a708e4fa6e
Provisions ~/.ssh/id_ed25519 once and stores it in the FreeIPA KRA vault so the key persists across reinstalls/new machines instead of being regenerated each time. Guards against silently overwriting an existing vault key on transient failures (missing ~/.ssh, vault-add errors, ssh-keygen failures) before archiving.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
0060_ssh_key
Provisions a per-user ~/.ssh/id_ed25519 key and escrows it in the FreeIPA
KRA vault (SSH_PRIV_KEY), so the same key is reused across machines instead
of generating a new one on every install.
Run as the logged-in user via client_software/user_run.sh (needs the
DAVTOKEN_USER environment prepared by sync_client_software.sh).
Behavior:
- If `~/.ssh/id_ed25519` already exists locally, it's left untouched.
- Otherwise, tries `ipa vault-retrieve` for `SSH_PRIV_KEY`:
  - found → key is fetched, permissions fixed to 0600, public key derived.
  - not found → a new vault is created, a new key pair is generated, and the
    private key is archived to the vault.
- Requires `IPAVAULTUSE=true` (KRA available); otherwise the script is a no-op.
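The behavior above as an added shell example; this is not the repository's 0060_ssh_key script. It assumes the FreeIPA CLI exits with status 2 for NotFound and with some other status for every other error, and that the user already holds a Kerberos ticket; any non-NotFound failure of `ipa vault-retrieve` is treated as fatal so a transient error can never lead to a fresh key being generated and archived over one that is already escrowed.

```shell
#!/usr/bin/env bash
# Added example, not the repository's 0060_ssh_key script.
# Assumptions: the FreeIPA CLI exits with status 2 for NotFound (ipalib
# errors.NotFound, rval=2) and with another status for every other error,
# and the caller already holds a Kerberos ticket for the user.
set -eu

VAULT="SSH_PRIV_KEY"

provision_ssh_key() {
    key="$HOME/.ssh/id_ed25519"

    # No KRA-backed vault in this deployment: do nothing at all.
    [ "${IPAVAULTUSE:-false}" = "true" ] || { echo "disabled"; return 0; }

    # A local key is authoritative; never regenerate over it.
    [ ! -f "$key" ] || { echo "local"; return 0; }

    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh" || return 1

    # Try the escrowed copy first. Only exit status 2 (vault not found)
    # may fall through to generation; any other failure (no ticket, KRA
    # down, network) aborts, so a transient error can never lead to
    # creating and archiving a new key over one that already exists.
    rc=0
    (umask 077; ipa vault-retrieve "$VAULT" --out "$key" >/dev/null 2>&1) || rc=$?
    if [ "$rc" -eq 0 ]; then
        chmod 600 "$key"
        ssh-keygen -y -f "$key" > "$key.pub"   # derive the public half
        echo "retrieved"; return 0
    elif [ "$rc" -ne 2 ]; then
        rm -f "$key"                           # discard any partial download
        echo "vault-retrieve failed (status $rc); not generating a key" >&2
        return 1
    fi

    # Vault genuinely absent: create it, then generate, then archive.
    # Each step is checked so a failure leaves no half-provisioned state
    # and nothing is archived unless the vault and the key both exist.
    ipa vault-add "$VAULT" --type standard >/dev/null ||
        { echo "vault-add failed" >&2; return 1; }
    ssh-keygen -q -t ed25519 -N "" -f "$key" ||
        { rm -f "$key" "$key.pub"; echo "ssh-keygen failed" >&2; return 1; }
    ipa vault-archive "$VAULT" --in "$key" >/dev/null ||
        { echo "vault-archive failed; key exists locally only" >&2; return 1; }
    echo "generated"
}
```

Publishing the derived public key to the user's FreeIPA entry is left out on purpose, matching the note below.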
Note: this only handles private-key escrow. Publishing the public key to the
user's FreeIPA entry (ipa user-mod --sshpubkey) is not done by this script.