0060_ssh_key: add private key escrow via IPA vault and README
Provisions ~/.ssh/id_ed25519 once and stores it in the FreeIPA KRA vault so the key persists across reinstalls/new machines instead of being regenerated each time. Guards against silently overwriting an existing vault key on transient failures (missing ~/.ssh, vault-add errors, ssh-keygen failures) before archiving.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -0,0 +1,20 @@
# 0060_ssh_key

Provisions a per-user `~/.ssh/id_ed25519` key and escrows it in the FreeIPA
KRA vault (`SSH_PRIV_KEY`), so the same key is reused across machines instead
of generating a new one on every install.

Run as the logged-in user via `client_software/user_run.sh` (needs the
`DAVTOKEN_USER` environment prepared by `sync_client_software.sh`).

Behavior:
- If `~/.ssh/id_ed25519` already exists locally, it's left untouched.
- Otherwise, tries `ipa vault-retrieve` for `SSH_PRIV_KEY`:
- found → key is fetched, permissions fixed to `0600`, public key derived.
- not found → a new vault is created, a new key pair is generated, and the
private key is archived to the vault.
- Requires `IPAVAULTUSE=true` (KRA available); otherwise the script is a
no-op.

Note: this only handles private-key escrow. Publishing the public key to the
user's FreeIPA entry (`ipa user-mod --sshpubkey`) is not done by this script.
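Review bot: the Behavior list only distinguishes "found" from "not found" for `ipa vault-retrieve`, yet the commit message says the script also guards against transient failures (missing ~/.ssh, vault-add errors, ssh-keygen failures); the README should state that a retrieve error other than "vault not found" (expired Kerberos ticket, KRA unreachable) aborts the run instead of falling into the "not found → a new vault is created, a new key pair is generated" branch, since otherwise a transient error mints a second key pair that the later vault-add can at best refuse. Two further paths are undocumented: a local `~/.ssh/id_ed25519` present while no `SSH_PRIV_KEY` vault exists (is the local key archived, or does the vault stay empty until a reinstall?), and a local key that differs from the vault's. Also say which vault type `SSH_PRIV_KEY` is created with: a standard vault lets anyone with access to the vault (IPA admins included) retrieve the private key, whereas a symmetric or asymmetric vault needs a user-held password or key to open it; and since the retrieved key gets `0600`, mention that `~/.ssh` itself is created with `0700` when missing.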