diff --git a/blessclient/bless_config.py b/blessclient/bless_config.py index 05ea153..a46db71 100644 --- a/blessclient/bless_config.py +++ b/blessclient/bless_config.py @@ -41,7 +41,7 @@ def parse_config_file(self, config_file): 'update_script': config.get('CLIENT', 'update_script'), 'user_session_length': int(config.get('CLIENT', 'user_session_length')), 'usebless_role_session_length': int(config.get('CLIENT', 'usebless_role_session_length')), - 'update_sshagent': config.getboolean('CLIENT', 'update_sshagent'), + 'update_sshagent': config.getboolean('CLIENT', 'update_sshagent') }, 'BLESS_CONFIG': { 'ca_backend': config.get('MAIN', 'ca_backend'), diff --git a/blessclient/client.py b/blessclient/client.py index e8b2439..e840131 100755 --- a/blessclient/client.py +++ b/blessclient/client.py @@ -161,7 +161,7 @@ def get_blessrole_credentials(iam_client, creds, blessconfig, bless_cache): role_creds = mfa_sts_client.assume_role( RoleArn=role_arn, RoleSessionName='mfaassume', - DurationSeconds=blessconfig.get_client_config()['usebless_role_session_length'], + DurationSeconds=blessconfig.get_client_config()['usebless_role_session_length'] )['Credentials'] logging.debug("Role Credentials: {}".format(role_creds)) @@ -348,12 +348,14 @@ def save_cached_creds(token_data, bless_config): with open(cache_file_path, 'w') as cache: json.dump(_token_data, cache) - def ssh_agent_remove_bless(identity_file): DEVNULL = open(os.devnull, 'w') + identity_fp = subprocess.check_output(['ssh-keygen','-lf',identity_file]).decode('UTF-8') #Get SHA256 fingerprint of the identity file + try: current = subprocess.check_output(['ssh-add', '-l']).decode('UTF-8') - match = re.search(re.escape(identity_file), current) + match = re.search(re.escape(identity_fp), current) + #match = re.search(re.escape(identity_file), current) if match: subprocess.check_call( ['ssh-add', '-d', identity_file], stderr=DEVNULL) @@ -364,9 +366,14 @@ def ssh_agent_remove_bless(identity_file): def ssh_agent_add_bless(identity_file): DEVNULL = open(os.devnull, 'w') - subprocess.check_call(['ssh-add', identity_file], stderr=DEVNULL) + identity_fp = subprocess.check_output(['ssh-keygen','-lf',identity_file]).decode('UTF-8') #Get SHA256 fingerprint of the identity file + try: + subprocess.check_call(['ssh-add', identity_file], stderr=DEVNULL) + except Exception: + logging.debug("Private Key has password") current = subprocess.check_output(['ssh-add', '-l']).decode('UTF-8') - if not re.search(re.escape(identity_file), current): + #if not re.search(re.escape(identity_file), current): + if not re.search(re.escape(identity_fp), current): logging.debug("Could not add '{}' to ssh-agent".format(identity_file)) sys.stderr.write( "Couldn't add identity to ssh-agent") @@ -722,21 +729,24 @@ def bless(region, nocache, showgui, hostname, bless_config): SerialNumber=mfa_arn, TokenCode=mfa_pin )['Credentials'] + except (ClientError, ParamValidationError): sys.stderr.write("Incorrect MFA, no certificate issued\n") sys.exit(1) if creds: save_cached_creds(creds, bless_config) + + role_creds = get_blessrole_credentials( + aws.iam_client(), creds, bless_config, bless_cache) + kmsauth_token = get_kmsauth_token( - creds, + role_creds, kmsauth_config, username, cache=bless_cache ) logging.debug("Got kmsauth token: {}".format(kmsauth_token)) - role_creds = get_blessrole_credentials( - aws.iam_client(), creds, bless_config, bless_cache) bless_lambda = BlessLambda(bless_lambda_config, role_creds, kmsauth_token, region)