0060_ssh_key: relocate ~/.ssh into encrypted data dir, generate non-interactively

Symlinks ~/.ssh to ${DECRYPTEDDATADIR}/ssh_keys (migrating any existing
content once) so the key lives in the gocryptfs-encrypted area instead
of the plain home directory. Also passes -N "" to ssh-keygen so key
generation no longer prompts for a passphrase.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitignore

@@ -8,7 +8,5 @@ config/*
 config.d/*.conf
 config.d/*.sys
 config.d/*.bak
-client_software/.sync_*.db
-client_software/setup_system.conf
 client_software_cust/*
 !client_software_cust/README.md

client_software/0010_kwallet/user_run.sh

@@ -18,7 +18,12 @@ if [[ -z $(wmctrl -m | grep "KWin") ]]; then
 fi
 
 #Restart the service
-systemd-run --user --scope --unit=kwalletd6-logon kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
+# Stop any leftover unit from a previous session before creating a new one
+systemctl --user stop kwalletd6-logon.service 2>/dev/null || true
+systemd-run --user --unit=kwalletd6-logon \
+    --property=RemainAfterExit=yes \
+    --property=SuccessExitStatus=1 \
+    kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
 sleep 1
 
 #Check if kwalletd is enabled now

client_software/0060_ssh_key/README.md

@@ -0,0 +1,24 @@
+# 0060_ssh_key
+
+Provisions a per-user `~/.ssh/id_ed25519` key and escrows it in the FreeIPA
+KRA vault (`SSH_PRIV_KEY`), so the same key is reused across machines instead
+of generating a new one on every install.
+
+Run as the logged-in user via `client_software/user_run.sh` (needs the
+`DAVTOKEN_USER` environment prepared by `sync_client_software.sh`).
+
+Behavior:
+- `~/.ssh` is relocated to `${DECRYPTEDDATADIR}/ssh_keys` (the user's
+  gocryptfs-encrypted data dir) on first run: any existing content is moved
+  there once, then `~/.ssh` becomes a symlink to it. Subsequent runs detect
+  the symlink and skip this step.
+- If `~/.ssh/id_ed25519` already exists, it's left untouched.
+- Otherwise, tries `ipa vault-retrieve` for `SSH_PRIV_KEY`:
+  - found → key is fetched, permissions fixed to `0600`, public key derived.
+  - not found → a new vault is created, a new key pair is generated, and the
+    private key is archived to the vault.
+- Requires `IPAVAULTUSE=true` (KRA available); otherwise the script is a
+  no-op.
+
+Note: this only handles private-key escrow. Publishing the public key to the
+user's FreeIPA entry (`ipa user-mod --sshpubkey`) is not done by this script.

