funtoo / keychain

keychain ssh-agent front-end
http://www.funtoo.org
GNU General Public License v2.0

Generate output file of bare environment variable assignments #116

Open scruloose opened 5 years ago

scruloose commented 5 years ago

It would be very helpful for keychain to produce an additional output file, similar to the ones it currently puts in .keychain/$HOSTNAME-foo, but consisting of only the environment variables in VARIABLE=value format, one per line, with no additional stuff.

This would provide an easy mechanism for people who want to use Keychain in an environment other than the supported shells to simply read the values from a file and use the syntax of whatever shell or scripting/programming language they're using to do the actual assignment.

My particular use-case for this is systemd 'system' services. I don't want to use keychain's built-in --systemd flag, because setting the env-vars globally for all 'system' units doesn't make sense. I can't source the $HOSTNAME-sh file because the .mount unit type has no Exec= or PreExec= directive, it's just hardcoded to call mount. Fortunately, there is the EnvironmentFile= directive, so any systemd unit of any type can read env-vars from a file and set them just for the scope of that unit. For example, one can load a passphrase-protected ssh key into a root-owned keychain, then set up a mount/automount pair of 'system' systemd units to do on-demand mounting of an sshfs share, IF one can set the SSH_AUTH_SOCK and SSH_AGENT_PID env-vars in the .mount unit file. Unsurprisingly, pointing the EnvironmentFile= directive at the $HOSTNAME-sh script fragment does not work.

Maybe some day the systemd people will fix Bug 73809 and 'user' .mount units using FUSE will be possible, but for now they can only be root-owned 'system' units. Other systemd-managed jobs that need to run as root, such as a nightly full-system backup to a remote server, would still face the same problem.

The workaround I'm using currently is a wrapper script around Keychain that uses cut -f1 -d ";" to strip the extraneous export statements from the $HOSTNAME-sh file and create a $HOSTNAME-env file from the result. I'm happy to report that this does work, and (contrary to all the howtos out there) it is possible to have sshfs on-demand automounts using a passphrase-protected key. It would be nice not to have to resort to the hacky wrapper script to do it, though.

I think the effort involved in implementing this would be minimal and, of course, the output file I'm requesting would offer an open-ended solution for anyone employing Keychain in whatever other unanticipated context their needs might dictate.
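As an added illustration of the workaround described in this request (example code, not part of the issue or of keychain itself): a small POSIX sh script that turns the `VAR=value; export VAR;` lines keychain writes to `~/.keychain/$HOSTNAME-sh` into the bare `VAR=value` lines that systemd's `EnvironmentFile=` expects. The sample input is constructed and the exact `-sh` file layout is assumed from common keychain output; `keychain_env_lines` and `write_env_file` are names chosen here. The conversion keeps only well-formed assignments to the two variables the unit needs, and the file is written with a restrictive umask and moved into place atomically, so a half-written or unexpected line never lands in a root unit's environment.

```shell
#!/bin/sh
# Added example, not keychain's own code: convert keychain's sh-style
# fragment into bare VAR=value lines for systemd's EnvironmentFile=.

# keychain_env_lines: read "VAR=value; export VAR;" lines on stdin and
# print bare "VAR=value" lines on stdout. Everything from the first ';'
# onward is dropped (the same idea as cut -f1 -d ';'), and only the two
# agent variables a unit actually needs are allowed through, so comments
# or other shell statements in the source file are never emitted.
keychain_env_lines() {
    sed 's/;.*$//' | grep -E '^SSH_(AUTH_SOCK|AGENT_PID)=[^[:space:]]+$'
}

# write_env_file SRC DST: convert SRC to DST. The temp file is created
# with umask 077 inside a subshell (caller's umask is untouched) and then
# renamed over DST, so readers only ever see a complete file.
write_env_file() {
    src=$1
    dst=$2
    tmp="$dst.tmp.$$"
    ( umask 077; keychain_env_lines <"$src" >"$tmp" ) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dst"
}

# Constructed sample of what keychain puts in $HOSTNAME-sh (assumed format;
# real socket paths and PIDs will differ).
SAMPLE_SH='SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.4242; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4243; export SSH_AGENT_PID;'

# Run with --demo to print the converted lines for the sample above.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SH" | keychain_env_lines
fi
```

A unit would then reference the generated file with `EnvironmentFile=/root/.keychain/HOSTNAME-env` (path assumed) and inherit only `SSH_AUTH_SOCK` and `SSH_AGENT_PID` for its own scope, which is the narrower alternative to the global `--systemd` behaviour the request wants to avoid.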

mrl5 commented 2 years ago

hello @scruloose - if you'd like to report a bug kindly use https://bugs.funtoo.org/

you can also reach us on Discord - for more info check https://www.funtoo.org/Welcome