author | Tobias Brunner <tobias@strongswan.org> | 2013-04-01 14:51:09 +0200 |
committer | Tobias Brunner <tobias@strongswan.org> | 2013-05-07 14:08:51 +0200 |
commit | ee7b73832c97c12932641ba61c52211810afde00 (patch) | |
tree | d635311b1e9dadc7d5c68a3513c0a206566dbee3 /src/charon-cmd/cmd | |
parent | 4dc50bf9de08e08abd6fbc85434c3f34a01e601f (diff) | |
charon-cmd: Add --agent option to authenticate using ssh-agent(1)
The socket path is read from the SSH_AUTH_SOCK environment variable.
So using this with sudo might require the -E command line option (or an appropriate
sudoers config) to preserve the environment.
Diffstat (limited to 'src/charon-cmd/cmd')
-rw-r--r-- | src/charon-cmd/cmd/cmd_connection.c | 1 | ||||
-rw-r--r-- | src/charon-cmd/cmd/cmd_creds.c | 68 | ||||
-rw-r--r-- | src/charon-cmd/cmd/cmd_options.c | 2 | ||||
-rw-r--r-- | src/charon-cmd/cmd/cmd_options.h | 1 |
4 files changed, 72 insertions, 0 deletions
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
index 0aedf76ce..8b42befe9 100644
--- a/src/charon-cmd/cmd/cmd_connection.c
+++ b/src/charon-cmd/cmd/cmd_connection.c
@@ -387,6 +387,7 @@ METHOD(cmd_connection_t, handle, bool,
 this->identity = arg;
 break;
 case CMD_OPT_RSA:
+ case CMD_OPT_AGENT:
 this->key_seen = TRUE;
 break;
 case CMD_OPT_LOCAL_TS:
diff --git a/src/charon-cmd/cmd/cmd_creds.c b/src/charon-cmd/cmd/cmd_creds.c
index b70490915..178b77d49 100644
--- a/src/charon-cmd/cmd/cmd_creds.c
+++ b/src/charon-cmd/cmd/cmd_creds.c
@@ -47,6 +47,16 @@ struct private_cmd_creds_t {
 * Already prompted for password?
 */
 bool prompted;
+
+ /**
+ * Provide keys via ssh-agent
+ */
+ bool agent;
+
+ /**
+ * Local identity
+ */
+ char *identity;
 };
 
 /**
@@ -119,6 +129,54 @@ static void load_key(private_cmd_creds_t *this, key_type_t type, char *path)
 this->creds->add_key(this->creds, privkey);
 }
 
+/**
+ * Load a private and public key via ssh-agent
+ */
+static void load_agent(private_cmd_creds_t *this)
+{
+ private_key_t *privkey;
+ public_key_t *pubkey;
+ identification_t *id;
+ certificate_t *cert;
+ char *agent;
+
+ agent = getenv("SSH_AUTH_SOCK");
+ if (!agent)
+ {
+ DBG1(DBG_CFG, "ssh-agent socket not found");
+ exit(1);
+ }
+
+ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+ KEY_RSA, BUILD_AGENT_SOCKET, agent, BUILD_END);
+ if (!privkey)
+ {
+ DBG1(DBG_CFG, "failed to load private key from ssh-agent");
+ exit(1);
+ }
+ pubkey = privkey->get_public_key(privkey);
+ if (!pubkey)
+ {
+ DBG1(DBG_CFG, "failed to load public key from ssh-agent");
+ privkey->destroy(privkey);
+ exit(1);
+ }
+ id = identification_create_from_string(this->identity);
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+ CERT_TRUSTED_PUBKEY, BUILD_PUBLIC_KEY, pubkey,
+ BUILD_SUBJECT, id, BUILD_END);
+ pubkey->destroy(pubkey);
+ id->destroy(id);
+ if (!cert)
+ {
+ DBG1(DBG_CFG, "failed to create certificate for ssh-agent public key");
+ privkey->destroy(privkey);
+ exit(1);
+ }
+ this->creds->add_cert(this->creds, TRUE, cert);
+ this->creds->add_key(this->creds, privkey);
+}
+
 METHOD(cmd_creds_t, handle, bool,
 private_cmd_creds_t *this, cmd_option_type_t opt, char *arg)
 {
@@ -130,9 +188,19 @@ METHOD(cmd_creds_t, handle, bool,
 case CMD_OPT_RSA:
 load_key(this, KEY_RSA, arg);
 break;
+ case CMD_OPT_IDENTITY:
+ this->identity = arg;
+ break;
+ case CMD_OPT_AGENT:
+ this->agent = TRUE;
+ break;
 default:
 return FALSE;
 }
+ if (this->agent && this->identity)
+ {
+ load_agent(this);
+ }
 return TRUE;
 }
 
diff --git a/src/charon-cmd/cmd/cmd_options.c b/src/charon-cmd/cmd/cmd_options.c
index 312d12964..6b7df6d93 100644
--- a/src/charon-cmd/cmd/cmd_options.c
+++ b/src/charon-cmd/cmd/cmd_options.c
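Review bot: load_agent() leaves its preconditions undocumented: it passes this->identity to identification_create_from_string() without a NULL check, so the only thing keeping that call safe is the `this->agent && this->identity` guard in the caller, and a future caller has no way of knowing that. The header comment should say so and also state the exit-on-failure behaviour, which the three `exit(1)` paths make part of the contract: `/** Load an RSA private key from the ssh-agent at SSH_AUTH_SOCK and register its public key as a trusted-pubkey certificate bound to this->identity (must be set); exits the process on any failure. */`. The first error message would be more actionable if it named the variable the user has to preserve across sudo: `DBG1(DBG_CFG, "SSH_AUTH_SOCK not set, ssh-agent socket not found");`. The socket path is taken from the environment as-is; that is consistent with the commit message, but worth noting in the comment since under sudo -E it is an unprivileged user's socket that the daemon connects to.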
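Review bot: The `if (this->agent && this->identity)` check after the switch runs on every option this handler accepts, not only on the one that completes the pair, so once both --agent and --identity have been seen any further option handled here (the cases above CMD_OPT_RSA lie outside the hunk, so I cannot name them) calls load_agent() again and registers a second copy of the key and certificate; a repeated --identity does the same. Record that the agent key has been loaded, e.g. `if (this->agent && this->identity && !this->agent_loaded)` with `this->agent_loaded = TRUE;` after `load_agent(this);`, where agent_loaded is a new bool in private_cmd_creds_t next to the fields the first hunk adds. A related gap: --agent without --identity loads nothing and reports nothing here, while cmd_connection.c now sets key_seen for CMD_OPT_AGENT, so unless an identity is enforced elsewhere the missing identity should be diagnosed once option parsing is complete. The body of handle starts outside the hunk.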
@@ -35,6 +35,8 @@ cmd_option_t cmd_options[CMD_OPT_COUNT] = {
 "trusted certificate, for authentication or trust chain validation" },
 { CMD_OPT_RSA, "rsa", required_argument, "path",
 "RSA private key to use for authentication" },
+ { CMD_OPT_AGENT, "agent", no_argument, "",
+ "use SSH agent for authentication"},
 { CMD_OPT_LOCAL_TS, "local-ts", required_argument, "subnet",
 "additional traffic selector to propose for our side" },
 { CMD_OPT_REMOTE_TS, "remote-ts", required_argument, "subnet",
diff --git a/src/charon-cmd/cmd/cmd_options.h b/src/charon-cmd/cmd/cmd_options.h
index addbb50d8..a14896f83 100644
--- a/src/charon-cmd/cmd/cmd_options.h
+++ b/src/charon-cmd/cmd/cmd_options.h
@@ -35,6 +35,7 @@ enum cmd_option_type_t {
 CMD_OPT_REMOTE_IDENTITY,
 CMD_OPT_CERT,
 CMD_OPT_RSA,
+ CMD_OPT_AGENT,
 CMD_OPT_LOCAL_TS,
 CMD_OPT_REMOTE_TS,
 CMD_OPT_PROFILE,