Add ssh-agent (or equivalent)

[joeshaw]

Blink 0.916.26

Having to type in your passphrase repeatedly is a pain. It'd be nice if Blink had some sort of equivalent to ssh-agent so I could unlock my keys once when first required (or after some timeout) and they'd be used for all subsequent requests.

[joeshaw]

vaguely related to #58

[carloscabanero]

Agreed. Thinking about a way to make everything work together. Still haven't figured out a way to do TouchID that doesn't bother me. If you have any suggestions on what the experience would look like, please shoot :)

[melo]

I think TouchID is great, but only for those who have it :)

I would appreciate if the ssh-agent-like functionality would not be tied up to TouchID. I don't have a problem typing my passphrase, but please make it only once, then keep the unencrypted key in memory, just like ssh-agent does.

You could ask the passphrase just before connecting to a host that uses a key that is not present in your agent.

edited: I'm also following #58, the discussion is longer there...

[rcarmo]

Well, it's been a while, so I thought I'd bump this thread, for the following reasons:

• it's VERY tedious to keep typing in my pass phrase on every connection
• without agent forwarding, I can't check out git repos on the remote host

Both of these, put together, mean I can't currently use Blink effectively, so I've gone back to Prompt and am putting up with it's slowness...

[Blaok]

I would be strongly against storing the key in memory and prompt nothing when it is used, as ssh-agent does. I guess ssh-agent is designed for personal computera where access is restricted, instead of servers. The remote machine can be shared and someone else can ask for your key without your permission (at least that is my understanding, please let me know if that is not the case). Please at least ask for confirmation when the key stored in memory is requested, if this feature is added some day.

[docwhat]

I think the correct way, in iOS 10+, is to use the keychain to store the keys in. Let the keychain unlock and provide the keys for you. Then you don’t have problems with keeping unlocked keys in memory, etc.

[rcarmo]

And you can leverage TouchID, etc.

[rcarmo]

I’m going to bump this, since it’s been open since 2016 and is still the main reason I can’t use Blink daily.

[schelhorn]

Apparently, the mosh protocol does not support ssh-agent; the mosh people have therefore, after having having been asked for support, built their own agent implementation, which also is supposed to be compatible with ssh and offers additional security features, as is described in the research paper.

The implementation of the guardian-agent is located here. It's in go, though, so I don't know how integration into iOS will look like. Seems to be the clearly superior solution from a technical point of view, though.

May I suggest that this implementation could serve as basis for the blink agent support?

[brandonshough]

BUMP. :)

[tmm1]

The implementation of the guardian-agent is located here. It's in go, though, so I don't know how integration into iOS will look like.

FYI, you can use gomobile to generate obj-c bindings and a dylib for iOS.

[prg3]

I would disagree that this is Done from @yury's work, that adds agent to ssh connections, but doesn't deal with the Mosh connections at all? As @schelhorn mentions, guardian-agent appears to be the official Mosh supported way to have agent-like functionality.

[rcarmo]

Would be nice to have updated docs. The binaries are there, but without the niceties of a standard shell it’s tricky to set these up.

[rcarmo]

How far along is this? I’ve been checking in every 6 months, and keep using Prompt because a) it understands agents and b) it stores the password for my private key.

Every time I fire up Blink after an update I keep bumping up against it not even saving the private key password (and no, logging in via a password to many servers is not feasible - some I don’t even have passwords for, just the key).

[brandonshough]

Keep dreaming @rcarmo

[yury]

Agents are working, just run ssh-agent in separate tab and run ssh-agent.

Private key passwords are rudimental thing since we storing keys in Secure Enclave.

[rcarmo]

Exactly why do I need to run ssh-agent on a separate tab? Last time I tried there was no documentation about that (only comments on issues here), and I would expect it to be integrated into options...

[yury]

Agreed here, we need better integration.

[rcarmo]

And docs. I’m trying ssh-agent right now, and ssh-add apparently does nothing (no idea where it’s looking for keys).

[yury]

ssh-add <key_name> like ssh-add id_rsa
or path to your key in file system.

[rcarmo]

Thanks. Not having a default nor any output from the command when invoked without arguments made it hard to figure out.

Too bad this needs to be done every time I start the app, it’s quite kludgy.

[yury]

Yep, agreed here too. That is why this issue is not closed yet.

[rcarmo]

Any progress on this? I’ve just had another run in with ssh_agent and really wish this was seamless and only needed to be done once.

[yury]

Not yet, sir.

[rcarmo]

Hi there again. I was wondering what was the state of affairs here, since I tried Blink again and I still can’t seem to get ssh-agent to work seamlessly (sometimes not at all).

[dakira]

@rcarmo This has been working flawless for me for a very long time. It would certainly be nice if it were easier to use (i.e. the agent running automatically and keys being added automatically) but it's really not that much of an inconvenience.

1. run ssh-agent
2. douple-tap for new terminal
3. run ssh-add id_rsa (or whatever your key is called)
4. connect normally (i.e. ssh -A user@server).

As ctrl+R works, the setup takes seconds.

