forked from obel1x/fedora-OEMDRV
0060_ssh_key: relocate ~/.ssh into encrypted data dir, generate non-interactively
Symlinks ~/.ssh to ${DECRYPTEDDATADIR}/ssh_keys (migrating any existing
content once) so the key lives in the gocryptfs-encrypted area instead
of the plain home directory. Also passes -N "" to ssh-keygen so key
generation no longer prompts for a passphrase.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Daniel unbrot Pätzold
@@ -8,7 +8,11 @@ Run as the logged-in user via `client_software/user_run.sh` (needs the
|
||||
`DAVTOKEN_USER` environment prepared by `sync_client_software.sh`).
|
||||
|
||||
Behavior:
|
||||
- If `~/.ssh/id_ed25519` already exists locally, it's left untouched.
|
||||
- `~/.ssh` is relocated to `${DECRYPTEDDATADIR}/ssh_keys` (the user's
|
||||
gocryptfs-encrypted data dir) on first run: any existing content is moved
|
||||
there once, then `~/.ssh` becomes a symlink to it. Subsequent runs detect
|
||||
the symlink and skip this step.
|
||||
- If `~/.ssh/id_ed25519` already exists, it's left untouched.
|
||||
- Otherwise, tries `ipa vault-retrieve` for `SSH_PRIV_KEY`:
|
||||
- found → key is fetched, permissions fixed to `0600`, public key derived.
|
||||
- not found → a new vault is created, a new key pair is generated, and the
|
||||
|
||||
Reference in New Issue
Block a user