Compare commits

...

4 commits

Author SHA1 Message Date
Jakobus Schürz
cf3d960a10 set PCKS11_MODULE from P11M, when delivered by ssh 2023-02-23 13:06:40 +01:00
Jakobus Schürz
6726c262bb try to read for modules for pkcs11 2023-02-23 10:02:59 +01:00
Jakobus Schürz
91f4bc89bd move reading for pkcs11-module to funktions 2023-02-23 09:59:46 +01:00
Jakobus Schürz
e39b7ce58c improve pkcs11 for multiple token 2023-02-22 16:19:00 +01:00
4 changed files with 43 additions and 45 deletions

View file

@ -68,12 +68,11 @@ if [[ $- = *i* ]] ; then
. ${MSC_BASE}/logging
# P11M for etoken/smartcard authentification
# Use PKCS11_MODULE or P11M (comes from ssh, when connected from remote) only in context of startagent/loadagent
# which dnf >/dev/null 2>&1 [ -z "${P11M+x}" ] && P11M="$(dnf repoquery --installed -l p11-kit | grep \/p11-kit-proxy.so\$ | head -1)"
# which dpkg >/dev/null 2>&1 && [ -z "${P11M+x}" ] && P11M="$(dpkg -L p11-kit-modules|grep \/p11-kit-proxy.so\$ | head -1)"
[ -z "${PKCS11_MODULE:+x}" ] && [ -n "$(whereis p11-kit-proxy.so|awk '{print $2}')" ] && export PKCS11_MODULE=$(whereis p11-kit-proxy.so|awk '{print $2}' || { echo "p11-kit-proxy not installed, unset PKCS11_MODULE"; unset PKCS11_MODULE; })
[ -z "${P11M:+x}" ] && [ -n "$(whereis p11-kit-proxy.so|awk '{print $2}')" ] && export P11M=$(whereis p11-kit-proxy.so|awk '{print $2}' || { echo "p11-kit-proxy not forwarded by ssh or installed, unset P11M"; unset P11M; })
# Basics
[ -z "${VISUAL+x}" ] && export VISUAL=${VISUAL_DEFAULT}
@ -197,8 +196,10 @@ EOF
_tmux_hook
_umask_hook
_pkcs11module
promptcommandmunge "_tmux_hook"
promptcommandmunge "_umask_hook"
promptcommandmunge "_pkcs11module"
which direnv >/dev/null && eval "$(direnv hook bash)"
cat << EOF >> "${MSC_LOGFILE}"

View file

@ -1,25 +0,0 @@
#!/bin/sh
set -eu
set -x
which dnf >/dev/null 2>&1 [ -z "${P11M+x}" ] && P11M="$(dnf repoquery --installed -l p11-kit | grep \/p11-kit-proxy.so\$ | head -1)"
which dpkg >/dev/null 2>&1 && [ -z "${P11M+x}" ] && P11M="$(dpkg -L p11-kit-modules|grep \/p11-kit-proxy.so\$ | head -1)"
echo SSH_AGENT_PID before: $SSH_AGENT_PID
[ -z "$(pidof ssh-agent)" -o "${SSH_AGENT_PID}" != "$(pidof ssh-agent)" ] && eval "$(ssh-agent -s)"
echo SSH_AGENT_PID after: $SSH_AGENT_PID
#if ssh-add -l | grep -q "${P11M}"; then
# # Remove any stale loaded keys from token, ssh-agent does not automatically
# # reconnect with the token when you reinsert it.
# ssh-add -e "${P11M}"
#fi
ssh-add -e "${P11M}" 2>/dev/null
echo $?
# Tell ssh-agent to use the keys on the token
ssh-add -s "${P11M}"

