improve pkcs11 for multiple token

bashrc_add

@@ -68,13 +68,22 @@ if [[ $- = *i* ]] ; then
     . ${MSC_BASE}/logging
 
     # P11M for etoken/smartcard authentification
+    # Use PKCS11_MODULE or P11M (comes from ssh, when connected from remote) only in context of startagent/loadagent
     
 #    which dnf >/dev/null 2>&1 [ -z "${P11M+x}" ] && P11M="$(dnf repoquery --installed -l p11-kit | grep \/p11-kit-proxy.so\$ | head -1)"
 #    which dpkg >/dev/null 2>&1 && [ -z "${P11M+x}" ] && P11M="$(dpkg -L p11-kit-modules|grep \/p11-kit-proxy.so\$ | head -1)"
 
-    [ -z "${PKCS11_MODULE:+x}" ]             && [ -n "$(whereis p11-kit-proxy.so|awk '{print $2}')" ] && export PKCS11_MODULE=$(whereis p11-kit-proxy.so|awk '{print $2}' || { echo "p11-kit-proxy not installed, unset PKCS11_MODULE"; unset PKCS11_MODULE; })
-    [ -z "${P11M:+x}" ]                      && [ -n "$(whereis p11-kit-proxy.so|awk '{print $2}')" ] && export P11M=$(whereis p11-kit-proxy.so|awk '{print $2}' || { echo "p11-kit-proxy not forwarded by ssh or installed, unset P11M"; unset P11M; })
     
+    function find_pkcs11module() {
+        [ -z "${PKCS11_MODULE:+x}" ] && \
+            [ -n "$(whereis p11-kit-proxy.so|awk '{print $2}')" ] && \
+            export PKCS11_MODULE=$(whereis p11-kit-proxy.so|awk '{print $2}' || \
+            { echo "p11-kit-proxy not installed, unset PKCS11_MODULE"; unset PKCS11_MODULE; })
+        [ -z "${P11M:+x}" ]          && \
+            [ -n "$(whereis p11-kit-proxy.so|awk '{print $2}')" ] && \
+            export P11M=$(whereis p11-kit-proxy.so|awk '{print $2}' || \
+            { echo "p11-kit-proxy not forwarded by ssh or installed, unset P11M"; unset P11M; })
+    }
     # Basics
     [ -z "${VISUAL+x}" ]    && export VISUAL=${VISUAL_DEFAULT}
     [ -z "${EDITOR+x}" ]    && export EDITOR=${EDITOR_DEFAULT}

bin/ssh-init-pkcs11

@@ -1,25 +0,0 @@
-#!/bin/sh
-
-set -eu
-set -x
-which dnf >/dev/null 2>&1 [ -z "${P11M+x}" ] && P11M="$(dnf repoquery --installed -l p11-kit | grep \/p11-kit-proxy.so\$ | head -1)"
-which dpkg >/dev/null 2>&1 && [ -z "${P11M+x}" ] && P11M="$(dpkg -L p11-kit-modules|grep \/p11-kit-proxy.so\$ | head -1)"
-
-
-echo SSH_AGENT_PID before: $SSH_AGENT_PID
-
-[ -z "$(pidof ssh-agent)" -o "${SSH_AGENT_PID}" != "$(pidof ssh-agent)" ] && eval "$(ssh-agent -s)"
-
-
-echo SSH_AGENT_PID after: $SSH_AGENT_PID
-
-#if ssh-add -l | grep -q "${P11M}"; then
-#    # Remove any stale loaded keys from token, ssh-agent does not automatically
-#    # reconnect with the token when you reinsert it.
-#    ssh-add -e "${P11M}"
-#fi
-
-ssh-add -e "${P11M}" 2>/dev/null
-echo $?
-# Tell ssh-agent to use the keys on the token
-ssh-add -s "${P11M}"

bin/startagent

@@ -45,7 +45,7 @@ check_token(){
 
     # it's the same as "token" in functions.sh
     # defined here also, to work also in environments, where functions.sh couldn't be sourced
-    [ -z "${P11M:+x}" ] && { P11M=$PKCS11_MODULE; export P11M; }
+    [ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
 
