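#!/usr/bin/env sh
# SPDX-FileCopyrightText: Daniel Pätzold
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# If IPA-KRA is available, use it to store or retrieve personal private ssh key, so that the key won't change every time on new installs
#
# Flow:
#   1. Refuse to run unless the environment prepared by sync_client_software.sh is present.
#   2. Relocate ~/.ssh into the encrypted data directory (once) and leave a symlink behind.
#   3. If an IPA vault is configured: keep an existing key, otherwise fetch it from the vault;
#      if that fails, create the vault, generate a key and archive it.
#
# Required environment (provided by sync_client_software.sh):
#   DAVTOKEN_USER     - marker that the prepared environment is present
#   DECRYPTEDDATADIR  - root of the decrypted data directory (~/.ssh is moved below it)
#   IPAVAULTUSE       - "false" when no IPA-KRA service is available
#
# Exit status: 0 on success (or when IPA is not in use), 1 on any error.
# The script targets POSIX sh, so only POSIX test operators (`=`, not `==`) are used.

# Private key material is written by several commands below (ipa vault-retrieve
# --out, ssh-keygen, the .pub redirect); a restrictive umask makes each of them
# create owner-only files instead of relying on a chmod afterwards.
umask 077

# Print an error message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#Check Token
if [ "${DAVTOKEN_USER}." = "." ]; then
  die "Error: Script cannot be executed standalone and needs a prereserved environment from sync_client_software.sh. Quit."
fi
# Both directories are derived from these two variables; an empty value would
# silently operate on /.ssh or relocate the keys to /ssh_keys.
if [ -z "${HOME}" ] || [ -z "${DECRYPTEDDATADIR}" ]; then
  die "Error: HOME and DECRYPTEDDATADIR must be set. Quit."
fi

SSHDIR="${HOME}/.ssh"
SSHDIR_REAL="${DECRYPTEDDATADIR}/ssh_keys"
KEYFILE="${SSHDIR}/id_ed25519"
SSHVAULTNAME="SSH_PRIV_KEY"

#Relocate ~/.ssh into the encrypted data directory, migrating any existing content once
if [ ! -L "${SSHDIR}" ]; then
  if ! mkdir -p "${SSHDIR_REAL}"; then
    die "Error creating ${SSHDIR_REAL}. Aborting, please check."
  fi
  chmod 0700 "${SSHDIR_REAL}"
  if [ -d "${SSHDIR}" ]; then
    echo "Migrating existing ${SSHDIR} contents to ${SSHDIR_REAL}."
    # Copy first and remove the original only after the copy succeeded, so a
    # failed migration never loses existing keys.
    if ! cp -a "${SSHDIR}/." "${SSHDIR_REAL}/"; then
      die "Error migrating ${SSHDIR} contents to ${SSHDIR_REAL}. Aborting, please check."
    fi
    rm -rf -- "${SSHDIR}"
  fi
  if ! ln -s "${SSHDIR_REAL}" "${SSHDIR}"; then
    die "Error creating symlink ${SSHDIR} -> ${SSHDIR_REAL}. Aborting, please check."
  fi
fi

if [ "${IPAVAULTUSE}" = "false" ]; then
  echo "No IPA- KRA service configured, SSH Key provisioning to and from IPA is not available."
elif [ -f "${KEYFILE}" ]; then
  echo "SSH Key already present at ${KEYFILE}. Leaving it untouched."
else
  echo "SSH Key ${KEYFILE} not found. Getting Key from IPA- Vault"
  if ipa vault-retrieve "${SSHVAULTNAME}" --out "${KEYFILE}"; then
    # derive public key from private key when enrolling to new system
    if ! ssh-keygen -y -f "${KEYFILE}" > "${KEYFILE}.pub"; then
      die "Something went wrong with Key provisioning, please check."
    fi
    chmod 0600 "${KEYFILE}" "${KEYFILE}.pub"
    echo "Sucessfully fetched SSH Key from IPA."
  else
    # Every retrieve failure (including transient ones) lands here. vault-add is
    # expected to refuse an already existing vault, so a key that is really on the
    # server is never replaced; an existing-but-empty vault left by an interrupted
    # earlier run also ends up here and needs manual cleanup.
    # Discard any partial output so a later run does not mistake it for a key.
    rm -f -- "${KEYFILE}"
    echo "Seems there is no key yet on IPA, creating it new."
    if ! ipa vault-add "${SSHVAULTNAME}" --desc "SSH private key (Stored by OEMDRV autoinstall Modules)" --type=standard; then
      die "Error creating the new Vault named ${SSHVAULTNAME} on IPA. This should not happen, aborting. Please check."
    fi
    if ! ssh-keygen -t ed25519 -C "$(whoami)" -N "" -f "${KEYFILE}"; then
      die "Error generating the new SSH key at ${KEYFILE}. 
Aborting without touching the Vault. Please check."
    fi
    if ! ipa vault-archive "${SSHVAULTNAME}" --in "${KEYFILE}"; then
      die "Error storing the Key to the created Vault ${SSHVAULTNAME}. This should not happen, aborting. Please check."
    fi
    echo "Sucessfully created SSH Key and stored it in IPAs KRA Vault named ${SSHVAULTNAME}."
  fi
fi
exit 0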