View file

@ -45,7 +45,7 @@ check_token(){
# it's the same as "token" in functions.sh
# defined here also, to work also in environments, where functions.sh couldn't be sourced
[ -z "${P11M:+x}" ] && { P11M=$PKCS11_MODULE; export P11M; }
[ -z "${PKCS11_MODULE:+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
# If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work
# So remember and unset DISPLAY, and set it at the end again, if it was set before
@ -58,7 +58,7 @@ check_token(){
logtrace "tmppubkey: $tmppubkey"
loginfo "$(ssh-add -L > $tmppubkey)"
# Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token.
loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $P11M; ssh-add -s $P11M; } )"
loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODUlE; ssh-add -s $PKCS11_MODUlE; } )"
logdebug "$(rm "${tmppubkey}")"
logdebug "$(ssh-add -l )"
[ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG"
@ -287,19 +287,23 @@ agent_load_identity_keys () {
for key in $(ls ${SSH_IDENTITIES_DIR}/${ssh_identity}/*|grep "\.so$"); do
echo "key: $key"
logdebug "P11M1: ${P11M:-not set} - key: $key"
logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key"
#[ -e "${P11M-x}" ] || [ "$(readlink - f $key)" == "$P11M" ] || key="$P11M"
#[ "$(readlink - f $key)" == "$P11M" ] || key="$P11M"
[ "$(readlink -f $key)" != "$P11M" -a "${P11M:-x}" != "x" ] && key="$P11M"
logdebug "P11M2: ${P11M:-not set} - key: $key"
logdebug "P11M: ${P11M:-not set} - key: $key"
[ "$(readlink -f $key)" != "$PKCS11_MODULE" -a "${PKCS11_MODULE:-x}" != "x" ] && key="$PKCS11_MODULE"
export PKCS11_MODULE=$(readlink -f $key)
export P11M=$PKCS11_MODULE
logdebug "PKCS11_MODULE: ${PKCS11_MODULE:-not set} - key: $key"
grep -q "PKCS11_MODULE" "${agentfile}" >/dev/null 2>&1 && sed -i -e '/PKCS11_MODULE/d' "${agentfile}"
echo "PKCS11_MODULE=$(readlink -f $key)" | tee -a "${agentfile}"
tokenfingerprints=($(ssh-keygen -l -D $key|tr -s ' '|awk '{print $2}'))
logtrace "fingerprints: ${fingerprints[*]}"
logtrace "tokenfingerprints count: ${#tokenfingerprints[@]}"
if [ ${#tokenfingerprints[@]} -gt 1 ]; then
logerr "Found ${#tokenfingerprints[@]} in p11-kit-proxy! Check if only one token is plugged into your computer"
logerr "Found ${#tokenfingerprints[@]} in $key! Check if only one token is plugged into your computer"
else
tokenfingerprint=${tokenfingerprints[0]}
logtrace "tokenfingerprint: ${tokenfingerprint}"
@ -309,7 +313,7 @@ agent_load_identity_keys () {
if $readd || $remove ; then
$readd && logdebug "re-add token $key"
$remove && logdebug "remove token $key"
echo agentfile1 $agentfile \$SSH_ADD_OPTIONS $key >&2
logtrace "agentfile1 $agentfile \$SSH_ADD_OPTIONS $key "
logdebug "$(ssh_runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -e "${key}" 2>&1)"
ssh_runinagent $agentfile echo $SSH_AUTH_SOCK >&2
$remove || logdebug "$(ssh_runinagent $agentfile ssh-add ${SSH_ADD_OPTIONS} -s "${key}" 2>&1)"
@ -337,6 +341,8 @@ agent_load_identity_keys () {
function check_pubkeysonly () {
if [ ${#pubkeysonly[*]} -gt 0 ] ; then
for p in ${pubkeysonly[@]}; do
logtrace "pubkeyonly: $p"
logtrace "$(ssh_runinagent $agentfile ssh-add -T ${p} 2>&1)"
ssh_runinagent $agentfile ssh-add -T ${p} 2>&1 || { $remove || readd=true; break; }
done
else

