jakob/myshellconfig
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

make agent/token available also from remotelogin

Browse source
This commit is contained in:
Jakobus Schürz 2023-07-06 19:30:28 +02:00
parent d6ba30980a
commit e0adff87b8
1 changed files with 77 additions and 49 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

118
bin/startagent
View file

@ -42,46 +42,63 @@ EOF
}
check_token(){
loginfo "a P11M: ${P11M}"
loginfo "a PKCS11_MODULE: ${PKCS11_MODULE}"
[ -n "${P11M:+x}" ] && export PKCS11_MODULE=${P11M}
loginfo "b P11M: ${P11M}"
loginfo "b PKCS11_MODULE: ${PKCS11_MODULE}"
# it's the same as "token" in functions.sh
# defined here also, to work also in environments, where functions.sh couldn't be sourced
[ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
loginfo "c P11M: ${P11M}"
loginfo "c PKCS11_MODULE: ${PKCS11_MODULE}"
# If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work
# So remember and unset DISPLAY, and set it at the end again, if it was set before
[ $DISPLAY ] && local DISPLAY_ORIG=$DISPLAY
[ $DISPLAY ] && logtrace "unset DISPLAY: $DISPLAY"
[ $DISPLAY ] && unset DISPLAY
# Write public keys of all in agent stored keys to a temporary file
local tmppubkey="$(mktemp -p ${XDG_RUNTIME_DIR} pubkey.XXXXXX.pub)"
logtrace "tmppubkey: $tmppubkey"
logdebug "C"
tmpIFS="${IFS}"
IFS=$'\n'
for tmppk in $(ssh-add -L)
do
printf "%s" "$tmppk" |tee "${tmppubkey}" || return $?
#echo "${tmppk}" > $tmppubkey || return $?
#ssh-add -L > $tmppubkey || return $?
# Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token.
loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )"
logdebug "$(ssh-add -l )"
done
logdebug "$(rm "${tmppubkey}")"
IFS=$tmpIFS
unset tmpIFS
[ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG"
[ $DISPLAY_ORIG ] && export DISPLAY=$DISPLAY_ORIG
if [ -e ~/.ssh/ssh_from_remote_auth_sock ]
then
logdebug "~/.ssh/ssh_from_remote_auth_sock is link"
. ~/.ssh/p11m
local agentfile="${SSH_AGENTS_DIR}/agent-${ssh_identity}-$(hostname)"
cat << EOF > $agentfile
SSH_AUTH_SOCK=~/.ssh/ssh_from_remote_auth_sock; export SSH_AUTH_SOCK
PKCS11_MODULE=${P11M}; export PKCS11_MODULE
EOF
# echo $agentfile
loginfo "$(cat $agentfile)"
return 0
else
logdebug "~/.ssh/ssh_from_remote_auth_sock is broken"
return 1
fi
}
# loginfo "a P11M: ${P11M}"
# loginfo "a PKCS11_MODULE: ${PKCS11_MODULE}"
#
# [ -n "${P11M:+x}" ] && export PKCS11_MODULE=${P11M}
# loginfo "b P11M: ${P11M}"
# loginfo "b PKCS11_MODULE: ${PKCS11_MODULE}"
# # it's the same as "token" in functions.sh
# # defined here also, to work also in environments, where functions.sh couldn't be sourced
# [ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
#
# loginfo "c P11M: ${P11M}"
# loginfo "c PKCS11_MODULE: ${PKCS11_MODULE}"
# # If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work
# # So remember and unset DISPLAY, and set it at the end again, if it was set before
# [ $DISPLAY ] && local DISPLAY_ORIG=$DISPLAY
# [ $DISPLAY ] && logtrace "unset DISPLAY: $DISPLAY"
# [ $DISPLAY ] && unset DISPLAY
#
# # Write public keys of all in agent stored keys to a temporary file
# local tmppubkey="$(mktemp -p ${XDG_RUNTIME_DIR} pubkey.XXXXXX.pub)"
# logtrace "tmppubkey: $tmppubkey"
# logdebug "C"
# tmpIFS="${IFS}"
# IFS=$'\n'
# for tmppk in $(ssh-add -L)
# do
# printf "%s" "$tmppk" |tee "${tmppubkey}" || return $?
# #echo "${tmppk}" > $tmppubkey || return $?
# #ssh-add -L > $tmppubkey || return $?
# # Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token.
# loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )"
# logdebug "$(ssh-add -l )"
# done
# logdebug "$(rm "${tmppubkey}")"
# IFS=$tmpIFS
# unset tmpIFS
# [ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG"
# [ $DISPLAY_ORIG ] && export DISPLAY=$DISPLAY_ORIG
#
#}
createonly=false
tokenonly=false
@ -303,13 +320,14 @@ agent_load_identity_keys () {
for key in $(ls ${SSH_IDENTITIES_DIR}/${ssh_identity}/*|grep "\.so$"); do
logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key"
#[ -e "${P11M-x}" ] || [ "$(readlink - f $key)" == "$P11M" ] || key="$P11M"
#[ "$(readlink - f $key)" == "$P11M" ] || key="$P11M"
[ "$(readlink -f $key)" != "$PKCS11_MODULE" -a "${PKCS11_MODULE:-x}" != "x" ] && key="$PKCS11_MODULE"
if [ "$(readlink -f $key)" != "$PKCS11_MODULE" -a "${PKCS11_MODULE:-x}" != "x" ]
then
key="$PKCS11_MODULE"
else
export PKCS11_MODULE=$(readlink -f $key)
export P11M=$PKCS11_MODULE
fi
logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key"
grep -q "PKCS11_MODULE" "${agentfile}" >/dev/null 2>&1 && sed -i -e '/PKCS11_MODULE/d' "${agentfile}"
grep -q "PKCS11_MODULE" "${agentfile}" >/dev/null 2>&1 && { sed -i -e '/PKCS11_MODULE/d' "${agentfile}"; key=$PKCS11_MODULE; }
printf "%s\n" "PKCS11_MODULE=$(readlink -f $key)" | tee -a "${agentfile}" >&2
tokenfingerprints=($(ssh-keygen -l -D $key|tr -s ' '|awk '{print $2}'))
@ -409,13 +427,23 @@ logtrace " SSH_IDENTITIES_DIR: $SSH_IDENTITIES_DIR"
if [[ $SSH_TTY || $X2GO_SESSION ]] ; then
logdebug "Shell running with forwarded ssh-agent. Please add local token manually"
check_token
res=1
res=2
else
logdebug "run with local ssh-agent"
check_token
if [ $? -eq 0 ]
then
loginfo "run with remote agent"
printf "%s" "${SSH_AGENTS_DIR}/agent-${ssh_identity}-$(hostname)"
#! $createonly && agent_load_identity_keys $ssh_identity
res=1
else
agent_start_or_restart $ssh_identity
! $createonly && agent_load_identity_keys $ssh_identity
res=0
fi
fi
SCRIPTEXIT
loginfo "return with $res"
exit $res