Cryptostick on Ubuntu

We use the following Puppet recipe to get our CryptoStick (v1.2) working on Ubuntu. It also lets gpg-agent act as the ssh-agent. There might be unnecessary code in here, but I'm too lazy to remove it :) Do leave me a message if you find mistakes or if it helped you! Run Puppet as root (`sudo` is enough): the manifest appends to files under /etc and /usr/share, installs packages, adds udev rules and changes the ownership of files in the user's home directory, so read it through before applying it to your own machine. Reboot after it has been applied.

## VARIABLES - CHANGE THESE

# Login name of the user whose ~/.xsession, ~/.gnupg and GConf settings
# are managed further down.
$user = 'tim'

You probably no longer need to change these, but check them against the USB IDs your reader actually reports (e.g. in the output of `lsusb`) just in case.

# USB vendor/product IDs of the SCM card reader that the udev rule further
# down matches on.  NOTE(review): 04e6/5115 look like an SCM Microsystems
# reader; compare with `lsusb` if a different reader is in use.
$vendorId  = '04e6'
$productId = '5115'

DON'T CHANGE BELOW THIS LINE

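# Ensure that one exact line is present in, or absent from, a file.
#
# Parameters:
#   $file    - path of the file to edit (required)
#   $content - the exact line; when false (the default) the resource title
#              is used as the line
#   $ensure  - "present" appends the line if it is missing,
#              "absent" strips every line that matches exactly;
#              anything else fails the catalog
#
# Matching is whole-line and literal (grep -Fx, perl \Q..\E), so regex
# metacharacters in $content are harmless.  Shell quoting is NOT handled:
# $content and $file are interpolated into a command inside single quotes,
# so a value containing a single quote breaks the command (and could inject
# shell syntax).  Only use this with values controlled by the manifest.
define line ( $ensure = "present", $file, $content = false ) {

    # Puppet does not allow a variable to be reassigned in the scope it was
    # set in, so the old `$content = $name` inside an if either fails with
    # "Cannot reassign variable" or, on releases where conditionals opened a
    # sub-scope, never reached the execs below.  A selector into a fresh
    # variable works everywhere; '' is treated like false to keep the old
    # "empty content means use the title" behaviour.
    $real_content = $content ? {
        false   => $name,
        ''      => $name,
        default => $content,
    }

    case $ensure {
        present: {
            # Append only when an identical line is not already there.
            # -q: we only need grep's exit status, not the matched line.
            exec { "line $name":
                command => "/bin/echo '${real_content}' >> '${file}'",
                unless  => "/bin/grep -qFx '${real_content}' '${file}'",
            }
        }
        absent: {
            # In-place deletion of every exactly matching line.
            exec { "line $name":
                command => "/usr/bin/perl -ni -e 'print unless /^\\Q${real_content}\\E\$/' '${file}'",
                onlyif  => "/bin/grep -qFx '${real_content}' '${file}'",
            }
        }
        default: {
            fail("Unknown ensure value: ${ensure}.")
        }
    }

}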

# Build /usr/share/xsessions/default.desktop one line at a time so that the
# display manager offers a "default" session (Exec=default, presumably the
# stock Xsession, which then honours ~/.xsession).  Every key requires the
# "[Desktop Entry]" header resource so the group header is written first;
# the order of the keys after it does not matter.  "Encoding" is a
# deprecated key of the Desktop Entry spec, kept for older display managers.
line {
    "Start of default.desktop":
        file    => "/usr/share/xsessions/default.desktop",
        content => "[Desktop Entry]";

    "default.desktop, Encoding":
        file    => "/usr/share/xsessions/default.desktop",
        content => "Encoding=UTF-8",
        require => Line["Start of default.desktop"];

    "default.desktop, Name":
        file    => "/usr/share/xsessions/default.desktop",
        content => "Name=default",
        require => Line["Start of default.desktop"];

    "default.desktop, Comment":
        file    => "/usr/share/xsessions/default.desktop",
        content => "Comment=Default session",
        require => Line["Start of default.desktop"];

    "default.desktop, Exec":
        file    => "/usr/share/xsessions/default.desktop",
        content => "Exec=default",
        require => Line["Start of default.desktop"];

    "default.desktop, Type":
        file    => "/usr/share/xsessions/default.desktop",
        content => "Type=Application",
        require => Line["Start of default.desktop"];
}

I am not sure this part is still needed. It only appends default assignments of the form `${VAR:-default}`, so it should do no harm, but note that `01x11-common_setup-vars` appears to be a conffile of the x11-common package, so dpkg may report it as locally modified on upgrades.

# Default values for the Xsession variables, appended to
# /etc/X11/Xsession.d/01x11-common_setup-vars.  The Puppet strings are
# single-quoted on purpose: `${VAR:-default}` must reach the file verbatim
# as shell syntax instead of being interpolated by Puppet.
line {
    "Xsession: OPTIONFILE":
        file    => "/etc/X11/Xsession.d/01x11-common_setup-vars",
        content => 'OPTIONFILE=${OPTIONFILE:-/etc/X11/Xsession.options}';

    "Xsession: SYSRESOURCES":
        file    => "/etc/X11/Xsession.d/01x11-common_setup-vars",
        content => 'SYSRESOURCES=${SYSRESOURCES:-/etc/X11/Xresources}';

    "Xsession: USRRESOURCES":
        file    => "/etc/X11/Xsession.d/01x11-common_setup-vars",
        content => 'USRRESOURCES=${USRRESOURCES:-$HOME/.Xresources}';

    "Xsession: SYSSESSIONDIR":
        file    => "/etc/X11/Xsession.d/01x11-common_setup-vars",
        content => 'SYSSESSIONDIR=${SYSSESSIONDIR:-/etc/X11/Xsession.d}';

    "Xsession: USERXSESSION":
        file    => "/etc/X11/Xsession.d/01x11-common_setup-vars",
        content => 'USERXSESSION=${USERXSESSION:-$HOME/.xsession}';

    "Xsession: USERXSESSIONRC":
        file    => "/etc/X11/Xsession.d/01x11-common_setup-vars",
        content => 'USERXSESSIONRC=${USERXSESSIONRC:-$HOME/.xsessionrc}';

    "Xsession: ALTUSERXSESSION":
        file    => "/etc/X11/Xsession.d/01x11-common_setup-vars",
        content => 'ALTUSERXSESSION=${ALTUSERXSESSION:-$HOME/.Xsession}';

    "Xsession: ERRFILE":
        file    => "/etc/X11/Xsession.d/01x11-common_setup-vars",
        content => 'ERRFILE=${ERRFILE:-$HOME/.xsession-errors}';
}

We need these packages.

# Packages the recipe relies on: gpg-agent (with its ssh-agent emulation),
# a GTK PIN-entry dialog, the ssh client, gpgsm, and pcscd (the PC/SC
# smart-card reader daemon).
package { [
        "gnupg-agent",
        "pinentry-gtk2",
        "openssh-client",
        "gpgsm",
        "pcscd",
    ]:
    ensure => 'installed',
}

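# Wire gpg-agent into the X session, stop Xsession from starting a competing
# ssh-agent, make gpg use the agent, and have udev reset scdaemon whenever
# the reader or the stick is plugged in.
#
# The Line[] appends below run as root.  Without the two file resources
# here, the append to gpg.conf fails when ~/.gnupg does not exist yet, and
# otherwise leaves a root-owned gpg.conf in the user's ~/.gnupg (gpg warns
# about configuration files with unsafe ownership).  ~/.gnupg is also where
# the gpg-agent line below writes its env file at login.
file {
    "/home/${user}/.gnupg":
        ensure => directory,
        owner  => "${user}",
        mode   => "0700";

    "/home/${user}/.gnupg/gpg.conf":
        ensure  => file,
        owner   => "${user}",
        mode    => "0600",
        require => File["/home/${user}/.gnupg"];
}

line {
    # Xsession must not start ssh-agent: gpg-agent takes over that role.
    "Disable use-ssh-agent in Xsession.options":
        ensure  => absent,
        file    => "/etc/X11/Xsession.options",
        content => "use-ssh-agent";

    # ~/.xsession: the shebang has to be the first line, hence the require
    # on the gpg-agent line.
    "Personal xsession start":
        ensure  => present,
        file    => "/home/${user}/.xsession",
        content => "#!/bin/bash";

    # `$(hostname)` is not a Puppet interpolation form and is written out
    # verbatim, so the shell evaluates it at login.
    "Start gpg-agent with the correct variables from .Xsession":
        ensure  => present,
        file    => "/home/${user}/.xsession",
        content => "eval $(/usr/bin/gpg-agent --daemon --sh --write-env-file=/home/${user}/.gnupg/gpg-agent-info-$(hostname) --enable-ssh-support)",
        require => Line["Personal xsession start"];

    # Lets the display manager run every user's ~/.xsession.
    "Make sure X11 reads user options":
        ensure  => present,
        file    => "/etc/X11/Xsession.options",
        content => "allow-user-xsession";

    # udev rules.  ATTR{} replaces the old SYSFS{} key (consistent with the
    # second rule; newer udev no longer understands SYSFS), and RUN+= is the
    # key meant for side-effect commands (PROGRAM is a match key whose exit
    # status decides whether the rule matches).
    # Security note: udev runs this as root for ANY USB device presenting
    # these IDs / this product string, so any local user who plugs one in
    # kills every scdaemon on the box.  A nuisance, not an escalation;
    # gpg-agent is expected to respawn scdaemon on next use (confirm).
    "Kill scdaemon when we insert a new card in the SCM reader":
        ensure  => present,
        file    => "/etc/udev/rules.d/smartcard.rules",
        content => "ACTION==\"add\", SUBSYSTEM==\"usb\", ATTR{idVendor}==\"${vendorId}\", ATTR{idProduct}==\"${productId}\", RUN+=\"/usr/bin/killall -9 scdaemon\"";

    "Kill scdaemon when we insert a cryptocard":
        ensure  => present,
        file    => "/etc/udev/rules.d/smartcard.rules",
        content => 'ACTION=="add", SUBSYSTEM=="usb", ATTR{product}=="Crypto Stick v1.2", RUN+="/usr/bin/killall -9 scdaemon"';

    "Make gnupg use the agent":
        ensure  => present,
        file    => "/home/${user}/.gnupg/gpg.conf",
        content => "use-agent",
        require => File["/home/${user}/.gnupg/gpg.conf"];
}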

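# ~/.xsession is created by the root-run Line[] appends above, so hand it
# to the user and make it executable (the display manager runs it as the
# user).  The mode is quoted: an unquoted 755 is a number to Puppet, which
# newer releases warn about or reject.
file { "/home/${user}/.xsession":
    ensure => file,
    owner  => "${user}",
    mode   => "0755",
}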

Remove these two autostart entries, which start gnome-keyring's SSH and GPG agent components at login; left in place they would compete with the gpg-agent started from ~/.xsession.

# Keep gnome-keyring from autostarting its SSH and GPG agent components in
# every desktop session, so they do not compete with the gpg-agent started
# from ~/.xsession.  These files presumably belong to the gnome-keyring
# package, so an upgrade may bring them back; Puppet removes them again on
# its next run.
file { "/etc/xdg/autostart/gnome-keyring-ssh.desktop":
    ensure => absent,
}

file { "/etc/xdg/autostart/gnome-keyring-gpg.desktop":
    ensure => absent,
}

Change the GNOME settings: also switch off gnome-keyring's SSH agent component in the user's GConf configuration.

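# Tell gnome-keyring not to run its SSH agent component, so it does not
# compete with gpg-agent's ssh support.  The setting lives in the user's own
# GConf tree, hence `su - ${user}` rather than running gconftool-2 as root.
#
# The `unless` check uses POSIX `test "..." = false` with the command
# substitution quoted.  The previous `[ $(...) == "false" ]` is a bash-only
# comparison: with a dash/sh login shell, or when gconftool-2 prints
# nothing, the test errors out and the exec would run on every Puppet run.
exec { "/bin/su - ${user} -c '/usr/bin/gconftool-2 --set -t bool /apps/gnome-keyring/daemon-components/ssh false'":
    unless => "/bin/su - ${user} -c 'test \"$(/usr/bin/gconftool-2 --get /apps/gnome-keyring/daemon-components/ssh)\" = false'",
}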
