Daniel unbrot Pätzold
6fe96f82fd
Symlinks ~/.ssh to ${DECRYPTEDDATADIR}/ssh_keys (migrating any existing
content once) so the key lives in the gocryptfs-encrypted area instead
of the plain home directory. Also passes -N "" to ssh-keygen so key
generation no longer prompts for a passphrase.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
82 lines
2.9 KiB
Bash
Executable File
82 lines
2.9 KiB
Bash
Executable File
#!/usr/bin/env sh
|
|
# SPDX-FileCopyrightText: Daniel Pätzold
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
#
|
|
# If IPA-KRA is available, use it to store or retrieve personal private ssh key, so that the key won't change every time on new installs
|
|
#
|
|
|
|
#Check Token
|
|
if [ "${DAVTOKEN_USER}." == "." ]; then
|
|
echo "Error: Script cannot be executed standalone and needs a prereserved environment from sync_client_software.sh. Quit."
|
|
exit 1
|
|
fi
|
|
|
|
SSHDIR="${HOME}/.ssh"
|
|
SSHDIR_REAL="${DECRYPTEDDATADIR}/ssh_keys"
|
|
KEYFILE="${SSHDIR}/id_ed25519"
|
|
SSHVAULTNAME="SSH_PRIV_KEY"
|
|
|
|
#Relocate ~/.ssh into the encrypted data directory, migrating any existing content once
|
|
if [ ! -L "${SSHDIR}" ]; then
|
|
mkdir -p "${SSHDIR_REAL}"
|
|
chmod 0700 "${SSHDIR_REAL}"
|
|
if [ -d "${SSHDIR}" ]; then
|
|
echo "Migrating existing ${SSHDIR} contents to ${SSHDIR_REAL}."
|
|
cp -a "${SSHDIR}/." "${SSHDIR_REAL}/"
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error migrating ${SSHDIR} contents to ${SSHDIR_REAL}. Aborting, please check."
|
|
exit 1
|
|
fi
|
|
rm -rf "${SSHDIR}"
|
|
fi
|
|
ln -s "${SSHDIR_REAL}" "${SSHDIR}"
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error creating symlink ${SSHDIR} -> ${SSHDIR_REAL}. Aborting, please check."
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
if [ ${IPAVAULTUSE} = "false" ]; then
|
|
echo "No IPA- KRA service configured, SSH Key provisioning to and from IPA is not available."
|
|
else
|
|
if [ -f ${KEYFILE} ]; then
|
|
echo "SSH Key already present at ${KEYFILE}. Leaving it untouched."
|
|
else
|
|
echo "SSH Key ${KEYFILE} not found. Getting Key from IPA- Vault"
|
|
ipa vault-retrieve "${SSHVAULTNAME}" --out ${KEYFILE}
|
|
if [ $? -ne 0 ]; then
|
|
echo "Seems there is no key yet on IPA, creating it new."
|
|
ipa vault-add "${SSHVAULTNAME}" --desc "SSH private key (Stored by OEMDRV autoinstall Modules)" --type=standard
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error creating the new Vault named ${SSHVAULTNAME} on IPA. This should not happen, aborting. Please check."
|
|
exit 1
|
|
else
|
|
ssh-keygen -t ed25519 -C "$(whoami)" -N "" -f ${KEYFILE}
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error generating the new SSH key at ${KEYFILE}. Aborting without touching the Vault. Please check."
|
|
exit 1
|
|
fi
|
|
ipa vault-archive "${SSHVAULTNAME}" --in ${KEYFILE}
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error storing the Key to the created Vault ${SSHVAULTNAME}. This should not happen, aborting. Please check."
|
|
exit 1
|
|
else
|
|
echo "Sucessfully created SSH Key and stored it in IPAs KRA Vault named ${SSHVAULTNAME}."
|
|
fi
|
|
fi
|
|
else
|
|
# derive public key from private key when enrolling to new system
|
|
ssh-keygen -y -f "${KEYFILE}" > "${KEYFILE}.pub"
|
|
if [ $? -eq 0 ]; then
|
|
chmod 0600 "${KEYFILE}" "${KEYFILE}.pub"
|
|
echo "Sucessfully fetched SSH Key from IPA."
|
|
else
|
|
echo "Something went wrong with Key provisioning, please check."
|
|
exit 1
|
|
fi
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
exit 0
|