improve pkcs11 for multiple token

This commit is contained in:
Jakobus Schürz 2023-02-22 16:19:00 +01:00
parent 77446d1ab8
commit e39b7ce58c
4 changed files with 30 additions and 43 deletions


@ -68,13 +68,22 @@ if [[ $- = *i* ]] ; then
. ${MSC_BASE}/logging
# P11M for etoken/smartcard authentification
# Use PKCS11_MODULE or P11M (comes from ssh, when connected from remote) only in context of startagent/loadagent
# which dnf >/dev/null 2>&1 [ -z "${P11M+x}" ] && P11M="$(dnf repoquery --installed -l p11-kit | grep \/p11-kit-proxy.so\$ | head -1)"
# which dpkg >/dev/null 2>&1 && [ -z "${P11M+x}" ] && P11M="$(dpkg -L p11-kit-modules|grep \/p11-kit-proxy.so\$ | head -1)"
[ -z "${PKCS11_MODULE:+x}" ] && [ -n "$(whereis p11-kit-proxy.so|awk '{print $2}')" ] && export PKCS11_MODULE=$(whereis p11-kit-proxy.so|awk '{print $2}' || { echo "p11-kit-proxy not installed, unset PKCS11_MODULE"; unset PKCS11_MODULE; })
[ -z "${P11M:+x}" ] && [ -n "$(whereis p11-kit-proxy.so|awk '{print $2}')" ] && export P11M=$(whereis p11-kit-proxy.so|awk '{print $2}' || { echo "p11-kit-proxy not forwarded by ssh or installed, unset P11M"; unset P11M; })
function find_pkcs11module() {
[ -z "${PKCS11_MODULE:+x}" ] && \
[ -n "$(whereis p11-kit-proxy.so|awk '{print $2}')" ] && \
export PKCS11_MODULE=$(whereis p11-kit-proxy.so|awk '{print $2}' || \
{ echo "p11-kit-proxy not installed, unset PKCS11_MODULE"; unset PKCS11_MODULE; })
[ -z "${P11M:+x}" ] && \
[ -n "$(whereis p11-kit-proxy.so|awk '{print $2}')" ] && \
export P11M=$(whereis p11-kit-proxy.so|awk '{print $2}' || \
{ echo "p11-kit-proxy not forwarded by ssh or installed, unset P11M"; unset P11M; })
}
# Basics
[ -z "${VISUAL+x}" ] && export VISUAL=${VISUAL_DEFAULT}
[ -z "${EDITOR+x}" ] && export EDITOR=${EDITOR_DEFAULT}
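Review bot: The `|| { echo …; unset … }` fallbacks on the new `export PKCS11_MODULE=$(…)` and `export P11M=$(…)` lines inside find_pkcs11module cannot do what they say: they run inside the command substitution's subshell, so the `unset` never reaches the calling shell, and if the branch did fire the echoed message would be captured as the exported module path. In practice it never fires, because the substitution's exit status is that of the trailing `awk`, not `whereis`, and the `[ -n "$(whereis …)" ]` guard on the preceding line already skips the assignment when nothing is found — which also means the lookup runs twice per variable. The `&&` chain also leaves the function's status as "failed" whenever P11M was already set, which a caller under `set -e` would trip on. Resolving the path once into a local, reporting to stderr, and assigning from that variable removes all three; the message text below is illustrative and can be reworded.
```shell
function find_pkcs11module() {
  local proxy
  proxy=$(whereis p11-kit-proxy.so | awk '{print $2}')
  if [ -z "$proxy" ]; then
    echo "p11-kit-proxy not forwarded by ssh or installed, leaving PKCS11_MODULE/P11M unset" >&2
    return 1
  fi
  [ -z "${PKCS11_MODULE:+x}" ] && export PKCS11_MODULE="$proxy"
  [ -z "${P11M:+x}" ] && export P11M="$proxy"
  return 0
}
```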


@ -1,25 +0,0 @@
#!/bin/sh
set -eu
set -x
which dnf >/dev/null 2>&1 [ -z "${P11M+x}" ] && P11M="$(dnf repoquery --installed -l p11-kit | grep \/p11-kit-proxy.so\$ | head -1)"
which dpkg >/dev/null 2>&1 && [ -z "${P11M+x}" ] && P11M="$(dpkg -L p11-kit-modules|grep \/p11-kit-proxy.so\$ | head -1)"
echo SSH_AGENT_PID before: $SSH_AGENT_PID
[ -z "$(pidof ssh-agent)" -o "${SSH_AGENT_PID}" != "$(pidof ssh-agent)" ] && eval "$(ssh-agent -s)"
echo SSH_AGENT_PID after: $SSH_AGENT_PID
#if ssh-add -l | grep -q "${P11M}"; then
# # Remove any stale loaded keys from token, ssh-agent does not automatically
# # reconnect with the token when you reinsert it.
# ssh-add -e "${P11M}"
#fi
ssh-add -e "${P11M}" 2>/dev/null
echo $?
# Tell ssh-agent to use the keys on the token
ssh-add -s "${P11M}"


@ -45,7 +45,7 @@ check_token(){
# it's the same as "token" in functions.sh
# defined here also, to work also in environments, where functions.sh couldn't be sourced
[ -z "${P11M:+x}" ] && { P11M=$PKCS11_MODULE; export P11M; }
[ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
# If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work
# So remember and unset DISPLAY, and set it at the end again, if it was set before
@ -58,7 +58,7 @@ check_token(){
logtrace "tmppubkey: $tmppubkey"
loginfo "$(ssh-add -L > $tmppubkey)"
# Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token.
loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $P11M; ssh-add -s $P11M; } )"
loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODUlE; ssh-add -s $PKCS11_MODUlE; } )"
logdebug "$(rm "${tmppubkey}")"
logdebug "$(ssh-add -l )"
[ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG"
@ -287,12 +287,13 @@ agent_load_identity_keys () {
for key in $(ls ${SSH_IDENTITIES_DIR}/${ssh_identity}/*|grep "\.so$"); do
echo "key: $key"
logdebug "P11M1: ${P11M:-not set} - key: $key"
logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key"
#[ -e "${P11M-x}" ] || [ "$(readlink - f $key)" == "$P11M" ] || key="$P11M"
#[ "$(readlink - f $key)" == "$P11M" ] || key="$P11M"
[ "$(readlink -f $key)" != "$P11M" -a "${P11M:-x}" != "x" ] && key="$P11M"
logdebug "P11M2: ${P11M:-not set} - key: $key"
logdebug "P11M: ${P11M:-not set} - key: $key"
[ "$(readlink -f $key)" != "$PKCS11_MODULE" -a "${PKCS11_MODULE:-x}" != "x" ] && key="$PKCS11_MODULE"
logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key"
grep "export PKCS11_MODULE" ${agentfile} && sed -e '/export PKCS11_MODULE/d' ${agentfile}
echo "export PKCS11_MODULE=$(readlink -f $key)" | tee -a "${agentfile}"
tokenfingerprints=($(ssh-keygen -l -D $key|tr -s ' '|awk '{print $2}'))
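Review bot: The new line in the second hunk of check_token references `$PKCS11_MODUlE` (lowercase "l") twice; nothing on the page defines that name, so the fallback would run `ssh-add -e` and `ssh-add -s` with an empty argument and the token would never be re-attached after a removal. It should read `loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )"`. In the agent_load_identity_keys hunk the new `readlink -f $key` comparison leaves `$key` unquoted and uses the deprecated `-a`; `[ "$(readlink -f "$key")" != "$PKCS11_MODULE" ] && [ "${PKCS11_MODULE:-x}" != "x" ] && key="$PKCS11_MODULE"` is the same test without the word-splitting risk. Both check_token and agent_load_identity_keys start and end outside these hunks.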


@ -951,14 +951,14 @@ utoken () {
ENTRY
ssh_identity=$1
[ -z "${P11M+x}" ] && { P11M=$PKCS11_MODULE; export P11M; }
[ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
if [ -n "${ssh_identity+x}" ]; then
agentfile="${HOME}/.ssh/agents/agent-${ssh_identity}-$(hostname)"
if [ -e "$agentfile" ]; then
local SSH_AUTH_SOCK
local SSH_AGENT_PID
/bin/sh -c ". $agentfile >/dev/null 2>/dev/null; ssh-add -l; ssh-add -e $P11M; ssh-add -l"
/bin/sh -c ". $agentfile >/dev/null 2>/dev/null; ssh-add -l; ssh-add -e $PKCS11_MODULE; ssh-add -l"
fi
fi
EXIT
@ -966,7 +966,7 @@ utoken () {
token(){
[ -z "${P11M:+x}" ] && { P11M=$PKCS11_MODULE; export P11M; }
[ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
# If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work
# So remember and unset DISPLAY, and set it at the end again, if it was set before
@ -979,7 +979,7 @@ token(){
logtrace "tmppubkey: $tmppubkey"
loginfo "$(ssh-add -L > $tmppubkey)"
# Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token.
loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $P11M; ssh-add -s $P11M; } )"
loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )"
logdebug "$(rm "${tmppubkey}")"
logdebug "$(ssh-add -l )"
[ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG"
@ -989,8 +989,9 @@ token(){
token-extract-pubkey() {
if pkcs11-tool --module $P11M --list-token-slots >&2 ;then
ssh-keygen -i -m pkcs8 -f <(pkcs11-tool --module $P11M -r --type pubkey ${1:+--label} ${1} |openssl rsa -pubin -inform DER )
[ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
if pkcs11-tool --module $PKCS11_MODULE --list-token-slots >&2 ;then
ssh-keygen -i -m pkcs8 -f <(pkcs11-tool --module $PKCS11_MODULE -r --type pubkey ${1:+--label} ${1} |openssl rsa -pubin -inform DER )
if [ $? -gt 0 ] ; then
token-list-objects >&2
fi
@ -1001,12 +1002,13 @@ token-extract-pubkey() {
}
token-list-objects() {
[ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
case $1 in
--login|-l)
pkcs11-tool --module $P11M --login --list-objects
pkcs11-tool --module $PKCS11_MODULE --login --list-objects
;;
*)
pkcs11-tool --module $P11M --list-objects
pkcs11-tool --module $PKCS11_MODULE --list-objects
;;
esac
@ -1017,7 +1019,7 @@ loadagent() {
local af
af=$(startagent --create-only $1 )
loginfo "Load agent from $af"
unset SSH_AUTH_SOCKET SSH_AGENT_PID
unset SSH_AUTH_SOCKET SSH_AGENT_PID PKCS11_MODULE
[ -n "${af+x}" ] && eval $(<$af)
logdebug "SSH_AUTH_SOCK: ${SSH_AUTH_SOCK-not set}"
logdebug "SSH_AGENT_PID: ${SSH_AGENT_PID-not set}"
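Review bot: The rewritten `unset` line in loadagent still names `SSH_AUTH_SOCKET`, while the variable the function logs two lines later (and the one ssh-agent exports) is `SSH_AUTH_SOCK`, so the stale socket path is never cleared before the agent file is sourced; the line should be `unset SSH_AUTH_SOCK SSH_AGENT_PID PKCS11_MODULE`. If the eval of `$af` always sets SSH_AUTH_SOCK this is masked, but then the unset is dead code either way. The fallback guards added in this file test `${PKCS11_MODULE+x}` (set at all) whereas the check_token hunk uses `${PKCS11_MODULE:+x}` (set and non-empty), so a PKCS11_MODULE exported empty would not be replaced by P11M in token, token-extract-pubkey or token-list-objects; pick one form for all of them. In utoken the new `/bin/sh -c ". $agentfile …; ssh-add -e $PKCS11_MODULE; …"` interpolates both values into a shell string, so a path containing spaces or metacharacters breaks the command; passing them as positional parameters (`/bin/sh -c '. "$1" >/dev/null 2>&1; ssh-add -l; ssh-add -e "$2"; ssh-add -l' sh "$agentfile" "$PKCS11_MODULE"`) avoids that. utoken and loadagent start outside their hunks.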