Diffstat (limited to 'src/seckey2sshagent')
-rwxr-xr-x | src/seckey2sshagent | 114 |
1 files changed, 72 insertions, 42 deletions
diff --git a/src/seckey2sshagent b/src/seckey2sshagent index 4b765dc..a516256 100755 --- a/src/seckey2sshagent +++ b/src/seckey2sshagent @@ -14,17 +14,17 @@ # Authors: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, # Jameson Rollins <jrollins@fifthhorseman.net> - -cleanup() { - echo -n "removing temp gpg home... " 1>&2 - rm -rf "$TMPPRIVATE" - echo "done." 1>&2 -} - explanation() { - echo -n "The basic strategy of seckey2sshagent is to dump your -OpenPGP authentication key(s) into your agent. + cat <<EOF +Usage: $0 [GPGID [FILE]] + +The basic strategy of seckey2sshagent is to dump your OpenPGP +authentication key(s) into your agent or a file. With no arguments, +it will add all secret keys in your keyring to the agent. With one +argument, it adds only the specified key to the agent. With two +arguments, it dumps the specified key to FILE, with the pub key in +FILE.pub. This script is a gross hack at the moment. It is done by creating a new, temporary private keyring, letting the user remove the @@ -51,8 +51,37 @@ You can check on it with: ssh-add -l -" +EOF +} + +cleanup() { + echo -n "removing temp gpg home... " 1>&2 + rm -rf "$TMPPRIVATE" + echo "done." 1>&2 +} + +export_sec_key() { + gpg --export-secret-key "$GPGID" | GNUPGHOME="$TMPPRIVATE" gpg --import + GNUPGHOME="$TMPPRIVATE" gpg --edit-key "$GPGID" + + # idea to script the password stuff. not working. + # read -s -p "enter gpg password: " PASSWD; echo + # cmd=$(cat <<EOF + # passwd + # $PASSWD + # \n + # \n + # \n + # yes + # save + # EOF + # ) + # echo -e "$cmd" | GNUPGHOME="$TMPPRIVATE" gpg --command-fd 0 --edit-key $GPGID + + # export secret key to file + GNUPGHOME="$TMPPRIVATE" gpg --export-secret-keys "$GPGID" | \ + openpgp2ssh "$GPGID" } # if no hex string is supplied, just print an explanation. 
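Review bot: `export_sec_key` (second hunk) has no header comment although it reads `GPGID` and `TMPPRIVATE` from the caller's scope and proceeds into the interactive `gpg --edit-key` even when the preceding `gpg --import` pipeline failed, so the user is dropped into an edit session on an empty keyring. A header such as `# Import $GPGID into the throwaway keyring at $TMPPRIVATE, let the user edit it interactively, then write the SSH-format secret key to stdout. Globals: GPGID, TMPPRIVATE.` would state that contract, and `GNUPGHOME="$TMPPRIVATE" gpg --import || return 1` on the first line would stop the edit after a failed import. The commented-out password-scripting block carried along inside the function is dead code and should be removed or marked with a `# TODO` rather than left inline with a `$PASSWD` pipeline. In `cleanup`, `rm -rf "$TMPPRIVATE"` is better written `rm -rf -- "${TMPPRIVATE:?}"` so an unset variable aborts instead of expanding to an empty argument.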
@@ -62,52 +91,53 @@ if [ "$(echo "$1" | tr -d '0-9a-fA-F')" ]; then exit fi -trap cleanup EXIT +# set the file creation umask +umask 077 GPGIDS="$1" +if [ "$2" -a ! -e "$2" ] ; then + FILE="$2" +fi if [ -z "$GPGIDS" ]; then # hack: we need to get the list of secret keys, because if you # --list-secret-keys with no arguments, GPG fails to print the # capability flags (i've just filed this as # https://bugs.g10code.com/gnupg/issue945) - KEYIDS=$(gpg2 --with-colons --list-secret-keys | grep ^sec | cut -f5 -d:) + KEYIDS=$(gpg --with-colons --list-secret-keys | grep ^sec | cut -f5 -d:) # default to using all fingerprints of authentication-enabled keys - GPGIDS=$(gpg --with-colons --fingerprint --fingerprint --list-secret-keys $KEYIDS | egrep -A1 '^(ssb|sec):.*:[^:]*a[^:]*:$' | grep ^fpr: | cut -d: -f10) + GPGIDS=$(gpg --with-colons --fingerprint --fingerprint --list-secret-keys $KEYIDS | egrep -A1 '^(ssb|sec):.*:[^:]*a[^:]*:$' | grep ^fpr: | cut -d: -f10) fi +trap cleanup EXIT + for GPGID in $GPGIDS; do TMPPRIVATE=$(mktemp -d) - gpg --export-secret-key "$GPGID" | GNUPGHOME="$TMPPRIVATE" gpg --import - -# idea to script the password stuff. not working. 
-# read -s -p "enter gpg password: " PASSWD; echo -# cmd=$(cat <<EOF -# passwd -# $PASSWD -# \n -# \n -# \n -# yes -# save -# EOF -# ) -# echo -e "$cmd" | GNUPGHOME="$TMPPRIVATE" gpg --command-fd 0 --edit-key $GPGID - - GNUPGHOME="$TMPPRIVATE" gpg --edit-key "$GPGID" - - KEYNAME='MonkeySphere Key '$(echo "$GPGID" | tr -c -d '0-9a-fA-F')'' -# creating this alias so the key is named "monkeysphere-key" in the -# comment stored by the agent, while never being written to disk in -# SSH form: - ln -s /dev/stdin "$TMPPRIVATE/$KEYNAME" - - GNUPGHOME="$TMPPRIVATE" gpg --export-secret-keys "$GPGID" | \ - openpgp2ssh $GPGID | (cd "$TMPPRIVATE" && ssh-add -c "$KEYNAME") + # if specified, write key to fail and passprotect + if [ "$FILE" ] ; then + # export secret key to file + export_sec_key > "$TMPPRIVATE/key" + # passprotect file + ssh-keygen -f "${TMPPRIVATE}/key" -p + # move into place + mv "${TMPPRIVATE}/key" "$FILE" + + # export public key + gpg --export "$GPGID" | openpgp2ssh "$GPGID" > "${FILE}.pub" + + # otherwise add to agent + else + KEYNAME='MonkeySphere Key '$(echo "$GPGID" | tr -c -d '0-9a-fA-F')'' + + # creating this alias so the key is named "monkeysphere-key" in the + # comment stored by the agent, while never being written to disk in + # SSH form: + ln -s /dev/stdin "${TMPPRIVATE}/${KEYNAME}" + + # export secret key to agent + export_sec_key | (cd "$TMPPRIVATE" && ssh-add -c "$KEYNAME") + fi - cleanup done - - |
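Review bot: Dropping the per-iteration `cleanup` call at the end of the `for GPGID in $GPGIDS` loop means only the last `$TMPPRIVATE` is removed by the EXIT trap; when `GPGIDS` holds several fingerprints, every earlier temp GNUPGHOME, each holding an imported secret key, is left on disk. Keep `cleanup` as the last statement of the loop body (the trap still covers abnormal exits). Separately, the FILE branch runs `mv "${TMPPRIVATE}/key" "$FILE"` whether or not `ssh-keygen -p` succeeded, so an aborted or mismatched passphrase prompt still moves the unencrypted key into place; `ssh-keygen -f "${TMPPRIVATE}/key" -p || exit 1` would prevent that. The `[ "$2" -a ! -e "$2" ]` test also silently falls back to agent mode when the target already exists instead of reporting it, and the comment `# if specified, write key to fail and passprotect` should read `file`.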