fedora-OEMDRV/client_software/0060_ssh_key/README.md
Daniel unbrot Pätzold 6fe96f82fd 0060_ssh_key: relocate ~/.ssh into encrypted data dir, generate non-interactively
Symlinks ~/.ssh to ${DECRYPTEDDATADIR}/ssh_keys (migrating any existing
content once) so the key lives in the gocryptfs-encrypted area instead
of the plain home directory. Also passes -N "" to ssh-keygen so key
generation no longer prompts for a passphrase.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-17 13:49:33 +02:00


0060_ssh_key

Provisions a per-user ~/.ssh/id_ed25519 key and escrows the private key in the user's FreeIPA KRA vault named SSH_PRIV_KEY, so the same key is reused across machines instead of a new one being generated on every install.

Run as the logged-in user via client_software/user_run.sh (needs the DAVTOKEN_USER environment prepared by sync_client_software.sh).

Behavior:

  • ~/.ssh is relocated to ${DECRYPTEDDATADIR}/ssh_keys (the user's gocryptfs-encrypted data dir) on first run: any existing content is moved there once, then ~/.ssh becomes a symlink to it. Subsequent runs detect the symlink and skip this step.
  • If ~/.ssh/id_ed25519 already exists, it is left untouched.
  • Otherwise, tries ipa vault-retrieve for SSH_PRIV_KEY:
    • found → the private key is fetched, its permissions are fixed to 0600, and the public key is derived from it.
    • not found → a new vault is created, a new key pair is generated (non-interactively, with an empty passphrase), and the private key is archived to the vault.
  • The whole script requires IPAVAULTUSE=true (i.e. a KRA is available); otherwise it is a no-op.

Note: this only handles private-key escrow. Publishing the public key to the user's FreeIPA entry (ipa user-mod --sshpubkey) is not done by this script. Because the key is generated with an empty passphrase, it is protected at rest only by the gocryptfs data dir on the client and by vault access control in the KRA.