client_software/0060_ssh_key/user_run.sh

@@ -0,0 +1,81 @@
+#!/usr/bin/env sh
+# SPDX-FileCopyrightText: Daniel Pätzold
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+# If IPA-KRA is available, use it to store or retrieve personal private ssh key, so that the key won't change every time on new installs
+#
+
+#Check Token
+if [ "${DAVTOKEN_USER}." == "." ]; then
+    echo "Error: Script cannot be executed standalone and needs a prereserved environment from sync_client_software.sh. Quit."
+    exit 1
+fi
+
+SSHDIR="${HOME}/.ssh"
+SSHDIR_REAL="${DECRYPTEDDATADIR}/ssh_keys"
+KEYFILE="${SSHDIR}/id_ed25519"
+SSHVAULTNAME="SSH_PRIV_KEY"
+
+#Relocate ~/.ssh into the encrypted data directory, migrating any existing content once
+if [ ! -L "${SSHDIR}" ]; then
+  mkdir -p "${SSHDIR_REAL}"
+  chmod 0700 "${SSHDIR_REAL}"
+  if [ -d "${SSHDIR}" ]; then
+    echo "Migrating existing ${SSHDIR} contents to ${SSHDIR_REAL}."
+    cp -a "${SSHDIR}/." "${SSHDIR_REAL}/"
+    if [ $? -ne 0 ]; then
+      echo "Error migrating ${SSHDIR} contents to ${SSHDIR_REAL}. Aborting, please check."
+      exit 1
+    fi
+    rm -rf "${SSHDIR}"
+  fi
+  ln -s "${SSHDIR_REAL}" "${SSHDIR}"
+  if [ $? -ne 0 ]; then
+    echo "Error creating symlink ${SSHDIR} -> ${SSHDIR_REAL}. Aborting, please check."
+    exit 1
+  fi
+fi
+
+if [ ${IPAVAULTUSE} = "false" ]; then
+  echo "No IPA- KRA service configured, SSH Key provisioning to and from IPA is not available."
+else
+  if [ -f ${KEYFILE} ]; then
+    echo "SSH Key already present at ${KEYFILE}. Leaving it untouched."
+  else
+    echo "SSH Key ${KEYFILE} not found. Getting Key from IPA- Vault"
+    ipa vault-retrieve "${SSHVAULTNAME}" --out ${KEYFILE}
+    if [ $? -ne 0 ]; then
+      echo "Seems there is no key yet on IPA, creating it new."
+      ipa vault-add "${SSHVAULTNAME}" --desc "SSH private key (Stored by OEMDRV autoinstall Modules)" --type=standard
+      if [ $? -ne 0 ]; then
+        echo "Error creating the new Vault named ${SSHVAULTNAME} on IPA. This should not happen, aborting. Please check."
+        exit 1
+      else
+        ssh-keygen -t ed25519 -C "$(whoami)" -N "" -f ${KEYFILE}
+        if [ $? -ne 0 ]; then
+          echo "Error generating the new SSH key at ${KEYFILE}. Aborting without touching the Vault. Please check."
+          exit 1
+        fi
+        ipa vault-archive "${SSHVAULTNAME}" --in ${KEYFILE}
+        if [ $? -ne 0 ]; then
+          echo "Error storing the Key to the created Vault ${SSHVAULTNAME}. This should not happen, aborting. Please check."
+          exit 1
+        else
+          echo "Sucessfully created SSH Key and stored it in IPAs KRA Vault named ${SSHVAULTNAME}."
+        fi
+      fi
+    else
+      # derive public key from private key when enrolling to new system
+      ssh-keygen -y -f "${KEYFILE}" > "${KEYFILE}.pub"
+      if [ $? -eq 0 ]; then
+        chmod 0600 "${KEYFILE}" "${KEYFILE}.pub"
+        echo "Sucessfully fetched SSH Key from IPA."
+      else
+        echo "Something went wrong with Key provisioning, please check."
+        exit 1
+      fi
+    fi
+  fi
+fi
+
+exit 0

system_setup/configure.sh

@@ -46,8 +46,6 @@ do_configure() {
         if [[ -f "$CONF_PRE" ]]; then
             echo "  Choice (p): Another config run result was found in $CONF_PRE."
             echo "    Hint: May contain Values that already were setup different for your details"
-        else
-            unset CONF_PRE
         fi
         if [[ -f "$CONF_FILE" ]]; then
             echo "  Choice (c): Found companys full config in $CONF_FILE."
@@ -64,12 +62,13 @@ do_configure() {
             case "${CHOICE}" in
                 "p")
                     if [[ -f "$CONF_PRE" ]]; then
-                        echo "Using the existing config run file."
+                        echo "Using the existing config run file $CONF_PRE"
                         break
                     fi
                     ;;
                 "c")
                     if [[ -f "$CONF_FILE" ]]; then
+                        echo "Replacing $CONF_PRE with $CONF_FILE"
                         rm "$CONF_PRE" >/dev/null 2>&1
                         cp "$CONF_FILE" "$CONF_PRE" && break
                     fi

system_setup/logon_script.sh

@@ -82,11 +82,14 @@ git config --global --add safe.directory /opt/sys_config
 # Pre check for old configuration parameters, will be removed in the future
 if [ ! -z "${CLIENT_SOFTWARE_DST}" ] || [ ! -z "${CLIENT_SOFTWARE_SRC}" ]; then
     elog_add " ===================="
+    elog_add ""
     elog_add "WARNING: Your company/setup has still CLIENT_SOFTWARE_DST or CLIENT_SOFTWARE_SRC set."
     elog_add "These parameters are obsolete and must be removed! The new parameters are CLIENT_SOFTWARE_CUST_DST and CLIENT_SOFTWARE_CUST_SRC"
     elog_add "as the software repository has been split into customer software and distributed software."
     elog_add "Please try to relog first. If this problem reoccures, contact your system admins to correct it."
     elog_add "Will continue with the new path. Press any key to continue."
+    elog_add ""
+    elog_add " ===================="
     read -n 1 -s -r
 fi
 
@@ -126,7 +129,7 @@ else
         # Rule seems to be ok, executing script
         elog_add "Matching Sudo rule found."
         elog_add ""
-        elog_add "Running client software sync..."
+        elog_add "Running ${SYSCONFIGPATH}/system_setup/sync_client_software.sh"
         elog_add_command "/usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install $1"
         if [[ $RETNO -ne 0 ]]; then
             elog_add "Errorcode was $RETNO"
@@ -137,10 +140,9 @@ else
 fi
 
