make agent/token available also from remotelogin
parent
d6ba30980a
commit
e0adff87b8
1 changed files with 77 additions and 49 deletions
126
bin/startagent
126
bin/startagent
|
@ -42,46 +42,63 @@ EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
check_token(){
|
check_token(){
|
||||||
loginfo "a P11M: ${P11M}"
|
if [ -e ~/.ssh/ssh_from_remote_auth_sock ]
|
||||||
loginfo "a PKCS11_MODULE: ${PKCS11_MODULE}"
|
then
|
||||||
|
logdebug "~/.ssh/ssh_from_remote_auth_sock is link"
|
||||||
[ -n "${P11M:+x}" ] && export PKCS11_MODULE=${P11M}
|
. ~/.ssh/p11m
|
||||||
loginfo "b P11M: ${P11M}"
|
local agentfile="${SSH_AGENTS_DIR}/agent-${ssh_identity}-$(hostname)"
|
||||||
loginfo "b PKCS11_MODULE: ${PKCS11_MODULE}"
|
cat << EOF > $agentfile
|
||||||
# it's the same as "token" in functions.sh
|
SSH_AUTH_SOCK=~/.ssh/ssh_from_remote_auth_sock; export SSH_AUTH_SOCK
|
||||||
# defined here also, to work also in environments, where functions.sh couldn't be sourced
|
PKCS11_MODULE=${P11M}; export PKCS11_MODULE
|
||||||
[ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
|
EOF
|
||||||
|
# echo $agentfile
|
||||||
loginfo "c P11M: ${P11M}"
|
loginfo "$(cat $agentfile)"
|
||||||
loginfo "c PKCS11_MODULE: ${PKCS11_MODULE}"
|
return 0
|
||||||
# If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work
|
else
|
||||||
# So remember and unset DISPLAY, and set it at the end again, if it was set before
|
logdebug "~/.ssh/ssh_from_remote_auth_sock is broken"
|
||||||
[ $DISPLAY ] && local DISPLAY_ORIG=$DISPLAY
|
return 1
|
||||||
[ $DISPLAY ] && logtrace "unset DISPLAY: $DISPLAY"
|
fi
|
||||||
[ $DISPLAY ] && unset DISPLAY
|
|
||||||
|
|
||||||
# Write public keys of all in agent stored keys to a temporary file
|
|
||||||
local tmppubkey="$(mktemp -p ${XDG_RUNTIME_DIR} pubkey.XXXXXX.pub)"
|
|
||||||
logtrace "tmppubkey: $tmppubkey"
|
|
||||||
logdebug "C"
|
|
||||||
tmpIFS="${IFS}"
|
|
||||||
IFS=$'\n'
|
|
||||||
for tmppk in $(ssh-add -L)
|
|
||||||
do
|
|
||||||
printf "%s" "$tmppk" |tee "${tmppubkey}" || return $?
|
|
||||||
#echo "${tmppk}" > $tmppubkey || return $?
|
|
||||||
#ssh-add -L > $tmppubkey || return $?
|
|
||||||
# Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token.
|
|
||||||
loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )"
|
|
||||||
logdebug "$(ssh-add -l )"
|
|
||||||
done
|
|
||||||
logdebug "$(rm "${tmppubkey}")"
|
|
||||||
IFS=$tmpIFS
|
|
||||||
unset tmpIFS
|
|
||||||
[ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG"
|
|
||||||
[ $DISPLAY_ORIG ] && export DISPLAY=$DISPLAY_ORIG
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
# loginfo "a P11M: ${P11M}"
|
||||||
|
# loginfo "a PKCS11_MODULE: ${PKCS11_MODULE}"
|
||||||
|
#
|
||||||
|
# [ -n "${P11M:+x}" ] && export PKCS11_MODULE=${P11M}
|
||||||
|
# loginfo "b P11M: ${P11M}"
|
||||||
|
# loginfo "b PKCS11_MODULE: ${PKCS11_MODULE}"
|
||||||
|
# # it's the same as "token" in functions.sh
|
||||||
|
# # defined here also, to work also in environments, where functions.sh couldn't be sourced
|
||||||
|
# [ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
|
||||||
|
#
|
||||||
|
# loginfo "c P11M: ${P11M}"
|
||||||
|
# loginfo "c PKCS11_MODULE: ${PKCS11_MODULE}"
|
||||||
|
# # If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work
|
||||||
|
# # So remember and unset DISPLAY, and set it at the end again, if it was set before
|
||||||
|
# [ $DISPLAY ] && local DISPLAY_ORIG=$DISPLAY
|
||||||
|
# [ $DISPLAY ] && logtrace "unset DISPLAY: $DISPLAY"
|
||||||
|
# [ $DISPLAY ] && unset DISPLAY
|
||||||
|
#
|
||||||
|
# # Write public keys of all in agent stored keys to a temporary file
|
||||||
|
# local tmppubkey="$(mktemp -p ${XDG_RUNTIME_DIR} pubkey.XXXXXX.pub)"
|
||||||
|
# logtrace "tmppubkey: $tmppubkey"
|
||||||
|
# logdebug "C"
|
||||||
|
# tmpIFS="${IFS}"
|
||||||
|
# IFS=$'\n'
|
||||||
|
# for tmppk in $(ssh-add -L)
|
||||||
|
# do
|
||||||
|
# printf "%s" "$tmppk" |tee "${tmppubkey}" || return $?
|
||||||
|
# #echo "${tmppk}" > $tmppubkey || return $?
|
||||||
|
# #ssh-add -L > $tmppubkey || return $?
|
||||||
|
# # Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token.
|
||||||
|
# loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )"
|
||||||
|
# logdebug "$(ssh-add -l )"
|
||||||
|
# done
|
||||||
|
# logdebug "$(rm "${tmppubkey}")"
|
||||||
|
# IFS=$tmpIFS
|
||||||
|
# unset tmpIFS
|
||||||
|
# [ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG"
|
||||||
|
# [ $DISPLAY_ORIG ] && export DISPLAY=$DISPLAY_ORIG
|
||||||
|
#
|
||||||
|
#}
|
||||||
|
|
||||||
createonly=false
|
createonly=false
|
||||||
tokenonly=false
|
tokenonly=false
|
||||||
|
@ -303,13 +320,14 @@ agent_load_identity_keys () {
|
||||||
|
|
||||||
for key in $(ls ${SSH_IDENTITIES_DIR}/${ssh_identity}/*|grep "\.so$"); do
|
for key in $(ls ${SSH_IDENTITIES_DIR}/${ssh_identity}/*|grep "\.so$"); do
|
||||||
logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key"
|
logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key"
|
||||||
#[ -e "${P11M-x}" ] || [ "$(readlink - f $key)" == "$P11M" ] || key="$P11M"
|
if [ "$(readlink -f $key)" != "$PKCS11_MODULE" -a "${PKCS11_MODULE:-x}" != "x" ]
|
||||||
#[ "$(readlink - f $key)" == "$P11M" ] || key="$P11M"
|
then
|
||||||
[ "$(readlink -f $key)" != "$PKCS11_MODULE" -a "${PKCS11_MODULE:-x}" != "x" ] && key="$PKCS11_MODULE"
|
key="$PKCS11_MODULE"
|
||||||
export PKCS11_MODULE=$(readlink -f $key)
|
else
|
||||||
export P11M=$PKCS11_MODULE
|
export PKCS11_MODULE=$(readlink -f $key)
|
||||||
|
fi
|
||||||
logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key"
|
logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key"
|
||||||
grep -q "PKCS11_MODULE" "${agentfile}" >/dev/null 2>&1 && sed -i -e '/PKCS11_MODULE/d' "${agentfile}"
|
grep -q "PKCS11_MODULE" "${agentfile}" >/dev/null 2>&1 && { sed -i -e '/PKCS11_MODULE/d' "${agentfile}"; key=$PKCS11_MODULE; }
|
||||||
printf "%s\n" "PKCS11_MODULE=$(readlink -f $key)" | tee -a "${agentfile}" >&2
|
printf "%s\n" "PKCS11_MODULE=$(readlink -f $key)" | tee -a "${agentfile}" >&2
|
||||||
|
|
||||||
tokenfingerprints=($(ssh-keygen -l -D $key|tr -s ' '|awk '{print $2}'))
|
tokenfingerprints=($(ssh-keygen -l -D $key|tr -s ' '|awk '{print $2}'))
|
||||||
|
@ -409,13 +427,23 @@ logtrace " SSH_IDENTITIES_DIR: $SSH_IDENTITIES_DIR"
|
||||||
if [[ $SSH_TTY || $X2GO_SESSION ]] ; then
|
if [[ $SSH_TTY || $X2GO_SESSION ]] ; then
|
||||||
logdebug "Shell running with forwarded ssh-agent. Please add local token manually"
|
logdebug "Shell running with forwarded ssh-agent. Please add local token manually"
|
||||||
check_token
|
check_token
|
||||||
res=1
|
res=2
|
||||||
else
|
else
|
||||||
logdebug "run with local ssh-agent"
|
logdebug "run with local ssh-agent"
|
||||||
agent_start_or_restart $ssh_identity
|
check_token
|
||||||
! $createonly && agent_load_identity_keys $ssh_identity
|
if [ $? -eq 0 ]
|
||||||
res=0
|
then
|
||||||
|
loginfo "run with remote agent"
|
||||||
|
printf "%s" "${SSH_AGENTS_DIR}/agent-${ssh_identity}-$(hostname)"
|
||||||
|
#! $createonly && agent_load_identity_keys $ssh_identity
|
||||||
|
res=1
|
||||||
|
else
|
||||||
|
agent_start_or_restart $ssh_identity
|
||||||
|
! $createonly && agent_load_identity_keys $ssh_identity
|
||||||
|
res=0
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
SCRIPTEXIT
|
SCRIPTEXIT
|
||||||
|
loginfo "return with $res"
|
||||||
exit $res
|
exit $res
|
||||||
|
|
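Review bot: In check_token's new heredoc, `${P11M}` is expanded at write time into an unquoted assignment in the agent file and the redirect target in `cat << EOF > $agentfile` is unquoted, so when that file is later sourced a value containing spaces or shell metacharacters is re-parsed as code instead of being stored as a string. Emit the value shell-quoted and quote the target: `cat << EOF > "$agentfile"` and `PKCS11_MODULE=$(printf '%q' "${P11M}"); export PKCS11_MODULE` (the `printf "%s\n" "PKCS11_MODULE=$(readlink -f $key)" | tee -a "${agentfile}"` append in the second hunk has the same shape). The `. ~/.ssh/p11m` line has no existence guard, so a missing file makes the function fail before the socket check is even reported; `[ -r ~/.ssh/p11m ] && . ~/.ssh/p11m` would make it optional, if that is the intent. The function no longer performs the `ssh-add -T` liveness check or the DISPLAY save/restore, which survive only as the roughly fifty commented-out lines that follow it; deleting those outright (history keeps them) and adding a short header comment stating that check_token now only detects the forwarded socket, writes the agent file and returns 0 or 1 accordingly would keep the name honest for the next reader.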