forked from obel1x/fedora-OEMDRV
Compare commits
14 Commits
dc181fddf4
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
 obel1x
|
4af970dfc4 | ||
 Daniel unbrot Pätzold
|
6fe96f82fd | ||
|
Daniel unbrot Pätzold
|
a708e4fa6e | ||
|
obel1x
|
b99ad00d6a | ||
|
Daniel unbrot Pätzold
|
334c00e197 | ||
|
obel1x
|
f705722e6d | ||
|
Daniel unbrot Pätzold
|
ac85c665a8 | ||
|
Daniel unbrot Pätzold
|
01b39e892f | ||
|
Daniel unbrot Pätzold
|
5e0f268962 | ||
|
Daniel unbrot Pätzold
|
b32cc96ca0 | ||
|
Daniel unbrot Pätzold
|
5b13ea7372 | ||
|
Daniel unbrot Pätzold
|
3429ffa48f | ||
|
obel1x
|
40843b8295 | ||
|
obel1x
|
fbf4faf6aa |
@@ -18,7 +18,12 @@ if [[ -z $(wmctrl -m | grep "KWin") ]]; then
|
||||
fi
|
||||
|
||||
#Restart the service
|
||||
systemd-run --user --scope --unit=kwalletd6-logon kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
|
||||
# Stop any leftover unit from a previous session before creating a new one
|
||||
systemctl --user stop kwalletd6-logon.service 2>/dev/null || true
|
||||
systemd-run --user --unit=kwalletd6-logon \
|
||||
--property=RemainAfterExit=yes \
|
||||
--property=SuccessExitStatus=1 \
|
||||
kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
|
||||
sleep 1
|
||||
|
||||
#Check if kwalletd is enabled now
|
||||
|
||||
Executable → Regular
@@ -0,0 +1,24 @@
|
||||
# 0060_ssh_key
|
||||
|
||||
Provisions a per-user `~/.ssh/id_ed25519` key and escrows it in the FreeIPA
|
||||
KRA vault (`SSH_PRIV_KEY`), so the same key is reused across machines instead
|
||||
of generating a new one on every install.
|
||||
|
||||
Run as the logged-in user via `client_software/user_run.sh` (needs the
|
||||
`DAVTOKEN_USER` environment prepared by `sync_client_software.sh`).
|
||||
|
||||
Behavior:
|
||||
- `~/.ssh` is relocated to `${DECRYPTEDDATADIR}/ssh_keys` (the user's
|
||||
gocryptfs-encrypted data dir) on first run: any existing content is moved
|
||||
there once, then `~/.ssh` becomes a symlink to it. Subsequent runs detect
|
||||
the symlink and skip this step.
|
||||
- If `~/.ssh/id_ed25519` already exists, it's left untouched.
|
||||
- Otherwise, tries `ipa vault-retrieve` for `SSH_PRIV_KEY`:
|
||||
- found → key is fetched, permissions fixed to `0600`, public key derived.
|
||||
- not found → a new vault is created, a new key pair is generated, and the
|
||||
private key is archived to the vault.
|
||||
- Requires `IPAVAULTUSE=true` (KRA available); otherwise the script is a
|
||||
no-op.
|
||||
|
||||
Note: this only handles private-key escrow. Publishing the public key to the
|
||||
user's FreeIPA entry (`ipa user-mod --sshpubkey`) is not done by this script.
|
||||
Executable
+81
@@ -0,0 +1,81 @@
|
||||
#!/usr/bin/env sh
|
||||
# SPDX-FileCopyrightText: Daniel Pätzold
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
#
|
||||
# If IPA-KRA is available, use it to store or retrieve personal private ssh key, so that the key won't change every time on new installs
|
||||
#
|
||||
|
||||
#Check Token
|
||||
if [ "${DAVTOKEN_USER}." == "." ]; then
|
||||
echo "Error: Script cannot be executed standalone and needs a prereserved environment from sync_client_software.sh. Quit."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
SSHDIR="${HOME}/.ssh"
|
||||
SSHDIR_REAL="${DECRYPTEDDATADIR}/ssh_keys"
|
||||
KEYFILE="${SSHDIR}/id_ed25519"
|
||||
SSHVAULTNAME="SSH_PRIV_KEY"
|
||||
|
||||
#Relocate ~/.ssh into the encrypted data directory, migrating any existing content once
|
||||
if [ ! -L "${SSHDIR}" ]; then
|
||||
mkdir -p "${SSHDIR_REAL}"
|
||||
chmod 0700 "${SSHDIR_REAL}"
|
||||
if [ -d "${SSHDIR}" ]; then
|
||||
echo "Migrating existing ${SSHDIR} contents to ${SSHDIR_REAL}."
|
||||
cp -a "${SSHDIR}/." "${SSHDIR_REAL}/"
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Error migrating ${SSHDIR} contents to ${SSHDIR_REAL}. Aborting, please check."
