The goal of this script is to share a locally plugged HSM to a remote host using SSH tunnel.
This script is written to be launched on the local machine, so the token plugged in is shared to remote.
This script is part of the tutorial i wrote called PKI and HSM in a SME.
You can view it here: https://fladnag.net/?page_id=167
You'll need:
- A local machine (tested on Debian 9 stretch amd64)
- A remote machine (tested on Debian 9 stretch amd64)
- A HSM (tested with a Nitrokey)
- The PKCS11 library to communicate to your HSM (tested with OpenSC, as Nitrokey is a OpenSmartCard implementation)
- Compiled p11-kit on local AND remote machine (Debian stretch one is not recent enough to have the remote functionality working)
- The p11-kit-client systemd service (see below)
- Present user the parameters used for the script
- Enable and start local and remote systemd user service if needed
- Look if a sharing is already in progress on the remote
- Test if local and remote PKCS11 providers are present
- Start the token sharing on the first (and only one) token found, from local to remote
- Test if remote can see the SSH-tunneled token
- Test if EJBCA is present on remote
- Restart EJBCA on remote
In case you have a problem, or main script seems stuck for more than a minute, interrupt execution of remote-hsm.sh
and execute cleanup.sh
, then try again.
Its only goal is to create a folder in /run/user/`id -u`
where the Unix socket file will be kept, locally and remotely.
You need to have the following service to be created at ~/.config/systemd/user/p11-kit-client.service
:
[Unit]
Description=p11-kit client
[Service]
Type=oneshot
RemainAfterExit=true
RuntimeDirectory=p11-kit
ExecStart=/bin/true
[Install]
WantedBy=default.target
After installation, don't forget to run $ systemctl --user daemon-reload
and systemctl --user enable p11-kit-client.service && systemctl --user start p11-kit-client.service
.
You can check everything is ok with $ ls /run/user/`id -u`/
: if a p11-kit
folder exists, we're okay to go :)