[carloscabanero]

The agent functionality was improved a few releases ago.

I agree maybe the agent could run in the background or prompt if you would like to store it within the agent every time, just for convenience. But reality is that for this to be secure, and considering how often iOS clears the app from the background, you will get prompted often anyway.

Having a passphrase for your key on Blink is less necessary as keys are kept within the Secure Enclave anyway, which is already an encrypted area. So you may be better just getting rid of it.

If you may still need it for some reason, it would help to know exactly what isn’t working, other than the UI. Is there anything different when it works and when it doesn’t? What key type of key is it? What type of encoding and encryption?

The agent has been considered to work for a long time, we even have started to add support for hardware keys to it. We want to definitely make it better and for the UI we added some stuff in this Blink 13 so we can finally finish the implementation. But the UI won’t be enough with the “sometimes it works and sometimes doesn’t”

[rcarmo]

Hi there. I very strongly disagree that it would be OK to get rid of the private key passphrase - I do not want any of my private keys to be potentially unguarded on any system, regardless of where they are stored, and favor explicit unlocking of them.

And yes, the UI is the matter here, since manually starting an agent every time I open Blink (which, incidentally, currently gets killed randomly by iOS 13.2 every time it goes to the background) is untenable (even if 13.2 gets fixed).

The agent does work, except for agent forwarding (for some reason it has never really worked for me, whereas Panic's Prompt "just works").

But I really want to use Blink, and would prefer the experience be as seamless as possible - i.e., that the agent be started in the background, and that the private key password be stored as well and provided automatically upon connection, mirroring the experience I have on Linux and macOS with keychain (get prompted to unlock key upon first connection, then never again).

An option to explicitly use TouchID/FaceID to unlock keys would also be welcome, but that is almost orthogonal to the agent experience.

[carloscabanero]

100% agree on the Agent in the background without requiring to explicitly start it. I may agree on the extra Passphrase for the private key, although the Secure Enclave is a HW encrypted area too, I understand some cases require extra security.

Will take another look at agent forwarding, but would help to know which cases it isn’t working for you or for what type of keys. We have been able to even forward keys into our Bunkr agent.

Now to the important we should decide on functionality, here is the trick:

On Linux and MacOS, the agent can keep the private key decrypted in memory (or the Passphrase, which is equivalent), and survive some time until the agent is required to be locked again. In iOS keeping it in memory will require for you to introduce it again every time it gets removed from memory.

So the experience will never be the same no matter what. It will be difficult to reproduce the “introduce it once and forget”.

We could keep the Passphrase for the key also stored within the Secure Enclave, and then use TouchID/FaceID. I would discard this method though as it would be the same as just keeping the Private Key without the Passphrase.

We could investigate if maybe we could use the “Secure Enclave” for temporary secure storage. So under some conditions the decrypted key would get removed from there. Not sure about the conditions or possibilities of the API though.

Any other ideas?

[carloscabanero]

It took us a while but I am happy to report that on 13.90.3.273 we have a new built-in Agent. The agent should just work and it does not require any special loading outside, just load the keys and you are good to go from anywhere. We have a deeper integration now and we are getting ready a few cooler things as well.

Want to say that although it took us a while to get this done, Blink has grown a lot in the last years and we can now finally put more resources in order to get more things out the door. You will see us pushing a lot of these old issues now :)

[ssgelm]

This is super exciting! I tried the beta and had two small issues:

• Keys that were there pre-upgrade can't be added to the agent. I had to delete and re-add the key, otherwise it said "invalid format"
• ssh-add -l doesn't work - it either segfaults or complains about missing the key name.

Regardless this is very cool and works great!

[carloscabanero]

Nice catch! It looks like I forgot to cleanup the keys before adding them to the agent, will fix on next version.

On ssh-add -l, it should be available next week. We just wanted people to start testing this asap.

[ssgelm]

Awesome! While I'm asking, would it be possible to get a toggle in the key settings page to auto-add to the agent? Not at all a big deal but it'd be nice to save the typing.

[carloscabanero]

Yeah, so now we can actually create multiple agents, for each type of "environment", kinda like suggested here: http://rabexc.org/posts/pitfalls-of-ssh-agents. The idea is to provide a simple interface where you attach keys to agents and then the agent to the host.

[ssgelm]

Ah that sounds amazing. Feel free to reach out if you need help testing any of this!

[carloscabanero]

Sure! We have it available on TestFlight, send us a DM over Twitter or Discord if you would like to give it a try.

[dakira]

This works perfectly for me, thanks!

ssh-add <keyname>
ssh -A jumhost
ssh finalhost

[carloscabanero]

You can now also use -J for the Jumphost sequence (one or many separated by commas)

[rsepassi]

This is great! Any plans to support Mosh as well with guardian?

[rverrips]

Similar, but different - 1Password can now store and securely provide ssh keys on MacOS with the following ssh config

Host *
	IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

Would need to check with that team, but I'd assume the 1Password iOS App could be setup to do the same if there were a sh that would use it Hint Hint