#!/bin/sh
# For use with pam_exec.so
#
#   auth  optional  pam_exec.so  expose_authtok  /usr/lib/systemd/systemd-user-pam-ssh
#
# Takes a password from STDIN, starts the ssh-agent as a systemd user service,
# and decrypts the ssh key using the provided password, adding it to the agent.

# Handle inital checks as root
if [ $(id -u) = 0 ]
then
	# Don't execute if the systemd --user instance isn't running
	systemctl -q is-active user@$(id -u ${PAM_USER}) || exit 0

	# Re-execute this script as the user to add their key (while piping STDIN)
	cat | exec su ${PAM_USER} -c "$0 initialize"

# Handle adding the key as the user
else

  # Add key
  if [ "$1" = "initialize" ]; then
		# We need to specify the XDG_RUNTIME_DIR because pam_systemd won't have run
		export XDG_RUNTIME_DIR=/run/user/$(id -u)

		# Get the SSH_AUTH_SOCK variable from the user session
		export $(systemctl --user show-environment | grep ^SSH_AUTH_SOCK=)


		# Ensure the ssh-agent service is started
		systemctl --user start ssh-agent

		# Newer ssh-add won't read passphrase from stdin but will pipe it to askpass
		export SSH_ASKPASS="$0"
		cat | ssh-add
		exit 0
	
	# Double as askpass 
	else
		cat
    exit 0
	fi
fi