diff --git a/bin/sshstartagent b/bin/sshstartagent
index 4c45287..278f6c3 100755
--- a/bin/sshstartagent
+++ b/bin/sshstartagent
@@ -57,17 +57,23 @@ ssh_runinagent() {
 local SSH_AUTH_SOCK
 local SSH_AGENT_PID
+ local PKCS11_MODULE
 local agentfile
 local command
 local agentfile=${1}
 shift
 local sshcommand=${@}
+ logdebug "agentfile: ${agentfile}"
 logtrace "run command »$sshcommand« in agent $agentfile"
 if [ -e "$agentfile" ]; then
- /bin/sh -c "unset SSH_AUTH_SOCK SSH_AGENT_PID; \
- . $agentfile >/dev/null 2>/dev/null; \
- $sshcommand"
+ #/bin/sh -c "unset SSH_AUTH_SOCK SSH_AGENT_PID PKCS11_MODULE; eval $(<$agentfile) >/dev/null 2>&1; echo SSH_AUTH_SOCK ${SSH_AUTH_SOCK:-not set} >&2; $sshcommand"
+ #unset SSH_AUTH_SOCK SSH_AGENT_PID PKCS11_MODULE
+ . $agentfile >&2
+ logdebug "SSH_AUTH_SOCK: ${SSH_AUTH_SOCK:-not set}"
+ logdebug "SSH_AGENT_PID: ${SSH_AGENT_PID:-not set}"
+ logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set}"
+ $sshcommand
 ret=$?
 else
 logwarning "agentfile not existent"
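Review bot: Running `$sshcommand` directly instead of through `/bin/sh -c` changes how the caller's command string is interpreted: an unquoted expansion is only word-split, so the `2>&1` that start_or_restart_local_agent passes inside `"ssh-add -v -l 2>&1"` now reaches ssh-add as a literal argument and ssh-add's stderr is no longer part of `msg`. Either run the string through the shell again, `eval "$sshcommand"`, or drop the redirection from the callers and redirect at the call site. `. $agentfile >&2` executes the agent file as shell code in the current shell (the old version at least confined it to a child `/bin/sh`); quoting the path, `. "$agentfile" >&2`, and refusing a file not owned by the current user, `[ -O "$agentfile" ] || return 1`, keep a tampered or foreign agent file from being sourced. ssh_runinagent continues past the end of this hunk.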
@@ -111,26 +117,35 @@ start_or_restart_local_agent() {
 logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set}"
 for i in $(pgrep -f ${SSH_AUTH_SOCK})
 do
+ logdebug "$(stat ${SSH_AUTH_SOCK})"
 logdebug "found pid: $i"
- [ -n "${SSH_AGENT_PID:+x}" ] \
- && [ $i -eq ${SSH_AGENT_PID} ] \
- || { logwarning "kill unused ssh-agent with pid $i"; kill $i; }
+ logdebug "is SSH_AGENT_PID set?" [ -n "${SSH_AGENT_PID:+x}" ]
+ logdebug "is $SSH_AGENT_PID same as found pid $i:" [ $i -eq ${SSH_AGENT_PID} ]
+ ${REMOTE_UNUSED_AGENTS:-false} && { [ -n "${SSH_AGENT_PID:+x}" ] && [ $i -eq ${SSH_AGENT_PID} ] || { logwarning "kill unused ssh-agent with pid $i"; kill $i; }; }
 done
- case $(pgrep -f ${SSH_AUTH_SOCK}|wc -l) in
- 0)
- logdebug "no ssh-agents for file ${ssh_socketfile}"
- ret=2
- ;;
- 1)
- logdebug "one running agent for file ${ssh_socketfile}. Use it"
- msg="$(ssh_runinagent $ssh_agentfile "ssh-add -l 2>&1")"
- ret=$?
- ;;
- *)
- logdebug "more than one ssh-agents for file ${ssh_socketfile}"
- return 3
- ;;
- esac
+ if [ -e ${ssh_socketfile} ]
+ then
+ case $(pgrep -f ${SSH_AUTH_SOCK}|wc -l) in
+ 0)
+ logdebug "no ssh-agents for file ${ssh_socketfile}"
+ ret=3
+ ;;
+ 1)
+ logdebug "one running agent for file ${ssh_socketfile}. Use it"
+ msg="$(ssh_runinagent $ssh_agentfile "ssh-add -v -l 2>&1")"
+ ret=$?
+ logdebug "SSH_AUTH_SOCK: $SSH_AUTH_SOCK"
+ ;;
+ *)
+ logdebug "more than one ssh-agents for file ${ssh_socketfile}"
+ return 3
+ ;;
+ esac
+ else
+ logdebug "remove socketfile: $( rm -v -f "$ssh_socketfile" )"
+ msg="$(ssh_runinagent $ssh_agentfile "ssh-add -v -l 2>&1")"
+ ret=$?
+ fi
 logdebug "ret: $ret"
 #msg="$(ssh-add -l 2>&1)"
 logtrace "Output from check for running agent: $msg"
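Review bot: The two new `logdebug "is SSH_AGENT_PID set?" [ -n "${SSH_AGENT_PID:+x}" ]` lines do not evaluate the test at all; the bracket expression is passed to logdebug as extra arguments, so the log line only looks like a check. The guard on the next line executes `${REMOTE_UNUSED_AGENTS:-false}` as a command, so whatever string that environment variable holds is run as a program name; compare it instead, `[ "${REMOTE_UNUSED_AGENTS:-false}" = true ] && { ...; }`. `pgrep -f ${SSH_AUTH_SOCK}` matches any process whose command line contains the socket path, not only ssh-agent, so the `kill $i` inside the braces can also hit an ssh-add or ssh client that was started with that path as an argument; anchoring the pattern on the agent binary would narrow it. If the variable was meant to read REMOVE_UNUSED_AGENTS, the spelling should be checked against the documentation and callers, which are not visible here.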
@@ -142,22 +157,35 @@ start_or_restart_local_agent() {
 logdebug "agent is running, but:"
 logwarning "$msg"
 ;;
- 2|99)
+ 2|3|99)
 logdebug "former agent is not running -> start it"
 logdebug "remove socketfile: $( rm -v -f "$ssh_socketfile" )"
 logdebug "remove agentfile: $( rm -v -f "$ssh_agentfile" )"
+ #logdebug "$(ssh-agent -k)"
+ logdebug "SSH_AGENT_OPTIONS: $SSH_AGENT_OPTIONS"
+ logtrace "$(ssh-agent -a $ssh_socketfile ${SSH_AGENT_OPTIONS} > $ssh_agentfile )"
+ logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set}"
+ sed '/^PKCS11_MODULE/d' ${ssh_agentfile}
+ [ -n "${PKCS11_MODULE:+x}" ] && logdebug "add PKCS11_MODULE to ${ssh_agentfile}"
+ [ -n "${PKCS11_MODULE:+x}" ] && echo "PKCS11_MODULE=$PKCS11_MODULE; export PKCS11_MODULE" >> ${ssh_agentfile}
+ logdebug "agent started"
+ ;;
+ 4)
+ logdebug "this is strange"
 ;;
 esac
 else
 logdebug "ssh_agentfile ${ssh_agentfile} does not exist"
+ logdebug "remove socketfile: $( rm -v -f "$ssh_socketfile" )"
+ logdebug "remove agentfile: $( rm -v -f "$ssh_agentfile" )"
+ logdebug "SSH_AGENT_OPTIONS: $SSH_AGENT_OPTIONS"
+ logtrace "$(ssh-agent -a $ssh_socketfile ${SSH_AGENT_OPTIONS} > $ssh_agentfile )"
+ logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set}"
+ sed '/^PKCS11_MODULE/d' ${ssh_agentfile}
+ [ -n "${PKCS11_MODULE:+x}" ] && logdebug "add PKCS11_MODULE to ${ssh_agentfile}"
+ [ -n "${PKCS11_MODULE:+x}" ] && echo "PKCS11_MODULE=$PKCS11_MODULE; export PKCS11_MODULE" >> ${ssh_agentfile}
+ logdebug "agent started"
 fi
- logdebug "SSH_AGENT_OPTIONS: $SSH_AGENT_OPTIONS"
- logtrace "$(ssh-agent -a $ssh_socketfile ${SSH_AGENT_OPTIONS} > $ssh_agentfile )"
- logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set}"
- sed '/^PKCS11_MODULE/d' ${ssh_agentfile}
- [ -n "${PKCS11_MODULE:+x}" ] && logdebug "add PKCS11_MODULE to ${ssh_agentfile}"
- [ -n "${PKCS11_MODULE:+x}" ] && echo "PKCS11_MODULE=$PKCS11_MODULE; export PKCS11_MODULE" >> ${ssh_agentfile}
- logdebug "agent started"
 }
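Review bot: The eight-line start sequence (from `logdebug "SSH_AGENT_OPTIONS: ..."` through `logdebug "agent started"`) is now pasted verbatim into both the `2|3|99)` arm and the `else` branch; moving it into a helper such as `start_local_agent` keeps the two paths from drifting apart. In both copies `sed '/^PKCS11_MODULE/d' ${ssh_agentfile}` has no `-i`, so it leaves the file untouched and only prints the agent file (socket path and PID) to stdout, where it lands in whatever captures this script's output. The agent file is written by a plain `>` redirection and is later sourced with `.`, so its mode follows the caller's umask; creating it with restricted permissions, e.g. `logtrace "$(umask 077; ssh-agent -a "$ssh_socketfile" ${SSH_AGENT_OPTIONS} > "$ssh_agentfile" )"`, limits who can place shell code in a file this script executes. start_or_restart_local_agent begins before this hunk; its closing `}` is the last context line shown.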
@@ -183,6 +211,13 @@ EOF
 fi
 else
 logdebug "Only local agent allowed"
+ if [ -e ${ssh_agentfile} -a $(grep SSH_AUTH_SOCK ${ssh_agentfile}|echo $?) ]
+ then
+ logdebug "agentfile exists"
+ else
+ logdebug "agentfile is missing -> kill all ssh-agents for socket"
+ pkill -f ${ssh_socketfile}
+ fi
 if [ -L ${ssh_socketfile} ]
 then
 logdebug "${ssh_socketfile} is symlinked to $(readlink -f ${ssh_socketfile}). Remove it"
@@ -253,7 +288,7 @@ logtrace " SSH_IDENTITIES_DIR: $SSH_IDENTITIES_DIR"
 set_and_load_identity_config ${1}
 loginfo " SSH_ADD_OPTIONS=${SSH_ADD_OPTIONS:-not set}"
-loginfo "SSH_AGENT_ALLOW_FROM_REMOTE=${SSH_AGENT_ALLOW_FROM_REMOTE:-not set}"
+loginfo "SSH_AGENT_ALLOW_FROM_REMOTE=${SSH_AGENT_ALLOW_FROM_REMOTE:-false}"
 loginfo " PKCS11_MODULE=${PKCS11_MODULE:-not set}"
 loginfo " P11M=${P11M:-not set}"
 loginfo " SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-not set}"
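Review bot: The condition `[ -e ${ssh_agentfile} -a $(grep SSH_AUTH_SOCK ${ssh_agentfile}|echo $?) ]` never tests grep's result: inside the pipeline `echo $?` prints the status of whatever ran before the pipeline, grep's own output is discarded, and the resulting non-empty string makes the `-a` operand true, so the test collapses to `[ -e ${ssh_agentfile} ]` plus a stray grep error on stderr when the file is missing. Write it as `if [ -e "$ssh_agentfile" ] && grep -q SSH_AUTH_SOCK "$ssh_agentfile"`. In the else branch `pkill -f ${ssh_socketfile}` signals every process whose command line contains the socket path, not only the agent, so a client started with that path as an argument is terminated as well; matching the agent itself, e.g. `pkill -f "ssh-agent .*${ssh_socketfile}"`, is the safer pattern. The second hunk on this line, the changed default in the SSH_AGENT_ALLOW_FROM_REMOTE log message, is cosmetic and raises nothing.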