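#!/usr/bin/env sh
# SPDX-FileCopyrightText: Daniel Pätzold
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# If IPA-KRA is available, use it to store or retrieve the personal private
# ssh key, so that the key won't change on every new install.
#
# Expected environment (provided by sync_client_software.sh; the script
# refuses to run standalone):
#   DAVTOKEN_USER  - must be non-empty; only used as a guard that the calling
#                    environment was prepared
#   IPAVAULTUSE    - the literal string "false" disables all IPA vault handling
#   HOME           - the key is placed at $HOME/.ssh/id_ed25519
#
# Exit status: 0 on success or when nothing had to be done, 1 on any error.
# Diagnostics for error cases go to stderr.

# Guard: refuse to run outside the prepared environment.
# (POSIX sh: use '=' in [ ], '==' is a bashism that breaks under dash.)
if [ "${DAVTOKEN_USER}." = "." ]; then
  echo "Error: Script cannot be executed standalone and needs a prereserved environment from sync_client_software.sh. Quit." >&2
  exit 1
fi

# Every file created below holds key material (written by ipa vault-retrieve
# or ssh-keygen); make sure nothing is created group/world readable no matter
# what umask the caller had.
umask 077

KEYFILE="${HOME}/.ssh/id_ed25519"
SSHVAULTNAME="SSH_PRIV_KEY"

if [ "${IPAVAULTUSE}" = "false" ]; then
  echo "No IPA- KRA service configured, SSH Key provisioning to and from IPA is not available."
  exit 0
fi

if [ -f "${KEYFILE}" ]; then
  echo "SSH Key already present at ${KEYFILE}. Leaving it untouched."
  exit 0
fi

mkdir -p "${HOME}/.ssh"
# ssh refuses to use a ~/.ssh that is accessible by others.
chmod 0700 "${HOME}/.ssh"
echo "SSH Key ${KEYFILE} not found. Getting Key from IPA- Vault"

if ipa vault-retrieve "${SSHVAULTNAME}" --out "${KEYFILE}"; then
  # An existing key was retrieved: lock it down first, then derive the
  # public half for this newly enrolled system.
  chmod 0600 "${KEYFILE}"
  if ssh-keygen -y -f "${KEYFILE}" > "${KEYFILE}.pub"; then
    chmod 0600 "${KEYFILE}" "${KEYFILE}.pub"
    echo "Sucessfully fetched SSH Key from IPA."
    exit 0
  fi
  echo "Something went wrong with Key provisioning, please check." >&2
  exit 1
fi

# Nothing retrievable: create the vault, then a fresh key, then archive it.
echo "Seems there is no key yet on IPA, creating it new."
if ! ipa vault-add "${SSHVAULTNAME}" --desc "SSH private key (Stored by OEMDRV autoinstall Modules)" --type=standard; then
  echo "Error creating the new Vault named ${SSHVAULTNAME} on IPA. This should not happen, aborting. Please check." >&2
  exit 1
fi

# KEYFILE did not exist before the retrieve attempt, so anything present now
# is a leftover of the failed retrieve; drop it so ssh-keygen does not stop
# at its "Overwrite?" prompt.
rm -f -- "${KEYFILE}"
if ! ssh-keygen -t ed25519 -C "$(whoami)" -f "${KEYFILE}"; then
  echo "Error generating the new SSH key at ${KEYFILE}. Aborting without touching the Vault. Please check." >&2
  exit 1
fi

if ! ipa vault-archive "${SSHVAULTNAME}" --in "${KEYFILE}"; then
  echo "Error storing the Key to the created Vault ${SSHVAULTNAME}. This should not happen, aborting. Please check." >&2
  exit 1
fi
echo "Sucessfully created SSH Key and stored it in IPAs KRA Vault named ${SSHVAULTNAME}."
exit 0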