diff --git a/bashrc_add b/bashrc_add index ef0f27b..c1ee248 100755 --- a/bashrc_add +++ b/bashrc_add @@ -68,13 +68,22 @@ if [[ $- = *i* ]] ; then . ${MSC_BASE}/logging # P11M for etoken/smartcard authentification + # Use PKCS11_MODULE or P11M (comes from ssh, when connected from remote) only in context of startagent/loadagent # which dnf >/dev/null 2>&1 [ -z "${P11M+x}" ] && P11M="$(dnf repoquery --installed -l p11-kit | grep \/p11-kit-proxy.so\$ | head -1)" # which dpkg >/dev/null 2>&1 && [ -z "${P11M+x}" ] && P11M="$(dpkg -L p11-kit-modules|grep \/p11-kit-proxy.so\$ | head -1)" - [ -z "${PKCS11_MODULE:+x}" ] && [ -n "$(whereis p11-kit-proxy.so|awk '{print $2}')" ] && export PKCS11_MODULE=$(whereis p11-kit-proxy.so|awk '{print $2}' || { echo "p11-kit-proxy not installed, unset PKCS11_MODULE"; unset PKCS11_MODULE; }) - [ -z "${P11M:+x}" ] && [ -n "$(whereis p11-kit-proxy.so|awk '{print $2}')" ] && export P11M=$(whereis p11-kit-proxy.so|awk '{print $2}' || { echo "p11-kit-proxy not forwarded by ssh or installed, unset P11M"; unset P11M; }) - + + function find_pkcs11module() { + [ -z "${PKCS11_MODULE:+x}" ] && \ + [ -n "$(whereis p11-kit-proxy.so|awk '{print $2}')" ] && \ + export PKCS11_MODULE=$(whereis p11-kit-proxy.so|awk '{print $2}' || \ + { echo "p11-kit-proxy not installed, unset PKCS11_MODULE"; unset PKCS11_MODULE; }) + [ -z "${P11M:+x}" ] && \ + [ -n "$(whereis p11-kit-proxy.so|awk '{print $2}')" ] && \ + export P11M=$(whereis p11-kit-proxy.so|awk '{print $2}' || \ + { echo "p11-kit-proxy not forwarded by ssh or installed, unset P11M"; unset P11M; }) + } # Basics [ -z "${VISUAL+x}" ] && export VISUAL=${VISUAL_DEFAULT} [ -z "${EDITOR+x}" ] && export EDITOR=${EDITOR_DEFAULT} diff --git a/bin/ssh-init-pkcs11 b/bin/ssh-init-pkcs11 deleted file mode 100755 index e5b88cb..0000000 --- a/bin/ssh-init-pkcs11 +++ /dev/null 
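Review bot: In the new find_pkcs11module the `|| { echo ...; unset PKCS11_MODULE; }` fallbacks sit inside the `$(...)` command substitution, so they cannot do what they say: the `unset` runs in the subshell and never reaches the caller, and the echo text would become the exported value of PKCS11_MODULE (or P11M) instead of a diagnostic. The branch is also effectively dead, because `awk` exits 0 even on empty input and the preceding `[ -n "$(whereis ...)" ]` guard already covers the not-installed case, while `whereis` is run four times for a single result. Computing the path once and exporting it only when found keeps the visible behaviour (unset or empty variables receive the proxy path, set ones are left alone) and removes the misleading fallback. Since whatever lands in these variables is later handed to `ssh-add -s` as a shared library to load into the agent, the shorter form is also easier to audit. The function is defined inside an `if [[ $- = *i* ]]` block that begins before the hunk.
```shell
    function find_pkcs11module() {
        local proxy
        # whereis prints "name: path ..."; take the first path, empty when not installed
        proxy="$(whereis p11-kit-proxy.so | awk '{print $2}')"
        [ -n "$proxy" ] || return 0
        [ -z "${PKCS11_MODULE:+x}" ] && export PKCS11_MODULE="$proxy"
        [ -z "${P11M:+x}" ] && export P11M="$proxy"
        return 0
    }
```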
@@ -1,25 +0,0 @@ -#!/bin/sh - -set -eu -set -x -which dnf >/dev/null 2>&1 [ -z "${P11M+x}" ] && P11M="$(dnf repoquery --installed -l p11-kit | grep \/p11-kit-proxy.so\$ | head -1)" -which dpkg >/dev/null 2>&1 && [ -z "${P11M+x}" ] && P11M="$(dpkg -L p11-kit-modules|grep \/p11-kit-proxy.so\$ | head -1)" - - -echo SSH_AGENT_PID before: $SSH_AGENT_PID - -[ -z "$(pidof ssh-agent)" -o "${SSH_AGENT_PID}" != "$(pidof ssh-agent)" ] && eval "$(ssh-agent -s)" - - -echo SSH_AGENT_PID after: $SSH_AGENT_PID - -#if ssh-add -l | grep -q "${P11M}"; then -# # Remove any stale loaded keys from token, ssh-agent does not automatically -# # reconnect with the token when you reinsert it. -# ssh-add -e "${P11M}" -#fi - -ssh-add -e "${P11M}" 2>/dev/null -echo $? -# Tell ssh-agent to use the keys on the token -ssh-add -s "${P11M}" diff --git a/bin/startagent b/bin/startagent index 12d97be..784ecd7 100755 --- a/bin/startagent +++ b/bin/startagent @@ -45,7 +45,7 @@ check_token(){ # it's the same as "token" in functions.sh # defined here also, to work also in environments, where functions.sh couldn't be sourced - [ -z "${P11M:+x}" ] && { P11M=$PKCS11_MODULE; export P11M; } + [ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; } # If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work # So remember and unset DISPLAY, and set it at the end again, if it was set before @@ -58,7 +58,7 @@ check_token(){ logtrace "tmppubkey: $tmppubkey" loginfo "$(ssh-add -L > $tmppubkey)" # Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token. - loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $P11M; ssh-add -s $P11M; } )" + loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODUlE; ssh-add -s $PKCS11_MODUlE; } )" logdebug "$(rm "${tmppubkey}")" logdebug "$(ssh-add -l )" [ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG" 
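Review bot: The replacement line in the second check_token hunk misspells the variable as `$PKCS11_MODUlE` (lowercase L) twice, so the re-add path runs `ssh-add -e` and `ssh-add -s` with an empty argument and is expected to fail rather than reattach the token; the same line in functions.sh token() is spelled correctly in this commit. It should read `loginfo "$(ssh-add -T "${tmppubkey}" || { ssh-add -e "$PKCS11_MODULE"; ssh-add -s "$PKCS11_MODULE"; } )"`. Note also that the first hunk's fallback `[ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }` exports an empty PKCS11_MODULE when P11M is unset too, so a guard such as `: "${PKCS11_MODULE:?no PKCS#11 module configured}"` before the ssh-add calls would turn that into a clear error instead of a failing ssh-add. check_token begins before and continues past both hunks.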
@@ -287,12 +287,13 @@ agent_load_identity_keys () { for key in $(ls ${SSH_IDENTITIES_DIR}/${ssh_identity}/*|grep "\.so$"); do echo "key: $key" - logdebug "P11M1: ${P11M:-not set} - key: $key" + logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key" #[ -e "${P11M-x}" ] || [ "$(readlink - f $key)" == "$P11M" ] || key="$P11M" #[ "$(readlink - f $key)" == "$P11M" ] || key="$P11M" - [ "$(readlink -f $key)" != "$P11M" -a "${P11M:-x}" != "x" ] && key="$P11M" - logdebug "P11M2: ${P11M:-not set} - key: $key" - logdebug "P11M: ${P11M:-not set} - key: $key" + [ "$(readlink -f $key)" != "$PKCS11_MODULE" -a "${PKCS11_MODULE:-x}" != "x" ] && key="$PKCS11_MODULE" + logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key" + grep "export PKCS11_MODULE" ${agentfile} && sed -e '/export PKCS11_MODULE/d' ${agentfile} + echo "export PKCS11_MODULE=$(readlink -f $key)" | tee -a "${agentfile}" tokenfingerprints=($(ssh-keygen -l -D $key|tr -s ' '|awk '{print $2}')) diff --git a/functions.sh b/functions.sh index b9c198a..1fea80f 100755 --- a/functions.sh +++ b/functions.sh @@ -951,14 +951,14 @@ utoken () { ENTRY ssh_identity=$1 - [ -z "${P11M+x}" ] && { P11M=$PKCS11_MODULE; export P11M; } + [ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; } if [ -n "${ssh_identity+x}" ]; then agentfile="${HOME}/.ssh/agents/agent-${ssh_identity}-$(hostname)" if [ -e "$agentfile" ]; then local SSH_AUTH_SOCK local SSH_AGENT_PID - /bin/sh -c ". $agentfile >/dev/null 2>/dev/null; ssh-add -l; ssh-add -e $P11M; ssh-add -l" + /bin/sh -c ". $agentfile >/dev/null 2>/dev/null; ssh-add -l; ssh-add -e $PKCS11_MODULE; ssh-add -l" fi fi EXIT 
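Review bot: The added `grep "export PKCS11_MODULE" ${agentfile} && sed -e '/export PKCS11_MODULE/d' ${agentfile}` does not edit the file: without `-i` sed only writes the filtered copy to stdout, the grep match is printed as well, and every run therefore appends one more `export PKCS11_MODULE=...` line through `tee -a`. Because this file is presumably the one loadagent later runs `eval $(<$af)` on, the unquoted `$(readlink -f $key)` is re-parsed by the shell at load time, so a path containing spaces or metacharacters would be split or executed. Suggest `grep -q "export PKCS11_MODULE" "${agentfile}" && sed -i -e '/export PKCS11_MODULE/d' "${agentfile}"` followed by `printf 'export PKCS11_MODULE=%q\n' "$(readlink -f "$key")" >> "${agentfile}"`, which also stops the value from echoing to stdout unless that was intended. agent_load_identity_keys starts before and continues past the hunk.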
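Review bot: In utoken the changed `/bin/sh -c ". $agentfile ...; ssh-add -e $PKCS11_MODULE; ssh-add -l"` interpolates the module path and the agent-file path into a command string that a fresh shell re-parses, so whitespace or a metacharacter in either value alters the command instead of being passed as an argument. Passing them as positional parameters avoids that: `/bin/sh -c '. "$1" >/dev/null 2>&1; ssh-add -l; ssh-add -e "$2"; ssh-add -l' sh "$agentfile" "$PKCS11_MODULE"`. Separately, this hunk's fallback tests `${PKCS11_MODULE+x}` while check_token in bin/startagent uses `${PKCS11_MODULE:+x}`, so a set-but-empty PKCS11_MODULE falls back to P11M in one place and not the other; picking one form keeps the two copies that the startagent comment calls "the same" aligned. utoken begins before the hunk.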
@@ -966,7 +966,7 @@ utoken () { token(){ - [ -z "${P11M:+x}" ] && { P11M=$PKCS11_MODULE; export P11M; } + [ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; } # If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work # So remember and unset DISPLAY, and set it at the end again, if it was set before @@ -979,7 +979,7 @@ token(){ logtrace "tmppubkey: $tmppubkey" loginfo "$(ssh-add -L > $tmppubkey)" # Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token. - loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $P11M; ssh-add -s $P11M; } )" + loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )" logdebug "$(rm "${tmppubkey}")" logdebug "$(ssh-add -l )" [ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG" @@ -989,8 +989,9 @@ token(){ token-extract-pubkey() { - if pkcs11-tool --module $P11M --list-token-slots >&2 ;then - ssh-keygen -i -m pkcs8 -f <(pkcs11-tool --module $P11M -r --type pubkey ${1:+--label} ${1} |openssl rsa -pubin -inform DER ) + [ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; } + if pkcs11-tool --module $PKCS11_MODULE --list-token-slots >&2 ;then + ssh-keygen -i -m pkcs8 -f <(pkcs11-tool --module $PKCS11_MODULE -r --type pubkey ${1:+--label} ${1} |openssl rsa -pubin -inform DER ) if [ $? -gt 0 ] ; then token-list-objects >&2 fi @@ -1001,12 +1002,13 @@ token-extract-pubkey() { } token-list-objects() { + [ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; } case $1 in --login|-l) - pkcs11-tool --module $P11M --login --list-objects + pkcs11-tool --module $PKCS11_MODULE --login --list-objects ;; *) - pkcs11-tool --module $P11M --list-objects + pkcs11-tool --module $PKCS11_MODULE --list-objects ;; esac 
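Review bot: The new guard in token() tests `[ -z "${PKCS11_MODULE+x}" ]`, whereas the line it replaces used `${P11M:+x}` and the parallel check_token copy in bin/startagent uses `${PKCS11_MODULE:+x}`; with the `+x` form a PKCS11_MODULE that is set but empty is kept instead of falling back to P11M, and the later `ssh-add -e`/`ssh-add -s` calls in this function then receive an empty argument. If the intent is "unset or empty", use `[ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }` here and in the utoken, token-extract-pubkey and token-list-objects hunks so all the fallbacks agree. token() continues past the hunk.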
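Review bot: In token-extract-pubkey the added fallback can leave PKCS11_MODULE exported but empty when P11M is unset as well, and the next line then runs `pkcs11-tool --module $PKCS11_MODULE` with an empty, unquoted argument, so the option likely consumes `--list-token-slots` as its module name and the resulting error points away from the real cause. A check directly after the fallback, `: "${PKCS11_MODULE:?neither PKCS11_MODULE nor P11M is set}"`, fails fast with a clear message, and quoting `"$PKCS11_MODULE"` (and `"${1}"` in the `--label` case) keeps paths or labels containing spaces intact. token-extract-pubkey continues past the hunk, and the token-list-objects hunk on the same line would benefit from the same guard.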
@@ -1017,7 +1019,7 @@ loadagent() { local af af=$(startagent --create-only $1 ) loginfo "Load agent from $af" - unset SSH_AUTH_SOCKET SSH_AGENT_PID + unset SSH_AUTH_SOCKET SSH_AGENT_PID PKCS11_MODULE [ -n "${af+x}" ] && eval $(<$af) logdebug "SSH_AUTH_SOCK: ${SSH_AUTH_SOCK-not set}" logdebug "SSH_AGENT_PID: ${SSH_AGENT_PID-not set}"
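Review bot: The changed `unset SSH_AUTH_SOCKET SSH_AGENT_PID PKCS11_MODULE` names `SSH_AUTH_SOCKET`, but the variable ssh-agent exports and the logdebug line two lines below reads is `SSH_AUTH_SOCK`, so a stale socket path survives the reset whenever the agent file does not set it; it should be `unset SSH_AUTH_SOCK SSH_AGENT_PID PKCS11_MODULE`. The guard `[ -n "${af+x}" ]` is also always true because `af` was assigned on the line above, so an empty result from `startagent --create-only` still reaches the eval; `[ -n "$af" ] && [ -r "$af" ]` is probably the check that was intended. Since the agent file is executed with `eval $(<$af)`, anything written into it (including the export line this commit adds in bin/startagent) should be shell-quoted at write time. loadagent begins before the hunk.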