SSH Key storage on IPA and Bugfix when Config is already existing #35

Merged
obel1x merged 2 commits from unbrot/fedora-OEMDRV:main into main 2026-06-17 15:44:31 +02:00
2 changed files with 30 additions and 4 deletions
+5 -1
@@ -8,7 +8,11 @@ Run as the logged-in user via `client_software/user_run.sh` (needs the
`DAVTOKEN_USER` environment prepared by `sync_client_software.sh`). `DAVTOKEN_USER` environment prepared by `sync_client_software.sh`).
Behavior: Behavior:
- If `~/.ssh/id_ed25519` already exists locally, it's left untouched. - `~/.ssh` is relocated to `${DECRYPTEDDATADIR}/ssh_keys` (the user's
gocryptfs-encrypted data dir) on first run: any existing content is moved
there once, then `~/.ssh` becomes a symlink to it. Subsequent runs detect
the symlink and skip this step.
- If `~/.ssh/id_ed25519` already exists, it's left untouched.
- Otherwise, tries `ipa vault-retrieve` for `SSH_PRIV_KEY`: - Otherwise, tries `ipa vault-retrieve` for `SSH_PRIV_KEY`:
- found → key is fetched, permissions fixed to `0600`, public key derived. - found → key is fetched, permissions fixed to `0600`, public key derived.
- not found → a new vault is created, a new key pair is generated, and the - not found → a new vault is created, a new key pair is generated, and the
+25 -3
@@ -11,15 +11,37 @@ if [ "${DAVTOKEN_USER}." == "." ]; then
exit 1 exit 1
fi fi
KEYFILE="${HOME}/.ssh/id_ed25519" SSHDIR="${HOME}/.ssh"
SSHDIR_REAL="${DECRYPTEDDATADIR}/ssh_keys"
KEYFILE="${SSHDIR}/id_ed25519"
SSHVAULTNAME="SSH_PRIV_KEY" SSHVAULTNAME="SSH_PRIV_KEY"
#Relocate ~/.ssh into the encrypted data directory, migrating any existing content once
if [ ! -L "${SSHDIR}" ]; then
mkdir -p "${SSHDIR_REAL}"
chmod 0700 "${SSHDIR_REAL}"
if [ -d "${SSHDIR}" ]; then
echo "Migrating existing ${SSHDIR} contents to ${SSHDIR_REAL}."
cp -a "${SSHDIR}/." "${SSHDIR_REAL}/"
if [ $? -ne 0 ]; then
echo "Error migrating ${SSHDIR} contents to ${SSHDIR_REAL}. Aborting, please check."
exit 1
fi
rm -rf "${SSHDIR}"
fi
ln -s "${SSHDIR_REAL}" "${SSHDIR}"
if [ $? -ne 0 ]; then
echo "Error creating symlink ${SSHDIR} -> ${SSHDIR_REAL}. Aborting, please check."
exit 1
fi
fi
if [ ${IPAVAULTUSE} = "false" ]; then if [ ${IPAVAULTUSE} = "false" ]; then
echo "No IPA- KRA service configured, SSH Key provisioning to and from IPA is not available." echo "No IPA- KRA service configured, SSH Key provisioning to and from IPA is not available."
else else
if [ -f ${KEYFILE} ]; then if [ -f ${KEYFILE} ]; then
echo "SSH Key already present at ${KEYFILE}. Leaving it untouched." echo "SSH Key already present at ${KEYFILE}. Leaving it untouched."
else else
mkdir -p "${HOME}/.ssh"
echo "SSH Key ${KEYFILE} not found. Getting Key from IPA- Vault" echo "SSH Key ${KEYFILE} not found. Getting Key from IPA- Vault"
ipa vault-retrieve "${SSHVAULTNAME}" --out ${KEYFILE} ipa vault-retrieve "${SSHVAULTNAME}" --out ${KEYFILE}
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
@@ -29,7 +51,7 @@ else
echo "Error creating the new Vault named ${SSHVAULTNAME} on IPA. This should not happen, aborting. Please check." echo "Error creating the new Vault named ${SSHVAULTNAME} on IPA. This should not happen, aborting. Please check."
exit 1 exit 1
else else
ssh-keygen -t ed25519 -C "$(whoami)" -f ${KEYFILE} ssh-keygen -t ed25519 -C "$(whoami)" -N "" -f ${KEYFILE}
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Error generating the new SSH key at ${KEYFILE}. Aborting without touching the Vault. Please check." echo "Error generating the new SSH key at ${KEYFILE}. Aborting without touching the Vault. Please check."
exit 1 exit 1
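Review bot: The relocation block in the first hunk trusts `DECRYPTEDDATADIR` without any check, while the script validates `DAVTOKEN_USER` a few lines earlier; if it is empty, `SSHDIR_REAL` becomes `/ssh_keys`, and if it is set but the encrypted data dir is not yet mounted (the README describes it as a gocryptfs data dir, so presumably a FUSE mount point), `mkdir -p` creates a plain directory there and the private key ends up on the unencrypted filesystem, with `~/.ssh` later pointing at an empty directory once the mount appears. Guard it before `mkdir -p "${SSHDIR_REAL}"`, in the same style as the existing check: `if [ "${DECRYPTEDDATADIR}." == "." ] || ! mountpoint -q "${DECRYPTEDDATADIR}"; then` / `echo "Encrypted data dir ${DECRYPTEDDATADIR} is not set or not mounted. Aborting, please check."` / `exit 1` — drop the `mountpoint` half if the directory is not a mount point. Also `mkdir -p` and `chmod 0700` on `SSHDIR_REAL` have no `$?` check, unlike the `cp -a` and `ln -s` that follow, so a failure there is only reported indirectly by the later copy. Note that the migration runs `rm -rf "${SSHDIR}"` only after a successful `cp -a`, which is the right order, but if `ln -s` then fails the user is left with no `~/.ssh` at all; a comment stating that the data now lives in `${SSHDIR_REAL}` in that error message would help recovery.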