The goal of this script is to share a locally plugged HSM with a remote host over an SSH tunnel.
The script is written to be launched on the local machine, so that the token plugged into it is shared with the remote.
PKI and HSM in a SME
This script is part of the tutorial I wrote, called PKI and HSM in an SME.
You can view it here: https://fladnag.net/?page_id=167
- A local machine (tested on Debian 9 stretch amd64)
- A remote machine (tested on Debian 9 stretch amd64)
- An HSM (tested with a Nitrokey)
- The PKCS#11 library used to talk to your HSM (tested with OpenSC, which supports the Nitrokey)
- p11-kit built from source on BOTH the local and the remote machine (the Debian stretch package is not recent enough for the remote functionality to work)
- The p11-kit-client systemd service (see below)
- Show the user the parameters used by the script
- Enable and start the local and remote systemd user service if needed
- Check whether a sharing is already in progress on the remote
- Test that the local and remote PKCS#11 providers are present
- Start sharing the first (and only) token found, from local to remote
- Test that the remote can see the SSH-tunneled token
- Test whether EJBCA is present on the remote
- Restart EJBCA on the remote
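The sharing sequence above, as an added shell example (not the tutorial's own script): it starts `p11-kit server` for the OpenSC module locally, parses the socket path and PID the server prints, forwards that Unix socket to the remote with an SSH reverse forward, checks from the remote with p11tool, and tears everything down again. The SSH destination, the module paths, the use of p11tool on the remote, and the assumption that both machines use the same UID (so the socket path is identical on both ends) are assumptions; the server output fed to the parser is a constructed sample.

```shell
#!/bin/sh
# Added example (not the page's script): share the first local PKCS#11 token
# with a remote host using `p11-kit server` + an SSH reverse Unix-socket forward.
set -eu

REMOTE="${REMOTE:-user@remote.example}"   # assumed SSH destination
# Assumed module paths: OpenSC from the Debian package, p11-kit-client.so from
# a p11-kit built from source (the stretch package is too old for remoting).
PROVIDER="${PROVIDER:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"
CLIENT_MODULE="${CLIENT_MODULE:-/usr/local/lib/pkcs11/p11-kit-client.so}"
# Directory created by the p11-kit-client user unit (RuntimeDirectory=p11-kit).
# The same path is reused on the remote, which assumes the same UID on both ends.
RUNDIR="/run/user/$(id -u)/p11-kit"

# `p11-kit server` daemonizes and prints shell assignments meant for eval; this
# constructed sample has the shape of that output. We parse it instead of eval-ing it.
SAMPLE_SERVER_OUTPUT='P11_KIT_SERVER_ADDRESS=unix:path=/run/user/1000/p11-kit/pkcs11-4242; export P11_KIT_SERVER_ADDRESS;
P11_KIT_SERVER_PID=4242; export P11_KIT_SERVER_PID;'

socket_from_server_output() {
    printf '%s\n' "$1" | sed -n 's/^P11_KIT_SERVER_ADDRESS=unix:path=\([^;]*\);.*/\1/p'
}

pid_from_server_output() {
    printf '%s\n' "$1" | sed -n 's/^P11_KIT_SERVER_PID=\([0-9]*\);.*/\1/p'
}

# ssh -R spec for a Unix socket: remote_path:local_path (same path on both sides).
forward_spec() {
    printf '%s:%s' "$1" "$1"
}

# Environment the remote side needs so p11-kit-client.so finds the forwarded socket.
client_env() {
    printf 'P11_KIT_SERVER_ADDRESS=unix:path=%s' "$1"
}

remote_sharing_in_progress() {
    # A pkcs11-* socket already present in the remote RUNDIR means a share is active.
    ssh "$REMOTE" "ls $RUNDIR/pkcs11-* >/dev/null 2>&1"
}

share_token() {
    [ -r "$PROVIDER" ] || { echo "local provider $PROVIDER missing" >&2; exit 1; }
    ssh "$REMOTE" "test -r $CLIENT_MODULE" || { echo "remote p11-kit-client.so missing" >&2; exit 1; }
    if remote_sharing_in_progress; then
        echo "a share is already active on $REMOTE; run the cleanup first" >&2; exit 1
    fi
    # "pkcs11:" matches every token; the server exposes the first (and only) one found.
    out=$(p11-kit server --provider "$PROVIDER" "pkcs11:")
    sock=$(socket_from_server_output "$out")
    pid_from_server_output "$out" > "$RUNDIR/server.pid"
    # StreamLocalBindUnlink removes a stale remote socket file before binding;
    # -M/-S keep a control socket so the tunnel can be closed cleanly later.
    ssh -f -N -M -S "$RUNDIR/ssh-ctl" -o StreamLocalBindUnlink=yes \
        -R "$(forward_spec "$sock")" "$REMOTE"
    # Can the remote see the token through the tunnel?
    ssh "$REMOTE" "$(client_env "$sock") p11tool --provider=$CLIENT_MODULE --list-tokens"
}

stop_sharing() {
    ssh -S "$RUNDIR/ssh-ctl" -O exit "$REMOTE" 2>/dev/null || true
    if [ -r "$RUNDIR/server.pid" ]; then
        kill "$(cat "$RUNDIR/server.pid")" 2>/dev/null || true
        rm -f "$RUNDIR/server.pid"
    fi
    rm -f "$RUNDIR"/pkcs11-*
    ssh "$REMOTE" "rm -f $RUNDIR/pkcs11-*"
}

case "${1:-}" in
    share) share_token ;;
    stop)  stop_sharing ;;
esac
```

Run it as `sh share.sh share` to start sharing and `sh share.sh stop` to tear the tunnel and server down. The parser exists because the server's output is meant for `eval`; extracting the two values with `sed` keeps a stray line in that output from being executed as shell.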
Clean up script
If you run into a problem, or the main script seems stuck for more than a minute, interrupt it,
run cleanup.sh, then try again.
p11-kit client Systemd Service (to do on local and remote machines)
Its only goal is to create the p11-kit folder under /run/user/`id -u` (RuntimeDirectory= in a user unit
is created below $XDG_RUNTIME_DIR), where the Unix socket file will be kept, on both the local and the remote machine.
You need to have the following service to be created at
    [Unit]
    Description=p11-kit client

    [Service]
    Type=oneshot
    RemainAfterExit=true
    RuntimeDirectory=p11-kit
    ExecStart=/bin/true

    [Install]
    WantedBy=default.target
After installation, don't forget to run
    $ systemctl --user daemon-reload
and then
    $ systemctl --user enable p11-kit-client.service && systemctl --user start p11-kit-client.service
You can check everything is OK with
    $ ls /run/user/`id -u`/
If a p11-kit folder exists, we're okay to go :)