X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fshare%2Fm%2Fsubkey_to_ssh_agent;h=36eab4f751ce21cdc1baefef000a0d5cc0782da5;hb=e3bb810e188cae2d40a5191500a501c85cb93381;hp=ec596bd76e148eadf4380dda3793dd79a8a62df0;hpb=ef9a47ba86dbd16bbff44cc01e5a2485823bbbdd;p=monkeysphere.git
diff --git a/src/share/m/subkey_to_ssh_agent b/src/share/m/subkey_to_ssh_agent
index ec596bd..36eab4f 100644
--- a/src/share/m/subkey_to_ssh_agent
+++ b/src/share/m/subkey_to_ssh_agent
@@ -27,7 +27,7 @@ subkey_to_ssh_agent() {
     local kname
 
     # if there's no agent running, don't bother:
-    if [ -z "$SSH_AUTH_SOCK" ] || ! which ssh-add >/dev/null ; then
+    if [ -z "$SSH_AUTH_SOCK" ] || ! type ssh-add >/dev/null ; then
         failure "No ssh-agent available."
     fi
 
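Review bot: The redirect on the new `type ssh-add >/dev/null` discards only the success output; when the binary is missing, bash's `type` builtin writes `type: ssh-add: not found` to stderr, so the user sees a raw shell diagnostic immediately before the `failure "No ssh-agent available."` message. If this function is meant to run under bash (the shebang is not in view, so this is inferred from the `type` builtin being relied on), silence both streams: `if [ -z "$SSH_AUTH_SOCK" ] || ! type ssh-add >/dev/null 2>&1 ; then`. The enclosing function subkey_to_ssh_agent starts before this hunk and continues after it.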
@@ -37,26 +37,34 @@ subkey_to_ssh_agent() {
     if [ "$sshaddresponse" = "2" ]; then
         failure "Could not connect to ssh-agent"
     fi
-
-    # get list of secret keys (to work around bug
-    # https://bugs.g10code.com/gnupg/issue945):
-    secretkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \
-        --fingerprint | \
-        grep '^fpr:' | cut -f10 -d: | awk '{ print "0x" $1 "!" }')
-
-    if [ -z "$secretkeys" ]; then
-        failure "You have no secret keys in your keyring!
+
+    # if the MONKEYSPHERE_SUBKEYS_FOR_AGENT variable is set, use the
+    # keys specified there
+    if [ "$MONKEYSPHERE_SUBKEYS_FOR_AGENT" ] ; then
+        authsubkeys="$MONKEYSPHERE_SUBKEYS_FOR_AGENT"
+
+    # otherwise find all authentication-capable subkeys and use those
+    else
+        # get list of secret keys
+        # (to work around bug https://bugs.g10code.com/gnupg/issue945):
+        secretkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \
+            --fingerprint | \
+            grep '^fpr:' | cut -f10 -d: | awk '{ print "0x" $1 "!" }')
+
+        if [ -z "$secretkeys" ]; then
+            failure "You have no secret keys in your keyring!
 You might want to run 'gpg --gen-key'."
-    fi
+        fi
 
-    authsubkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \
-        --fingerprint --fingerprint $secretkeys | \
-        cut -f1,5,10,12 -d: | grep -A1 '^ssb:[^:]*::[^:]*a[^:]*$' | \
-        grep '^fpr::' | cut -f3 -d: | sort -u)
-
-    if [ -z "$authsubkeys" ]; then
-        failure "no authentication-capable subkeys available.
-You might want to 'monkeysphere gen-subkey'"
+        authsubkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \
+            --fingerprint --fingerprint $secretkeys | \
+            cut -f1,5,10,12 -d: | grep -A1 '^ssb:[^:]*::[^:]*a[^:]*$' | \
+            grep '^fpr::' | cut -f3 -d: | sort -u)
+
+        if [ -z "$authsubkeys" ]; then
+            failure "no authentication-capable subkeys available.
+You might want to run 'monkeysphere gen-subkey'."
+        fi
     fi
 
     workingdir=$(msmktempdir)
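Review bot: The new MONKEYSPHERE_SUBKEYS_FOR_AGENT branch copies the variable straight into `authsubkeys` with no check on its contents, whereas the else branch only ever yields hex fingerprints from `grep '^fpr::' | cut -f3 -d:`. Later in the function (beyond this hunk) each entry is word-split by `for subkey in $authsubkeys`, handed to gpg as `"0x${subkey}!"` and interpolated unescaped into an egrep pattern, so a value containing spaces, regex metacharacters or non-hex characters surfaces as a confusing per-key error rather than as a clear rejection of the configuration. Validate the entries where the variable is read, before the temp directory is created. The function subkey_to_ssh_agent begins before and ends after this hunk.

```shell
    if [ "$MONKEYSPHERE_SUBKEYS_FOR_AGENT" ] ; then
        authsubkeys="$MONKEYSPHERE_SUBKEYS_FOR_AGENT"
        # accept only bare hex key IDs/fingerprints: each entry is later
        # word-split, prefixed with 0x for gpg and used inside a regex
        for subkey in $authsubkeys; do
            case "$subkey" in
                *[!0-9A-Fa-f]*)
                    failure "MONKEYSPHERE_SUBKEYS_FOR_AGENT entry '$subkey' is not a hex key ID or fingerprint." ;;
            esac
        done
    # … unchanged: else branch discovering authentication-capable subkeys …
```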
@@ -68,7 +76,16 @@ You might want to 'monkeysphere gen-subkey'"
     # through to ssh-add.  should we limit it to known ones?  For
     # example: -d or -c and/or -t
 
-    for subkey in $authsubkeys; do
+    for subkey in $authsubkeys; do
+        # test that the subkey has proper capability
+        capability=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \
+            --fingerprint --fingerprint "0x${subkey}!" \
+            | egrep -B 1 "^fpr:::::::::${subkey}:$" | grep "^ssb:" | cut -d: -f12)
+        if ! check_capability "$capability" 'a' ; then
+            log error "Did not find authentication-capable subkey with key ID '$subkey'."
+            continue
+        fi
+
         # choose a label by which this key will be known in the agent:
         # we are labelling the key by User ID instead of by
         # fingerprint, but filtering out all / characters to make sure
@@ -81,14 +98,14 @@ You might want to 'monkeysphere gen-subkey'"
 
         if [ "$1" = '-d' ]; then
             # we're removing the subkey:
-            gpg_user --export "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname"
+            gpg_user --export --no-armor "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname"
             (cd "$workingdir" && ssh-add -d "$kname") || keysuccess="$?"
         else
             # we're adding the subkey:
             mkfifo "$workingdir/$kname"
             gpg_user --passphrase-fd 3 3<"$workingdir/passphrase" \
                 --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \
-                --export-secret-subkeys "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname" &
+                --export-secret-subkeys --no-armor "0x${subkey}!" | openpgp2ssh "$subkey" > "$workingdir/$kname" &
             (cd "$workingdir" && DISPLAY=nosuchdisplay SSH_ASKPASS=/bin/false ssh-add "$@" "$kname"
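Review bot: The capability test anchors the fpr record on the whole of `$subkey` (`"^fpr:::::::::${subkey}:$"`), so it only matches when `$subkey` is the full fingerprint exactly as gpg prints it; a shorter key ID, which `gpg --export "0x${subkey}!"` itself accepts and which the `log error` wording ("with key ID") seems to invite, leaves `$capability` empty and the key is skipped after that one error line. Either state the requirement next to the pipeline, e.g. `# $subkey must be a full fingerprint: the fpr record is matched on it exactly`, or match on a suffix so key IDs also work: `| egrep -B 1 "^fpr:::::::::[0-9A-F]*${subkey}:$" | grep "^ssb:" | cut -d: -f12)`. The `-B 1` also assumes the `ssb:` record sits immediately before its `fpr:` record, which holds for gpg's colon output but deserves a one-line comment. The for loop and the enclosing function continue past the end of this hunk.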