" ] && key="$PKCS11_MODULE" - export PKCS11_MODULE=$(readlink -f $key) - export P11M=$PKCS11_MODULE + if [ "$(readlink -f $key)" != "$PKCS11_MODULE" -a "${PKCS11_MODULE:-x}" != "x" ] + then + key="$PKCS11_MODULE" + else + export PKCS11_MODULE=$(readlink -f $key) + fi logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key" - grep -q "PKCS11_MODULE" "${agentfile}" >/dev/null 2>&1 && sed -i -e '/PKCS11_MODULE/d' "${agentfile}" + grep -q "PKCS11_MODULE" "${agentfile}" >/dev/null 2>&1 && { sed -i -e '/PKCS11_MODULE/d' "${agentfile}"; key=$PKCS11_MODULE; } printf "%s\n" "PKCS11_MODULE=$(readlink -f $key)" | tee -a "${agentfile}" >&2 tokenfingerprints=($(ssh-keygen -l -D $key|tr -s ' '|awk '{print $2}')) 
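Review bot: The new check_token only tests `[ -e ~/.ssh/ssh_from_remote_auth_sock ]`, which passes for any existing path (a regular file, or a socket whose agent exited long ago), so the agent file can be written pointing at something no ssh client can use; `[ -S ~/.ssh/ssh_from_remote_auth_sock ]` at least confirms it is a socket, and an `SSH_AUTH_SOCK=~/.ssh/ssh_from_remote_auth_sock ssh-add -l >/dev/null 2>&1` probe would confirm an agent is actually listening. Right after that, `. ~/.ssh/p11m` executes that file as shell code without checking that it exists — if it is absent the sourcing fails noisily and P11M stays unset, so the heredoc emits `PKCS11_MODULE=; export PKCS11_MODULE`; guard it with `[ -r ~/.ssh/p11m ] && . ~/.ssh/p11m` and skip the PKCS11_MODULE line when P11M is empty. The heredoc also writes `SSH_AUTH_SOCK=~/.ssh/...` with a literal tilde (heredocs do not tilde-expand), which only works if the agent file is later sourced by a shell; `SSH_AUTH_SOCK=${HOME}/.ssh/ssh_from_remote_auth_sock` works for any reader. Finally, the previous implementation is left in as ~50 `+#` commented-out lines instead of being deleted; git history keeps them, and the dead block hides the fact that the token re-attach logic (`ssh-add -e`/`ssh-add -s` after a failed `ssh-add -T`) is no longer performed anywhere in this function.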
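Review bot: The new `if` branch lets an already-set PKCS11_MODULE win over the `.so` found under ${SSH_IDENTITIES_DIR}/${ssh_identity} without checking that the path it names exists, and that value is what `ssh-keygen -l -D $key` loads two lines later and what gets appended to the agent file, so a stale or mistyped inherited value (the first hunk writes PKCS11_MODULE into the agent file from ~/.ssh/p11m, which is presumably sourced back in at some point) silently replaces the module the identity directory points at. Tightening the condition to `if [ -n "${PKCS11_MODULE:-}" ] && [ -f "$PKCS11_MODULE" ] && [ "$(readlink -f -- "$key")" != "$PKCS11_MODULE" ]` keeps the override but falls through to the directory's module when the override is unusable, and drops the deprecated `-a` inside `[`. The `key=$PKCS11_MODULE` added to the `grep ... && { sed ...; }` group is redundant: both branches above already leave key and PKCS11_MODULE resolving to the same file. agent_load_identity_keys begins and ends outside this hunk.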
@@ -409,13 +427,23 @@ logtrace " SSH_IDENTITIES_DIR: $SSH_IDENTITIES_DIR"
 if [[ $SSH_TTY || $X2GO_SESSION ]] ; then
 logdebug "Shell running with forwarded ssh-agent. Please add local token manually"
 check_token
- res=1
+ res=2
 else
 logdebug "run with local ssh-agent"
- agent_start_or_restart $ssh_identity
- ! $createonly && agent_load_identity_keys $ssh_identity
- res=0
+ check_token
+ if [ $? -eq 0 ]
+ then
+ loginfo "run with remote agent"
+ printf "%s" "${SSH_AGENTS_DIR}/agent-${ssh_identity}-$(hostname)"
+ #! $createonly && agent_load_identity_keys $ssh_identity
+ res=1
+ else
+ agent_start_or_restart $ssh_identity
+ ! $createonly && agent_load_identity_keys $ssh_identity
+ res=0
+ fi
 fi
 SCRIPTEXIT
+loginfo "return with $res"
 exit $res
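Review bot: In the new local-agent branch a successful check_token ends with `res=1`, the status earlier versions used for the forwarded-agent case, so any caller that treats a non-zero exit from startagent as failure cannot tell "remote agent reused, agent-file path printed on stdout" from an error; meanwhile in the `$SSH_TTY || $X2GO_SESSION` branch check_token's status is discarded and `res=2` is set regardless of whether it succeeded. Consider documenting the three outcomes with a comment above the outer `if`, e.g. `# exit 0: local agent started; 1: remote agent reused, agent-file path on stdout; 2: forwarded agent, add token manually`, and writing the test as `if check_token; then` instead of inspecting `$?` on a separate line. Note also that on the remote-agent path `agent_load_identity_keys` is commented out, so nothing in this hunk adds the PKCS#11 module to the reused agent — if that is meant to happen elsewhere it deserves a comment at the `#!` line, otherwise the subject's "token available from remotelogin" is not yet covered. `printf "%s"` emits the path without a trailing newline; if loginfo also writes to stdout the two will run together — confirm where loginfo writes.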