]>
Commit | Line | Data |
---|---|---|
1 | # NOTE: | |
2 | # our .zprofile can be expensive, so we keep track of what has been run | |
3 | # already, and only set up what is necessary. this also allows us to re-source | |
4 | # the file to reinitialize specific parts when desired. | |
5 | # | |
6 | # in order to ensure future interactive environments are set up as early as | |
7 | # possible, we source this file from .zshenv for non-login shells, under some | |
8 | # specific conditions outlined there. | |
9 | # | |
10 | # this file respects non-interactive sessions and will not intentionally emit | |
11 | # output. | |
12 | ||
13 | ### fix path after system profile scripts have possibly mangled it | |
14 | if [[ ! -v _sev_setup_path || -o login ]] { | |
15 | _sev_setpath | |
16 | export _sev_setup_path= | |
17 | } | |
18 | ||
19 | ### dbus | |
20 | if [[ ! -v DBUS_SESSION_BUS_ADDRESS && -v commands[dbus-launch] ]] { | |
21 | eval $(dbus-launch) | |
22 | export DBUS_SESSION_BUS_ADDRESS DBUS_SESSION_BUS_PID | |
23 | } | |
24 | ||
25 | ### gpg agent + forwarding | |
26 | # NOTE: while ssh manages its auth sock in-protocol when ForwardSsh is enabled, | |
27 | # GPG must be forwarded manually over Unix socket. to support this, we | |
28 | # forward the restricted gpg-agent extra socket to the remote host with a | |
29 | # RemoteForward rule in ~/.ssh/config that uses the _GNUPG_SOCK_* vars. | |
30 | # | |
31 | # to avoid conflicts with other ssh sessions where the same user is | |
32 | # connecting to the same host from different machines, gpg should utilize | |
33 | # its own forwarded socket for each session. previously, you could | |
34 | # provide a path to the agent socket in GPG_AGENT_INFO, but that was | |
35 | # deprecated in GPG v2.1; instead, we must replace the socket in gpg's | |
36 | # socket dir. | |
37 | # | |
38 | # gnupg commits fb88f37–aab8a0b moved sockets from GNUPGHOME by default | |
39 | # to directories under /run. aab8a0b in particular solidifies the | |
40 | # functionality shift to utilize systemd-logind's user runtime | |
41 | # directories. if the dir isn't found, gpg will fall back to the homedir. | |
42 | # since previous functionality allowed multiple homedirs with multiple | |
43 | # sockets, a provision was added where changing GNUPGHOME will also | |
44 | # change the socket dir to a hashed dir under the usual runtime dir. | |
45 | # | |
46 | # utilizing this information, we can conclude: | |
47 | # - on systems with user runtime dirs, changing GNUPGHOME will also | |
48 | # give us a unique socket dir under the user runtime dir; | |
49 | # - on other systems, the socket dir follows GNUPGHOME. | |
50 | # therefore, the safest way to ensure unique sockets while not having to | |
51 | # write specific logic for both scenarios is to simply change GNUPGHOME. | |
52 | # the easiest way to do this is to create a new dir and link the contents | |
53 | # of GNUPGHOME to the new home. we can then replace all of the agent | |
54 | # sockets wherever they now are with the forwarded one. in either case we | |
55 | # will be overwriting the session-specific sockets. | |
56 | # | |
57 | # NOTE: since Unix sockets are not supported under Windows, this will not work | |
58 | # under msys, cygwin, mingw, etc., but may work under wsl2. | |
59 | # | |
60 | # HACK: without SendEnv, which is disabled by default in most sshd configs, | |
61 | # there is no foolproof way to prevent race conditions via socket | |
62 | # filename collisions or to pass the desired forward path to the remote | |
