From: Tobias Brunner Date: Mon, 1 Apr 2013 12:51:09 +0000 (+0200) Subject: charon-cmd: Add --agent option to authenticate using ssh-agent(1) X-Git-Tag: 5.1.0dr1~150^2~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ee7b73832c97c12932641ba61c52211810afde00;p=thirdparty%2Fstrongswan.git charon-cmd: Add --agent option to authenticate using ssh-agent(1) The socket path is read from the SSH_AUTH_SOCK environment variable. So using this with sudo might require the -E command line (or an appropriate sudoers config) to preserve the environment.
---
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
index 0aedf76cea..8b42befe96 100644
--- a/src/charon-cmd/cmd/cmd_connection.c
+++ b/src/charon-cmd/cmd/cmd_connection.c
@@ -387,6 +387,7 @@ METHOD(cmd_connection_t, handle, bool,
 this->identity = arg;
 break;
 case CMD_OPT_RSA:
+ case CMD_OPT_AGENT:
 this->key_seen = TRUE;
 break;
 case CMD_OPT_LOCAL_TS:
diff --git a/src/charon-cmd/cmd/cmd_creds.c b/src/charon-cmd/cmd/cmd_creds.c
index b704909156..178b77d49d 100644
--- a/src/charon-cmd/cmd/cmd_creds.c
+++ b/src/charon-cmd/cmd/cmd_creds.c
@@ -47,6 +57,16 @@ struct private_cmd_creds_t {
 * Already prompted for password?
 */
 bool prompted;
+
+ /**
+ * Provide keys via ssh-agent
+ */
+ bool agent;
+
+ /**
+ * Local identity
+ */
+ char *identity;
 };
 
 /**
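Review bot: `case CMD_OPT_AGENT:` sets `key_seen` as soon as --agent is parsed, but the agent key is only registered by the cmd_creds.c handle hunk once --identity has also been seen, so `--agent` without `--identity` passes this handler's key check while no key was ever loaded. If the later validation of `key_seen` is where missing credentials are reported (that code is outside the hunk), consider tracking --agent separately so that it can report something like `--agent requires --identity` instead of proceeding without a key. The enclosing handle method starts and ends outside the hunk.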
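Review bot: The comment on the new `identity` field, `Local identity`, does not record ownership: the cmd_creds.c handle hunk stores `arg` directly, so this is a borrowed pointer into the caller's argument vector and must not be freed by the destructor. Suggest `/** Local identity (borrowed pointer to the --identity argument, not owned) */`. The `agent` comment could likewise say that it only records that --agent was seen and that the key is loaded once the identity is also known.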
@@ -119,6 +129,54 @@ static void load_key(private_cmd_creds_t *this, key_type_t type, char *path)
 this->creds->add_key(this->creds, privkey);
 }
 
+/**
+ * Load a private and public key via ssh-agent
+ */
+static void load_agent(private_cmd_creds_t *this)
+{
+ private_key_t *privkey;
+ public_key_t *pubkey;
+ identification_t *id;
+ certificate_t *cert;
+ char *agent;
+
+ agent = getenv("SSH_AUTH_SOCK");
+ if (!agent)
+ {
+ DBG1(DBG_CFG, "ssh-agent socket not found");
+ exit(1);
+ }
+
+ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+ KEY_RSA, BUILD_AGENT_SOCKET, agent, BUILD_END);
+ if (!privkey)
+ {
+ DBG1(DBG_CFG, "failed to load private key from ssh-agent");
+ exit(1);
+ }
+ pubkey = privkey->get_public_key(privkey);
+ if (!pubkey)
+ {
+ DBG1(DBG_CFG, "failed to load public key from ssh-agent");
+ privkey->destroy(privkey);
+ exit(1);
+ }
+ id = identification_create_from_string(this->identity);
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+ CERT_TRUSTED_PUBKEY, BUILD_PUBLIC_KEY, pubkey,
+ BUILD_SUBJECT, id, BUILD_END);
+ pubkey->destroy(pubkey);
+ id->destroy(id);
+ if (!cert)
+ {
+ DBG1(DBG_CFG, "failed to create certificate for ssh-agent public key");
+ privkey->destroy(privkey);
+ exit(1);
+ }
+ this->creds->add_cert(this->creds, TRUE, cert);
+ this->creds->add_key(this->creds, privkey);
+}
+
 METHOD(cmd_creds_t, handle, bool,
 private_cmd_creds_t *this, cmd_option_type_t opt, char *arg)
 {
@@ -130,9 +188,19 @@ METHOD(cmd_creds_t, handle, bool,
 case CMD_OPT_RSA:
 load_key(this, KEY_RSA, arg);
 break;
+ case CMD_OPT_IDENTITY:
+ this->identity = arg;
+ break;
+ case CMD_OPT_AGENT:
+ this->agent = TRUE;
+ break;
 default:
 return FALSE;
 }
+ if (this->agent && this->identity)
+ {
+ load_agent(this);
+ }
 return TRUE;
 }
 
diff --git a/src/charon-cmd/cmd/cmd_options.c b/src/charon-cmd/cmd/cmd_options.c
index 312d129642..6b7df6d93e 100644
--- a/src/charon-cmd/cmd/cmd_options.c
+++ b/src/charon-cmd/cmd/cmd_options.c
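Review bot: The private key is requested from the agent with `KEY_RSA` only, but the failure message `failed to load private key from ssh-agent` does not say so, which leaves a user whose agent holds only non-RSA keys without a hint; suggest `DBG1(DBG_CFG, "failed to load RSA private key from ssh-agent");`. The header comment `Load a private and public key via ssh-agent` would also be more useful as a contract: say that the socket path is taken from SSH_AUTH_SOCK, that a trusted-pubkey certificate bound to `this->identity` is created for the public key, and that every failure terminates the process with `exit(1)` rather than returning an error to the caller. Whether the agent plugin can offer other key types at this version is not visible here, so the message wording is the only change proposed.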
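Review bot: `load_agent(this)` runs after every option this handler accepts once `agent` and `identity` are both set, so a command line such as `--agent --identity me --cert ca.pem` (or a repeated `--identity`) opens the agent and registers the key and certificate again for each later option. Clearing the flag after a successful load avoids the duplicate registrations: `load_agent(this); this->agent = FALSE;`. A later `--identity` would then not rebind the certificate, which looks consistent with the single-identity use the option is written for. The enclosing handle method starts outside the hunk, and whether the dispatcher passes each option to both handlers is not visible here.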
@@ -35,6 +35,8 @@ cmd_option_t cmd_options[CMD_OPT_COUNT] = {
 "trusted certificate, for authentication or trust chain validation" },
 { CMD_OPT_RSA, "rsa", required_argument, "path",
 "RSA private key to use for authentication" },
+ { CMD_OPT_AGENT, "agent", no_argument, "",
+ "use SSH agent for authentication"},
 { CMD_OPT_LOCAL_TS, "local-ts", required_argument, "subnet",
 "additional traffic selector to propose for our side" },
 { CMD_OPT_REMOTE_TS, "remote-ts", required_argument, "subnet",
diff --git a/src/charon-cmd/cmd/cmd_options.h b/src/charon-cmd/cmd/cmd_options.h
index addbb50d81..a14896f831 100644
--- a/src/charon-cmd/cmd/cmd_options.h
+++ b/src/charon-cmd/cmd/cmd_options.h
@@ -35,6 +35,7 @@ enum cmd_option_type_t {
 CMD_OPT_REMOTE_IDENTITY,
 CMD_OPT_CERT,
 CMD_OPT_RSA,
+ CMD_OPT_AGENT,
 CMD_OPT_LOCAL_TS,
 CMD_OPT_REMOTE_TS,
 CMD_OPT_PROFILE,
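Review bot: The new help text `"use SSH agent for authentication"},` omits the space before `}` that every neighbouring entry uses (`" },`), and it does not tell the user where the agent is found or that the key is only loaded together with --identity (see the cmd_creds.c handle hunk). Suggest `"use SSH agent (SSH_AUTH_SOCK) for authentication, requires --identity" },`. The option table continues outside the hunk.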