View file

@ -20,6 +20,19 @@ promptcommandmunge () {
esac
EXIT
}
function _pkcs11module() {
[ -z "${P11M:+x}" ] && \
[ -n "$(whereis ${pkcs11_module_default:-p11-kit-proxy.so}|awk '{print $2}')" ] && \
export PKCS11_MODULE=$(whereis ${pkcs11_module_default:-p11-kit-proxy.so}|awk '{print $2}' || \
{ echo "${pkcs11_module_default:-p11-kit-proxy.so} not forwarded by ssh or installed, unset P11M"; unset P11M; })
[ -n "${P11M:+x}" ] && PKCS11_MODULE=${P11M}
[ -n "${P11M:+x}" ] && tmux set-environment P11M ${P11M}
tmux set-environment PKCS11_MODULE ${PKCS11_MODULE}
}
## this function updates in combination with PROMPT_COMMAND the shell-environment-variables in tmux-sessions,
# every time prompt is called. It does it only, when called from tmux (Environment TMUX is set)
function _tmux_hook() {
@ -951,14 +964,14 @@ utoken () {
ENTRY
ssh_identity=$1
[ -z "${P11M+x}" ] && { P11M=$PKCS11_MODULE; export P11M; }
[ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
if [ -n "${ssh_identity+x}" ]; then
agentfile="${HOME}/.ssh/agents/agent-${ssh_identity}-$(hostname)"
if [ -e "$agentfile" ]; then
local SSH_AUTH_SOCK
local SSH_AGENT_PID
/bin/sh -c ". $agentfile >/dev/null 2>/dev/null; ssh-add -l; ssh-add -e $P11M; ssh-add -l"
/bin/sh -c ". $agentfile >/dev/null 2>/dev/null; ssh-add -l; ssh-add -e $PKCS11_MODULE; ssh-add -l"
fi
fi
EXIT
@ -966,7 +979,7 @@ utoken () {
token(){
[ -z "${P11M:+x}" ] && { P11M=$PKCS11_MODULE; export P11M; }
[ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
# If DISPLAY is set, ssh-add calls ssh-askpass, and if its in remote-terminal, it wont work
# So remember and unset DISPLAY, and set it at the end again, if it was set before
@ -979,7 +992,7 @@ token(){
logtrace "tmppubkey: $tmppubkey"
loginfo "$(ssh-add -L > $tmppubkey)"
# Check if public-keys in tmppubkey are working. They are not working, if you removed and add back hardware-token.
loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $P11M; ssh-add -s $P11M; } )"
loginfo "$(ssh-add -T ${tmppubkey}|| { ssh-add -e $PKCS11_MODULE; ssh-add -s $PKCS11_MODULE; } )"
logdebug "$(rm "${tmppubkey}")"
logdebug "$(ssh-add -l )"
[ $DISPLAY_ORIG ] && logtrace "reset DISPLAY=$DISPLAY_ORIG"
@ -989,8 +1002,9 @@ token(){
token-extract-pubkey() {
if pkcs11-tool --module $P11M --list-token-slots >&2 ;then
ssh-keygen -i -m pkcs8 -f <(pkcs11-tool --module $P11M -r --type pubkey ${1:+--label} ${1} |openssl rsa -pubin -inform DER )
[ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
if pkcs11-tool --module $PKCS11_MODULE --list-token-slots >&2 ;then
ssh-keygen -i -m pkcs8 -f <(pkcs11-tool --module $PKCS11_MODULE -r --type pubkey ${1:+--label} ${1} |openssl rsa -pubin -inform DER )
if [ $? -gt 0 ] ; then
token-list-objects >&2
fi
@ -1001,12 +1015,13 @@ token-extract-pubkey() {
}
token-list-objects() {
[ -z "${PKCS11_MODULE+x}" ] && { PKCS11_MODULE=$P11M; export PKCS11_MODULE; }
case $1 in
--login|-l)
pkcs11-tool --module $P11M --login --list-objects
pkcs11-tool --module $PKCS11_MODULE --login --list-objects
;;
*)
pkcs11-tool --module $P11M --list-objects
pkcs11-tool --module $PKCS11_MODULE --list-objects
;;
esac
@ -1017,12 +1032,13 @@ loadagent() {
local af
af=$(startagent --create-only $1 )
loginfo "Load agent from $af"
unset SSH_AUTH_SOCKET SSH_AGENT_PID
unset SSH_AUTH_SOCKET SSH_AGENT_PID PKCS11_MODULE
[ -n "${af+x}" ] && eval $(<$af)
logdebug "SSH_AUTH_SOCK: ${SSH_AUTH_SOCK-not set}"
logdebug "SSH_AGENT_PID: ${SSH_AGENT_PID-not set}"
loginfo "currently loaded keys in agent:
$(ssh-add -l)"
export P11M=$PKCS11_MODULE
EXIT
}