63 | # host environment. we just have to guess the path we choose is good on | |
64 | # the desination, and assume the newest matching socket is the correct | |
65 | # one after connecting. in theory, we could occlude the ssh binary on | |
66 | # PATH with an alias or script that would allow us to communicate with | |
67 | # the remote host before opening a shell, so that we can have the host | |
68 | # communicate back to the client where it wants a socket created or ask | |
69 | # the host if the path the client wants to use is writable. however, this | |
70 | # would open up too many edge cases where it wouldn't work or be too | |
71 | # clunky (e.g. asking for password twice) to make it worth it. | |
72 | function _gpg_socketpath { | |
73 | # dirs are percent-encoded: https://stackoverflow.com/a/64312099 | |
74 | echo -E - ${1//(#b)%([[:xdigit:]](#c2))/${(#):-0x$match[1]}} | |
75 | } | |
76 | if [[ ! -v _sev_setup_gpg_forward && -v commands[gpg] ]] { | |
77 | # XXX: assuming /tmp exists and is writable on destination | |
78 | export _GNUPG_SOCK_DEST_BASE=/tmp/.gpg-agent-forward | |
79 | export _GNUPG_SOCK_DEST_EXT=$(date +%s).$RANDOM | |
80 | export _GNUPG_SOCK_DEST=$_GNUPG_SOCK_DEST_BASE.$_GNUPG_SOCK_DEST_EXT | |
81 | export _sev_gpg_forward_dir=$XDG_RUNTIME_DIR/gnupg/.ssh_forward | |
82 | _sev_zcleanup gpg-forward | |
83 | ||
84 | # find our forwarded socket | |
85 | s=($_GNUPG_SOCK_DEST_BASE*(N=oc[1])) | |
86 | if [[ -n $s && -v SSH_CLIENT ]] { | |
87 | # create new forward dir | |
88 | export _sev_setup_gpg_forward= | |
89 | h=$_sev_gpg_forward_dir/$$ | |
90 | mkdir -pm700 $h | |
91 | for x (gpg{,-agent}.conf sshcontrol random_seed | |
92 | pubring.kbx{,~} trustdb.gpg private-keys-v1.d crls.d) { | |
93 | ln -s ${GNUPGHOME:-~/.gnupg}/$x $h | |
94 | } | |
95 | export GNUPGHOME=$h | |
96 | unset h | |
97 | for x in $(gpgconf --list-dirs | grep 'agent-.*-\?socket:'); do | |
98 | x=$(_gpg_socketpath ${x/#agent-*socket:}) | |
99 | if [[ ! -v primary ]] { | |
100 | # move forwarded socket to first valid agent socket path | |
101 | # XXX: if tmp is on different filesystem this may not work | |
102 | mv $s $x | |
103 | primary=$x | |
104 | } else { | |
105 | # make links to forwarded socket for any others | |
106 | ln -s $primary $x | |
107 | } | |
108 | done | |
109 | unset x primary | |
110 | } | |
111 | unset s | |
112 | ||
113 | # what we will forward if we start a new ssh connection | |
114 | # NOTE: do this after setting up GNUPGHOME to pick up new socket path; | |
115 | # if already connected over SSH, extra should be the remote one | |
116 | export _GNUPG_SOCK_SRC=$(_gpg_socketpath \ | |
117 | $(gpgconf --list-dirs agent-extra-socket)) | |
118 | } elif [[ ! -v _sev_setup_gpg_forward ]] { | |
119 | # required for RemoteForward to not error out if the vars are unset | |
120 | [[ ! -v _GNUPG_SOCK_SRC ]] && export _GNUPG_SOCK_SRC=/nonexistent | |
121 | [[ ! -v _GNUPG_SOCK_DEST ]] && export _GNUPG_SOCK_DEST=/nonexistent | |
122 | } | |
123 | ||
124 | ### gpg agent | |
125 | if [[ -v commands[gpg-connect-agent] && | |
126 | ( ! -v _sev_setup_gpgagent || -v _sev_refresh_gpgagent ) ]] { | |
127 | # avoid printing if we have already set up tty before | |
128 | [[ ! -v _sev_setup_gpgagent && -o interactive ]] && p=true || p=false | |
129 | if {$p} { | |
130 | print -nP '%F{blue}>>>%f GPG: ' | |
131 | if [[ -v _sev_setup_gpg_forward ]] { | |
132 | print -nP '%F{yellow}Forwarded agent ' | |
133 | } else { | |
134 | print -nP '%F{green}Agent ' | |
135 | } | |
136 | } | |
137 | gpg-connect-agent /bye >/dev/null 2>&1 | |
138 | if [[ $? -ne 0 ]] { | |
