cfg/bin/vault-sshadd

#!/bin/bash

set -e
set -o pipefail

source "${HOME}/bin/script_framework.sh"

if ! (which vault >/dev/null); then
  error "vault is required."
  exit 2
fi

# Require something to be passed to this command
if [ $# -eq 0 ]; then
  error "You need to specify a key name."
  exit 2
fi

# Create a helper script to send STDIN data to ssh-add
HELPER=$(mktemp)
chmod 0700 ${HELPER}
trap "rm ${HELPER}" EXIT

cat -s <<EOF >${HELPER}
#!/bin/bash
vault read -field=private "/secret/ssh-key/\$1" | exec ssh-add -t 3600 -
EOF

for KEY_NAME in $@; do
  fingerprint=$(vault read -field=public "/secret/ssh-key/$1" | ssh-keygen -l -f -)

  # If this key is already in the agent we don't need to do anything
  if (ssh-add -l | grep -q "${fingerprint}"); then
    info "[${KEY_NAME}] Key already present."
    continue
  fi

  # Retrieve key from LastPass
  PWD=$(vault read -field=passphrase "/secret/ssh-key/${KEY_NAME}")
  # In case LastPass exitted non-zero we have no password
  if ! [ $? -eq 0 ]; then
    error "[${KEY_NAME}] Unable to get password. Not trying to unlock."
    continue
  fi

  # Fill password to ssh-add utility
  expect <<EOF >/dev/null
spawn ${HELPER} ${KEY_NAME}

expect "Enter passphrase"
send "$PWD\n"

expect "added:" {exit 0} timeout {exit 1}
EOF

  if [ $? -eq 0 ]; then
    info "[${KEY_NAME}] Should be loaded by now."
    vault-patch --log-level=warn secret/ssh-key/${KEY_NAME} last_used=$(date +%Y-%m-%dT%H:%M:%S%z)
  else
    error "[${KEY_NAME}] Was not added successfully."
  fi

done
add local scripts 2016-07-21 13:48:49 +00:00			`#!/bin/bash`

Set error handling options Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-09-13 13:45:32 +00:00			`set -e`
			`set -o pipefail`

Unify scripts by using a common color / function framework Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-09-19 10:10:53 +00:00			`source "${HOME}/bin/script_framework.sh"`
add local scripts 2016-07-21 13:48:49 +00:00
Throw shfmt against bash scripts Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-03-10 11:47:55 +00:00			`if ! (which vault >/dev/null); then`
add local scripts 2016-07-21 13:48:49 +00:00			`error "vault is required."`
			`exit 2`
			`fi`

			`# Require something to be passed to this command`
			`if [ $# -eq 0 ]; then`
			`error "You need to specify a key name."`
			`exit 2`
			`fi`

Load SSH-Keys from Vault instead of filesystem 2016-12-29 12:43:45 +00:00			`# Create a helper script to send STDIN data to ssh-add`
Use mktemp instead of tempfile for OSX compatibility 2017-01-11 16:50:13 +00:00			`HELPER=$(mktemp)`
			`chmod 0700 ${HELPER}`
Load SSH-Keys from Vault instead of filesystem 2016-12-29 12:43:45 +00:00			`trap "rm ${HELPER}" EXIT`
add local scripts 2016-07-21 13:48:49 +00:00
Throw shfmt against bash scripts Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-03-10 11:47:55 +00:00			`cat -s <<EOF >${HELPER}`
Load SSH-Keys from Vault instead of filesystem 2016-12-29 12:43:45 +00:00			`#!/bin/bash`
Load ssh-keys for one hour Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-05-14 20:02:29 +00:00			`vault read -field=private "/secret/ssh-key/\$1" \| exec ssh-add -t 3600 -`
Load SSH-Keys from Vault instead of filesystem 2016-12-29 12:43:45 +00:00			`EOF`
add local scripts 2016-07-21 13:48:49 +00:00
Load SSH-Keys from Vault instead of filesystem 2016-12-29 12:43:45 +00:00			`for KEY_NAME in $@; do`
Search for fingerprint instead of key name Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-08-14 13:17:09 +00:00			`fingerprint=$(vault read -field=public "/secret/ssh-key/$1" \| ssh-keygen -l -f -)`

add local scripts 2016-07-21 13:48:49 +00:00			`# If this key is already in the agent we don't need to do anything`
Throw shfmt against bash scripts Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-03-10 11:47:55 +00:00			`if (ssh-add -l \| grep -q "${fingerprint}"); then`
Load SSH-Keys from Vault instead of filesystem 2016-12-29 12:43:45 +00:00			`info "[${KEY_NAME}] Key already present."`
add local scripts 2016-07-21 13:48:49 +00:00			`continue`
			`fi`

			`# Retrieve key from LastPass`
Load SSH-Keys from Vault instead of filesystem 2016-12-29 12:43:45 +00:00			`PWD=$(vault read -field=passphrase "/secret/ssh-key/${KEY_NAME}")`
add local scripts 2016-07-21 13:48:49 +00:00			`# In case LastPass exitted non-zero we have no password`
			`if ! [ $? -eq 0 ]; then`
Load SSH-Keys from Vault instead of filesystem 2016-12-29 12:43:45 +00:00			`error "[${KEY_NAME}] Unable to get password. Not trying to unlock."`
add local scripts 2016-07-21 13:48:49 +00:00			`continue`
			`fi`

			`# Fill password to ssh-add utility`
			`expect <<EOF >/dev/null`
Load SSH-Keys from Vault instead of filesystem 2016-12-29 12:43:45 +00:00			`spawn ${HELPER} ${KEY_NAME}`

add local scripts 2016-07-21 13:48:49 +00:00			`expect "Enter passphrase"`
			`send "$PWD\n"`
Load SSH-Keys from Vault instead of filesystem 2016-12-29 12:43:45 +00:00
			`expect "added:" {exit 0} timeout {exit 1}`
add local scripts 2016-07-21 13:48:49 +00:00			`EOF`

Load SSH-Keys from Vault instead of filesystem 2016-12-29 12:43:45 +00:00			`if [ $? -eq 0 ]; then`
			`info "[${KEY_NAME}] Should be loaded by now."`
Ensure compatibility to BSD date Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-06-20 08:38:09 +00:00			`vault-patch --log-level=warn secret/ssh-key/${KEY_NAME} last_used=$(date +%Y-%m-%dT%H:%M:%S%z)`
add local scripts 2016-07-21 13:48:49 +00:00			`else`
Load SSH-Keys from Vault instead of filesystem 2016-12-29 12:43:45 +00:00			`error "[${KEY_NAME}] Was not added successfully."`
add local scripts 2016-07-21 13:48:49 +00:00			`fi`

			`done`