 #Anyway run user scripts if existent
-#elog_add_command "${CLIENT_SOFTWARE_DST}/user_run.sh $1"
-elog_add "Running all software scripts in user- context."
+elog_add "Running user setup scripts in user- context."
 #1. Run the scripts, that are delivered by the package maintainers
-elog_add "Pre Installed scripts"
+elog_add "Pre installed user setup scripts"
 for DIR in $(ls -d ${SYSCONFIGPATH}/client_software/*/ | sort);     # list directories in the form "/tmp/dirname/"
 do
     DIR=${DIR%*/}      # remove the trailing "/"
@@ -163,9 +165,16 @@ do
         elog_add " ===================="
     fi
 done
+elog_add "Done running pre installed user setup scripts"
+
 #2. Run the scripts, that are delivered by the package maintainers
-if [ -d "${CLIENT_SOFTWARE_CUST_DST}" ]; then
-  elog_add "Company delivered scripts in ${CLIENT_SOFTWARE_CUST_DST}"
+# To run scripts, the tepository path must always be set right (but maybe empty, which is fine)
+if [ "${CLIENT_SOFTWARE_CUST_DST}" != "${SYSCONFIGPATH}/client_software_cust" ]; then
+    echo "Error in config: Required parameter CLIENT_SOFTWARE_CUST_DST is missing or set wrong."
+    echo "Please relog and if the problem reoccures, contact your system admins to correct the Values."
+    read -n 1 -s -r -p "Press any key to continue"
+else
+  elog_add "Running company delivered user setup scripts in ${CLIENT_SOFTWARE_CUST_DST}"
   for DIR in $(ls -d ${CLIENT_SOFTWARE_CUST_DST}/*/ | sort);     # list directories in the form "/tmp/dirname/"
   do
     DIR=${DIR%*/}      # remove the trailing "/"
@@ -188,8 +197,9 @@ if [ -d "${CLIENT_SOFTWARE_CUST_DST}" ]; then
         elog_add " ===================="
     fi
   done
+  elog_add "Done running company user setup scripts"
 fi
-elog_add "Completed user scripts in software."
+elog_add "Completed user setup scripts."
 elog_add  ""
 
 # Remove unused flatpak user installed software and data

system_setup/sync_client_software.sh

@@ -10,6 +10,16 @@ if [ "$EUID" -ne 0 ]; then
     echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 
+# Remove 'server _gateway iburst' from chrony.conf — Anaconda adds it as a fallback but
+# _gateway is not resolvable by chronyd at startup; DHCP-sourced servers via sourcedir
+# /run/chrony-dhcp already cover NTP discovery so this line is redundant and noisy.
+_CHRONY_CONF="/etc/chrony.conf"
+if [ -f "${_CHRONY_CONF}" ] && grep -q "^server _gateway" "${_CHRONY_CONF}"; then
+    echo "Patching chrony.conf: removing unresolvable 'server _gateway' entry"
+    sed -i "/^server _gateway/d" "${_CHRONY_CONF}"
+    systemctl restart chronyd
+fi
+
 # Ensure krb5_validate = False in sssd.conf to restore offline auth
 # (SSSD >= 2.10.1 skips the CAP_DAC_READ_SEARCH raise in offline mode, so validate_tgt
 #  fails with EACCES before the cached-credential fallback is reached)
@@ -73,6 +83,16 @@ else
 fi
 echo ""
 
+# Before running sync or software installs, restore the rights to all filles.
+# They must be owned by root, changeable by admingroup and readable by otherusers (we are root, so we can change!)
+# user_run.sh must also be executable by users
+chown root:${CLIENTADMINGROUP} -R ${SYSCONFIGPATH}
+chmod ug+rwX,o=rX -R ${SYSCONFIGPATH}
+
+#Make all install.sh executable
+find ${SYSCONFIGPATH}/client_software -type f -name install.sh -exec chmod ug+x,o-x {} \;
+find ${SYSCONFIGPATH}/client_software -type f -name user_run.sh -exec chmod ugo+x {} \;
+
 # At first, sync central configs if they are configured to be synced
 if [[ ! -z "${DISTCONFIGPATH_SRC}" ]]; then
     echo "Synced config path was found, doing remote sync."
@@ -130,14 +150,14 @@ if [[ ! -z "${DISTCONFIGPATH_SRC}" ]]; then
     fi
 fi
 
