6fe96f82fd
Symlinks ~/.ssh to ${DECRYPTEDDATADIR}/ssh_keys (migrating any existing
content once) so the key lives in the gocryptfs-encrypted area instead
of the plain home directory. Also passes -N "" to ssh-keygen so key
generation no longer prompts for a passphrase.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
25 lines
1.2 KiB
Markdown
# 0060_ssh_key

Provisions a per-user `~/.ssh/id_ed25519` key and escrows it in the FreeIPA
KRA vault (`SSH_PRIV_KEY`), so the same key is reused across machines instead
of generating a new one on every install.

Run as the logged-in user via `client_software/user_run.sh` (needs the
`DAVTOKEN_USER` environment prepared by `sync_client_software.sh`).

Behavior:

- `~/.ssh` is relocated to `${DECRYPTEDDATADIR}/ssh_keys` (the user's
  gocryptfs-encrypted data dir) on first run: any existing content is moved
  there once, then `~/.ssh` becomes a symlink to it. Subsequent runs detect
  the symlink and skip this step.
- If `~/.ssh/id_ed25519` already exists, it's left untouched.
- Otherwise, tries `ipa vault-retrieve` for `SSH_PRIV_KEY`:
  - found → key is fetched, permissions fixed to `0600`, public key derived.
  - not found → a new vault is created, a new key pair is generated, and the
    private key is archived to the vault.
- Requires `IPAVAULTUSE=true` (KRA available); otherwise the script is a
  no-op.

Note: this only handles private-key escrow. Publishing the public key to the
user's FreeIPA entry (`ipa user-mod --sshpubkey`) is not done by this script.
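The relocate-then-escrow flow described above, written out as an added example (not the repository's own `0060_ssh_key` script). The function names are chosen here, and using `ipa vault-add --type standard` plus `ipa vault-archive` for the create-and-archive branch is an assumption, since the README only names `ipa vault-retrieve`.

```shell
#!/usr/bin/env bash
# Added example, not the repo's 0060_ssh_key script. Env var names follow the
# README; function names and the vault-add/vault-archive calls are assumptions.
set -eu

# Move $home/.ssh into $datadir/ssh_keys exactly once and leave a symlink
# behind. Re-running is safe: an existing symlink means it already happened.
relocate_ssh_dir() {
  local home="$1" target="$2/ssh_keys"
  if [ -L "$home/.ssh" ]; then
    return 0                          # migrated on an earlier run
  fi
  mkdir -p "$target"
  chmod 0700 "$target"
  if [ -d "$home/.ssh" ]; then
    cp -a "$home/.ssh/." "$target/"   # "/." copies dotfiles too
    rm -rf "$home/.ssh"
  fi
  ln -s "$target" "$home/.ssh"
}

# Fetch SSH_PRIV_KEY from the user's KRA vault, or create the vault, a fresh
# key pair, and archive the private key. No-op unless IPAVAULTUSE=true.
provision_key() {
  local key="$1/id_ed25519"
  [ "${IPAVAULTUSE:-false}" = true ] || return 0
  if [ -f "$key" ]; then
    return 0                          # never overwrite an existing key
  fi
  if ipa vault-retrieve SSH_PRIV_KEY --out "$key" >/dev/null 2>&1; then
    chmod 0600 "$key"
    ssh-keygen -y -f "$key" > "$key.pub"   # derive the public half
  else
    ipa vault-add SSH_PRIV_KEY --type standard >/dev/null   # assumed vault type
    # -N "": no passphrase, so the gocryptfs mount is the key's at-rest protection
    ssh-keygen -q -t ed25519 -N "" -f "$key"
    ipa vault-archive SSH_PRIV_KEY --in "$key" >/dev/null
  fi
}

main() {
  : "${DECRYPTEDDATADIR:?must point at the mounted gocryptfs data dir}"
  relocate_ssh_dir "$HOME" "$DECRYPTEDDATADIR"
  provision_key "$HOME/.ssh"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as the target user with `--run` after `DECRYPTEDDATADIR` is exported; the relocation step can be exercised on its own against a scratch directory without any FreeIPA client present.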