forked from obel1x/fedora-OEMDRV
6fe96f82fd
Symlinks ~/.ssh to ${DECRYPTEDDATADIR}/ssh_keys (migrating any existing
content once) so the key lives in the gocryptfs-encrypted area instead
of the plain home directory. Also passes -N "" to ssh-keygen so key
generation no longer prompts for a passphrase.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1.2 KiB
0060_ssh_key
Provisions a per-user ~/.ssh/id_ed25519 key and escrows it in the FreeIPA
KRA vault (SSH_PRIV_KEY), so the same key is reused across machines instead
of generating a new one on every install.
Run as the logged-in user via client_software/user_run.sh (needs the
DAVTOKEN_USER environment prepared by sync_client_software.sh).
Behavior:
- `~/.ssh` is relocated to `${DECRYPTEDDATADIR}/ssh_keys` (the user's gocryptfs-encrypted data dir) on first run: any existing content is moved there once, then `~/.ssh` becomes a symlink to it. Subsequent runs detect the symlink and skip this step.
- If `~/.ssh/id_ed25519` already exists, it's left untouched.
- Otherwise, tries `ipa vault-retrieve` for `SSH_PRIV_KEY`:
  - found → key is fetched, permissions fixed to 0600, public key derived.
  - not found → a new vault is created, a new key pair is generated, and the private key is archived to the vault.
- Requires `IPAVAULTUSE=true` (KRA available); otherwise the script is a no-op.
Note: this only handles private-key escrow. Publishing the public key to the
user's FreeIPA entry (ipa user-mod --sshpubkey) is not done by this script.
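The relocation step and the "existing key is left untouched" check from the behavior list, as an added POSIX sh example; this is not the project's own `0060_ssh_key` script. It takes the home directory and the decrypted data directory as function parameters instead of reading `DECRYPTEDDATADIR` from the environment, reaches `ssh-keygen` (with `-N ""` for an unattended empty passphrase, as in the commit message) only when no key exists, and does not reproduce the `ipa vault-retrieve` / vault-archive steps.

```shell
#!/bin/sh
# Added example, not the project's 0060_ssh_key script. Parameters replace the
# environment variables the real script uses (assumption for this example).

# relocate_ssh_dir HOME_DIR DATA_DIR
# Moves HOME_DIR/.ssh into DATA_DIR/ssh_keys once and leaves a symlink behind.
# Safe to rerun: a symlink at HOME_DIR/.ssh means the step already happened.
relocate_ssh_dir() {
    home_dir="$1"
    target="$2/ssh_keys"
    link="$home_dir/.ssh"

    # Previous run already relocated the directory: nothing to do.
    if [ -L "$link" ]; then
        return 0
    fi

    # Directory inside the encrypted area, owner-only like a normal ~/.ssh.
    mkdir -p "$target"
    chmod 0700 "$target"

    # Migrate existing plain-home content once, dotfiles included.
    if [ -d "$link" ]; then
        for f in "$link"/* "$link"/.[!.]* "$link"/..?*; do
            # Unmatched globs stay literal; skip them.
            [ -e "$f" ] || [ -L "$f" ] || continue
            mv "$f" "$target"/
        done
        rmdir "$link"
    fi

    ln -s "$target" "$link"
}

# ensure_ssh_key HOME_DIR
# Leaves an existing id_ed25519 untouched (it may have come from the vault);
# otherwise generates one without a passphrase prompt.
ensure_ssh_key() {
    key="$1/.ssh/id_ed25519"
    if [ -f "$key" ]; then
        return 0
    fi
    # -N "" sets an empty passphrase so unattended provisioning never blocks.
    ssh-keygen -q -t ed25519 -N "" -f "$key" -C "$(id -un)" </dev/null
    chmod 0600 "$key"
}
```

Because the key is generated with an empty passphrase, its protection at rest comes entirely from the gocryptfs-encrypted data directory and the 0700/0600 permissions, which is why the relocation must happen before generation and why rerunning the script must never move a key back into the plain home directory.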