139 | $p && print -P '%F{red}communication error' | |
140 | } else { | |
141 | if [[ ! -v _sev_setup_gpg_forward ]] { | |
142 | if [[ ${+GPG_TTY} -eq 0 && -o interactive ]] | |
143 | export GPG_TTY=$(tty) | |
144 | if [[ ( -v DISPLAY || -v WAYLAND_DISPLAY ) && | |
145 | ${PINENTRY_USER_DATA/USE_TTY=0} == $PINENTRY_USER_DATA ]] | |
146 | export PINENTRY_USER_DATA=USE_TTY=0 | |
147 | # XXX: we are assuming this is our pinentry from .local/bin | |
148 | sed -Ei 's\1f^([[:space:]]*pinentry-program[[:space:]]).*$\1f\1'$HOME'/.local/bin/pinentry\1f' \ | |
149 | ${GNUPGHOME:-~/.gnupg}/gpg-agent.conf 2>/dev/null | |
150 | # XXX: could check for changes before doing this to save perf | |
151 | gpg-connect-agent RELOADAGENT UPDATESTARTUPTTY /bye >/dev/null 2>&1 | |
152 | if {$p} { | |
153 | gpg-connect-agent /subst /serverpid \ | |
154 | "/echo pid \${get serverpid} on ${WAYLAND_DISPLAY:-${DISPLAY:-$GPG_TTY}}" /bye 2>/dev/null | |
155 | print -nP '%f' | |
156 | } | |
157 | } elif {$p} { | |
158 | print -P '%f' | |
159 | } | |
160 | export _sev_setup_gpgagent= | |
161 | } | |
162 | unset p _sev_refresh_gpgagent | |
163 | } | |
164 | ||
165 | ### ssh agent | |
166 | if [[ ! -v _sev_setup_ssh ]] { | |
167 | # NOTE: preferred order of agents to check: okcagent, gnupg, openssh | |
168 | # first block takes care of okcagent and openssh, second gnupg | |
169 | # XXX: doesn't actually check if ssh is enabled in gpg | |
170 | [[ -o interactive ]] && print -nP '%F{blue}>>>%f SSH: %F{green}' | |
171 | if [[ ! -v SSH_AUTH_SOCK && ( -v commands[okc-ssh-agent] || | |
172 | ( -v commands[ssh-agent] && ! -v commands[gpg] ) ) ]] { | |
173 | okc=${commands[okc-ssh-agent]:+okc-} | |
174 | e=$_sev_tmp/${okc}ssh-agent-exports | |
175 | typeset sock= | |
176 | typeset -i pid= | |
177 | if [[ -f $e ]] { | |
178 | IFS=$'\0' read -r sock pid <$e | |
179 | } | |
180 | if [[ -S $sock && $pid > 0 ]] && kill -0 $pid >/dev/null 2>&1; then | |
181 | [[ -o interactive ]] && print -P "Reusing agent PID $pid%f" | |
182 | export SSH_AUTH_SOCK=$sock | |
183 | export SSH_AGENT_PID=$pid | |
184 | else | |
185 | # TODO: ensure ssh-agent path looks legit to avoid unsafe eval? | |
186 | # XXX: doesn't appear to be any other way to handle redirection. | |
187 | # because eval needs to write to current scope environment | |
188 | # subshells can't be used to capture output and print. | |
189 | c='TMPDIR=$_sev_tmp ${okc}ssh-agent' | |
190 | if [[ -o interactive ]] { | |
191 | eval $(eval $=c) | |
192 | print -nP '%f' | |
193 | } else { | |
194 | eval $(eval $=c) >/dev/null 2>&1 | |
195 | } | |
196 | echo -En - $SSH_AUTH_SOCK$'\0'$SSH_AGENT_PID >!$e | |
197 | unset c | |
198 | fi | |
199 | unset okc e sock pid | |
200 | } elif [[ ! -v SSH_AUTH_SOCK && -v commands[gpg] ]] { | |
201 | # since gpg should have been started above, just export and notify | |
202 | if [[ -o interactive ]] { | |
203 | if [[ -v _sev_setup_gpg_forward ]] { | |
204 | echo 'Forwarded GPG agent' | |
205 | } else { | |
206 | gpg-connect-agent /subst /serverpid \ | |
207 | '/echo GPG agent pid ${get serverpid}' /bye | |
208 | } | |
209 | print -nP '%f' | |
210 | } | |
211 | export SSH_AUTH_SOCK=$(_gpg_socketpath \ | |
212 | $(gpgconf --list-dirs agent-ssh-socket)) | |
213 | } elif [[ -v SSH_AUTH_SOCK ]] { | |
214 | [[ -o interactive ]] && print -P 'Preconfigured agent%f' | |
215 | } else { | |
216 | [[ -o interactive ]] && print -P '%F{red}No agent available%f' | |
217 | } | |
218 | ||
219 | export _sev_setup_ssh= | |
220 | } | |
221 | unfunction _gpg_socketpath | |
222 | ||
223 | ### load site-specific | |
224 | load-site-dotfile zprofile |