     # If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work
     # So remember and unset DISPLAY, and set it at the end again, if it was set before
@@ -58,7 +58,7 @@ check_token(){
     logtrace "tmppubkey: $tmppubkey"
     loginfo "$(ssh-add -L > $tmppubkey)"
     # Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token. 
-    loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $P11M; ssh-add -s $P11M; } )"
+    loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODUlE; ssh-add -s $PKCS11_MODUlE; } )"
     logdebug "$(rm "${tmppubkey}")"
     logdebug "$(ssh-add -l )"
     [ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG"
@@ -287,12 +287,13 @@ agent_load_identity_keys () {
 
                 for key in $(ls ${SSH_IDENTITIES_DIR}/${ssh_identity}/*|grep  "\.so$"); do
                     echo "key: $key"
-                    logdebug "P11M1: ${P11M:-not set} - key: $key"
+                    logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key"
                     #[ -e "${P11M-x}" ] || [ "$(readlink - f $key)" == "$P11M" ] || key="$P11M"
                     #[ "$(readlink - f $key)" == "$P11M" ] || key="$P11M"
-                    [ "$(readlink -f $key)" != "$P11M" -a "${P11M:-x}" != "x" ] && key="$P11M"
-                    logdebug "P11M2: ${P11M:-not set} - key: $key"
-                    logdebug "P11M: ${P11M:-not set} - key: $key"
+                    [ "$(readlink -f $key)" != "$PKCS11_MODULE" -a "${PKCS11_MODULE:-x}" != "x" ] && key="$PKCS11_MODULE"
+                    logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key"
+                    grep "export PKCS11_MODULE" ${agentfile} && sed -e '/export PKCS11_MODULE/d' ${agentfile}
+                    echo "export PKCS11_MODULE=$(readlink -f $key)" | tee -a "${agentfile}"
 
                     tokenfingerprints=($(ssh-keygen -l -D $key|tr -s ' '|awk '{print $2}'))
 

functions.sh

@@ -951,14 +951,14 @@ utoken () {
     ENTRY
     ssh_identity=$1
 
-    [ -z "${P11M+x}" ] && { P11M=$PKCS11_MODULE; export P11M; }
+    [ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
     
     if [ -n "${ssh_identity+x}" ]; then
         agentfile="${HOME}/.ssh/agents/agent-${ssh_identity}-$(hostname)"
         if [ -e "$agentfile" ]; then 
             local SSH_AUTH_SOCK
             local SSH_AGENT_PID
-            /bin/sh -c ". $agentfile >/dev/null 2>/dev/null; ssh-add -l; ssh-add -e $P11M; ssh-add -l"
+            /bin/sh -c ". $agentfile >/dev/null 2>/dev/null; ssh-add -l; ssh-add -e $PKCS11_MODULE; ssh-add -l"
         fi
     fi
     EXIT
@@ -966,7 +966,7 @@ utoken () {
 
 token(){
 
-    [ -z "${P11M:+x}" ] && { P11M=$PKCS11_MODULE; export P11M; }
+    [ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
 
     # If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work
     # So remember and unset DISPLAY, and set it at the end again, if it was set before
@@ -979,7 +979,7 @@ token(){
     logtrace "tmppubkey: $tmppubkey"
     loginfo "$(ssh-add -L > $tmppubkey)"
     # Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token. 
-    loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $P11M; ssh-add -s $P11M; } )"
+    loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )"
     logdebug "$(rm "${tmppubkey}")"
     logdebug "$(ssh-add -l )"
     [ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG"
@@ -989,8 +989,9 @@ token(){
 
 
 token-extract-pubkey() {
-    if pkcs11-tool --module $P11M --list-token-slots >&2 ;then
-        ssh-keygen -i -m pkcs8 -f <(pkcs11-tool --module $P11M -r --type pubkey ${1:+--label} ${1} |openssl rsa -pubin -inform DER )
+    [ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
+    if pkcs11-tool --module $PKCS11_MODULE --list-token-slots >&2 ;then
+        ssh-keygen -i -m pkcs8 -f <(pkcs11-tool --module $PKCS11_MODULE -r --type pubkey ${1:+--label} ${1} |openssl rsa -pubin -inform DER )
         if [ $? -gt 0 ] ; then
             token-list-objects >&2
         fi
@@ -1001,12 +1002,13 @@ token-extract-pubkey() {
 }
 
 token-list-objects() {
+    [ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
     case $1 in
         --login|-l)
-            pkcs11-tool --module $P11M --login --list-objects
+            pkcs11-tool --module $PKCS11_MODULE --login --list-objects
             ;;
         *)
-            pkcs11-tool --module $P11M --list-objects
+            pkcs11-tool --module $PKCS11_MODULE --list-objects
             ;;
     esac
 
@@ -1017,7 +1019,7 @@ loadagent() {
     local af
     af=$(startagent --create-only $1 )
     loginfo "Load agent from $af"
-    unset SSH_AUTH_SOCKET SSH_AGENT_PID
+    unset SSH_AUTH_SOCKET SSH_AGENT_PID PKCS11_MODULE
     [ -n "${af+x}" ] && eval $(<$af)
     logdebug "SSH_AUTH_SOCK: ${SSH_AUTH_SOCK-not set}"
     logdebug "SSH_AGENT_PID: ${SSH_AGENT_PID-not set}"