|
||||
exit 1
|
||||
fi
|
||||
rm -rf "${SSHDIR}"
|
||||
fi
|
||||
ln -s "${SSHDIR_REAL}" "${SSHDIR}"
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Error creating symlink ${SSHDIR} -> ${SSHDIR_REAL}. Aborting, please check."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ${IPAVAULTUSE} = "false" ]; then
|
||||
echo "No IPA- KRA service configured, SSH Key provisioning to and from IPA is not available."
|
||||
else
|
||||
if [ -f ${KEYFILE} ]; then
|
||||
echo "SSH Key already present at ${KEYFILE}. Leaving it untouched."
|
||||
else
|
||||
echo "SSH Key ${KEYFILE} not found. Getting Key from IPA- Vault"
|
||||
ipa vault-retrieve "${SSHVAULTNAME}" --out ${KEYFILE}
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Seems there is no key yet on IPA, creating it new."
|
||||
ipa vault-add "${SSHVAULTNAME}" --desc "SSH private key (Stored by OEMDRV autoinstall Modules)" --type=standard
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Error creating the new Vault named ${SSHVAULTNAME} on IPA. This should not happen, aborting. Please check."
|
||||
exit 1
|
||||
else
|
||||
ssh-keygen -t ed25519 -C "$(whoami)" -N "" -f ${KEYFILE}
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Error generating the new SSH key at ${KEYFILE}. Aborting without touching the Vault. Please check."
|
||||
exit 1
|
||||
fi
|
||||
ipa vault-archive "${SSHVAULTNAME}" --in ${KEYFILE}
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Error storing the Key to the created Vault ${SSHVAULTNAME}. This should not happen, aborting. Please check."
|
||||
exit 1
|
||||
else
|
||||
echo "Sucessfully created SSH Key and stored it in IPAs KRA Vault named ${SSHVAULTNAME}."
|
||||
fi
|
||||
fi
|
||||
else
|
||||
# derive public key from private key when enrolling to new system
|
||||
ssh-keygen -y -f "${KEYFILE}" > "${KEYFILE}.pub"
|
||||
if [ $? -eq 0 ]; then
|
||||
chmod 0600 "${KEYFILE}" "${KEYFILE}.pub"
|
||||
echo "Sucessfully fetched SSH Key from IPA."
|
||||
else
|
||||
echo "Something went wrong with Key provisioning, please check."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
exit 0
|
||||
@@ -46,8 +46,6 @@ do_configure() {
|
||||
if [[ -f "$CONF_PRE" ]]; then
|
||||
echo " Choice (p): Another config run result was found in $CONF_PRE."
|
||||
echo " Hint: May contain Values that already were setup different for your details"
|
||||
else
|
||||
unset CONF_PRE
|
||||
fi
|
||||
if [[ -f "$CONF_FILE" ]]; then
|
||||
echo " Choice (c): Found companys full config in $CONF_FILE."
|
||||
@@ -64,12 +62,13 @@ do_configure() {
|
||||
case "${CHOICE}" in
|
||||
"p")
|
||||
if [[ -f "$CONF_PRE" ]]; then
|
||||
echo "Using the existing config run file."
|
||||
echo "Using the existing config run file $CONF_PRE"
|
||||
break
|
||||
fi
|
||||
;;
|
||||
"c")
|
||||
if [[ -f "$CONF_FILE" ]]; then
|
||||
echo "Replacing $CONF_PRE with $CONF_FILE"
|
||||
rm "$CONF_PRE" >/dev/null 2>&1
|
||||
cp "$CONF_FILE" "$CONF_PRE" && break
|
||||
fi
|
||||
|
||||
@@ -10,6 +10,16 @@ if [ "$EUID" -ne 0 ]; then
|
||||
echo "Press any key to continue" && read -n 1 -s -r && exit 1
|
||||
fi
|
||||
|
||||
# Remove 'server _gateway iburst' from chrony.conf — Anaconda adds it as a fallback but
|
||||
# _gateway is not resolvable by chronyd at startup; DHCP-sourced servers via sourcedir
|
||||
# /run/chrony-dhcp already cover NTP discovery so this line is redundant and noisy.
|
||||
_CHRONY_CONF="/etc/chrony.conf"
|
||||
if [ -f "${_CHRONY_CONF}" ] && grep -q "^server _gateway" "${_CHRONY_CONF}"; then
|
||||
echo "Patching chrony.conf: removing unresolvable 'server _gateway' entry"
|
||||
sed -i "/^server _gateway/d" "${_CHRONY_CONF}"
|
||||
systemctl restart chronyd
|
||||
fi
|
||||
|
||||
# Ensure krb5_validate = False in sssd.conf to restore offline auth
|
||||
# (SSSD >= 2.10.1 skips the CAP_DAC_READ_SEARCH raise in offline mode, so validate_tgt
|
||||
# fails with EACCES before the cached-credential fallback is reached)
|
||||
|
||||
Reference in New Issue
Block a user