Use fingerprint during validation instead of identity file

blessclient/bless_config.py

@@ -41,7 +41,7 @@ def parse_config_file(self, config_file):
                 'update_script': config.get('CLIENT', 'update_script'),
                 'user_session_length': int(config.get('CLIENT', 'user_session_length')),
                 'usebless_role_session_length': int(config.get('CLIENT', 'usebless_role_session_length')),
-                'update_sshagent': config.getboolean('CLIENT', 'update_sshagent'),
+                'update_sshagent': config.getboolean('CLIENT', 'update_sshagent')
             },
             'BLESS_CONFIG': {
                 'ca_backend': config.get('MAIN', 'ca_backend'),

blessclient/client.py

@@ -161,7 +161,7 @@ def get_blessrole_credentials(iam_client, creds, blessconfig, bless_cache):
     role_creds = mfa_sts_client.assume_role(
         RoleArn=role_arn,
         RoleSessionName='mfaassume',
-        DurationSeconds=blessconfig.get_client_config()['usebless_role_session_length'],
+        DurationSeconds=blessconfig.get_client_config()['usebless_role_session_length']
     )['Credentials']
 
     logging.debug("Role Credentials: {}".format(role_creds))
@@ -348,12 +348,14 @@ def save_cached_creds(token_data, bless_config):
     with open(cache_file_path, 'w') as cache:
         json.dump(_token_data, cache)
 
-
 def ssh_agent_remove_bless(identity_file):
     DEVNULL = open(os.devnull, 'w')
+    identity_fp = subprocess.check_output(['ssh-keygen','-lf',identity_file]).decode('UTF-8') #Get SHA256 fingerprint of the identity file
+
     try:
         current = subprocess.check_output(['ssh-add', '-l']).decode('UTF-8')
-        match = re.search(re.escape(identity_file), current)
+        match = re.search(re.escape(identity_fp), current)
+        #match = re.search(re.escape(identity_file), current)
         if match:
             subprocess.check_call(
                 ['ssh-add', '-d', identity_file], stderr=DEVNULL)
@@ -364,9 +366,14 @@ def ssh_agent_remove_bless(identity_file):
 
 def ssh_agent_add_bless(identity_file):
     DEVNULL = open(os.devnull, 'w')
-    subprocess.check_call(['ssh-add', identity_file], stderr=DEVNULL)
+    identity_fp = subprocess.check_output(['ssh-keygen','-lf',identity_file]).decode('UTF-8') #Get SHA256 fingerprint of the identity file
+    try:
+      subprocess.check_call(['ssh-add', identity_file], stderr=DEVNULL)
+    except Exception:
+        logging.debug("Private Key has password")
     current = subprocess.check_output(['ssh-add', '-l']).decode('UTF-8')
-    if not re.search(re.escape(identity_file), current):
+    #if not re.search(re.escape(identity_file), current):
+    if not re.search(re.escape(identity_fp), current):
         logging.debug("Could not add '{}' to ssh-agent".format(identity_file))
         sys.stderr.write(
             "Couldn't add identity to ssh-agent")
@@ -722,21 +729,24 @@ def bless(region, nocache, showgui, hostname, bless_config):
                 SerialNumber=mfa_arn,
                 TokenCode=mfa_pin
             )['Credentials']
+
         except (ClientError, ParamValidationError):
             sys.stderr.write("Incorrect MFA, no certificate issued\n")
             sys.exit(1)
 
         if creds:
             save_cached_creds(creds, bless_config)
+
+        role_creds = get_blessrole_credentials(
+            aws.iam_client(), creds, bless_config, bless_cache)
+
         kmsauth_token = get_kmsauth_token(
-            creds,
+            role_creds,
             kmsauth_config,
             username,
             cache=bless_cache
         )
         logging.debug("Got kmsauth token: {}".format(kmsauth_token))
-        role_creds = get_blessrole_credentials(
-            aws.iam_client(), creds, bless_config, bless_cache)
 
     bless_lambda = BlessLambda(bless_lambda_config, role_creds, kmsauth_token, region)