-echo "Running all software scripts in admin- context."
+echo "Running install scripts in admin- context."
 # Run pre installed scripts in client_software
-echo "Running pre installed scripts first."
+echo "Running pre installed install scripts in admin- context."
 for DIR in $(ls -d ${SYSCONFIGPATH}/client_software/*/ | sort); do
   DIR=${DIR%*/}      # remove the trailing "/"
-  if [[ "$1." != "." ]] && [[ "${DIR}" != *"$1"* ]]; then
+  if [[ "$2." != "." ]] && [[ "${DIR}" != *"$2"* ]]; then
     #search for string in dir
-    echo "Skipping ${DIR} while not in search parameter ( $1 )."
+    echo "Skipping ${DIR} while not in search parameter ( $2 )."
     continue
   fi
   if [ -f "${DIR}/install.sh" ]; then
@@ -155,21 +175,22 @@ for DIR in $(ls -d ${SYSCONFIGPATH}/client_software/*/ | sort); do
     echo " ===================="
   fi
 done
-echo "Sucessfully installed pre-defined software."
+echo "Done running pre installed install scripts in admin- context."
 echo
 
-# Repository must be the right path (but maybe empty, which is fine)
+# To run scripts, the repository path must always be set right (but maybe empty, which is fine)
 if [ "${CLIENT_SOFTWARE_CUST_DST}" != "${SYSCONFIGPATH}/client_software_cust" ]; then
     echo "Error in config: Required parameter CLIENT_SOFTWARE_CUST_DST is missing or set wrong."
     echo "Please relog and if the problem reoccures, contact your system admins to correct the Values."
     read -n 1 -s -r -p "Press any key to continue"
-    echo ""
+    echo
     exit 1
 else
   # Then, sync all client_software-files
   if [[ -z "${CLIENT_SOFTWARE_CUST_SRC}" ]]; then
     echo "No customer software sync is defined, skipping sync"
     echo "${CLIENT_SOFTWARE_CUST_DST} with ${CLIENT_SOFTWARE_CUST_SRC}"
+    echo
   else
     echo "Syncing customer software repository ${CLIENT_SOFTWARE_CUST_DST}"
     # Create Directory if not existent
@@ -190,24 +211,29 @@ else
         exit 1
     fi
     echo "Sucessfully synced."
-
-    # After sync again, restore the rights to all filles. They must be owned by root, changeable by admingroup and readable by otherusers (we are root, so we can change!)
-    chown root:${CLIENTADMINGROUP} -R ${SYSCONFIGPATH}
-    chmod ug+rwX,o=rX -R ${SYSCONFIGPATH}
-  fi
   fi
   echo
 
+  # After Snc NC is not able to set permission the right way (like execution flag)
+  # So this need to be done again for new files coming in via sync
+  # we do it either with or without sync for better safety
+  chown root:${CLIENTADMINGROUP} -R ${SYSCONFIGPATH}
+  chmod ug+rwX,o=rX -R ${SYSCONFIGPATH}
+
+  #Make all install.sh executable
+  find ${SYSCONFIGPATH}/client_software -type f -name install.sh -exec chmod ug+x,o-x {} \;
+  find ${SYSCONFIGPATH}/client_software -type f -name user_run.sh -exec chmod ugo+x {} \;
+  find ${SYSCONFIGPATH}/client_software_cust -type f -name install.sh -exec chmod ug+x,o-x {} \;
+  find ${SYSCONFIGPATH}/client_software_cust -type f -name user_run.sh -exec chmod ugo+x {} \;
+
   #Run customer setup
   if [ ! -z "${CLIENT_SOFTWARE_CUST_DST}" ]; then
-  echo "Running all software scripts in admin- context."
-  #Make all install.sh executable
-  find ${CLIENT_SOFTWARE_CUST_DST} -type f -name install.sh -exec chmod ugo+x {} \;
+    echo "Running company install scripts in admin- context."
     for DIR in $(ls -d ${CLIENT_SOFTWARE_CUST_DST}/*/ | sort); do
       DIR=${DIR%*/}      # remove the trailing "/"
-    if [[ "$1." != "." ]] && [[ "${DIR}" != *"$1"* ]]; then
+      if [[ "$2." != "." ]] && [[ "${DIR}" != *"$2"* ]]; then
         #search for string in dir
-      echo "Skipping ${DIR} while not in search parameter ( $1 )."
+        echo "Skipping ${DIR} while not in search parameter ( $2 )."
         continue
       fi
       if [ -f "${DIR}/install.sh" ]; then
@@ -225,12 +251,14 @@ if [ ! -z "${CLIENT_SOFTWARE_CUST_DST}" ]; then
         echo " ===================="
       fi
     done
+    echo "Done running company install scripts in admin- context."
+  fi
 fi
 
 #Last, remove unused Flatpak- Runtimes and unused Data
 echo "Removing unused Flatpak- Data."
 flatpak uninstall --unused -y
 
-echo "Sucessfully installed software."
+echo "Done running install scripts in admin- context."
 echo ""
 exit 0