forked from obel1x/fedora-OEMDRV
Daniel unbrot Pätzold
a708e4fa6e
Provisions ~/.ssh/id_ed25519 once and stores it in the FreeIPA KRA vault so the key persists across reinstalls/new machines instead of being regenerated each time. Guards against silently overwriting an existing vault key on transient failures (missing ~/.ssh, vault-add errors, ssh-keygen failures) before archiving. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
21 lines
931 B
Markdown
21 lines
931 B
Markdown
# 0060_ssh_key
|
|
|
|
Provisions a per-user `~/.ssh/id_ed25519` key and escrows it in the FreeIPA
|
|
KRA vault (`SSH_PRIV_KEY`), so the same key is reused across machines instead
|
|
of generating a new one on every install.
|
|
|
|
Run as the logged-in user via `client_software/user_run.sh` (needs the
|
|
`DAVTOKEN_USER` environment prepared by `sync_client_software.sh`).
|
|
|
|
Behavior:
|
|
- If `~/.ssh/id_ed25519` already exists locally, it's left untouched.
|
|
- Otherwise, tries `ipa vault-retrieve` for `SSH_PRIV_KEY`:
|
|
- found → key is fetched, permissions fixed to `0600`, public key derived.
|
|
- not found → a new vault is created, a new key pair is generated, and the
|
|
private key is archived to the vault.
|
|
- Requires `IPAVAULTUSE=true` (KRA available); otherwise the script is a
|
|
no-op.
|
|
|
|
Note: this only handles private-key escrow. Publishing the public key to the
|
|
user's FreeIPA entry (`ipa user-mod --sshpubkey`) is not done by this script.
|