Support OpenSSH 8.9 destination constraints. #296

Closed
korrone opened this issue Mar 25, 2020 · 3 comments

korrone commented Mar 25, 2020

Hi,
I just set up PuTTY with KeePass/KeeAgent to log in to my server box. All works fine except this one little thing: I have several users with each having their own keys plus my administrative account (root). As an Administrator I have all those user-keys in my KeePass database and profiles for each user account with their respective user-ID configured in PuTTY.
Is there an easy way to tell KeeAgent the user-ID from PuTTY so that the agent immediately returns the appropriate key instead of giving me the list of keys to select the appropriate one manually?
(Sometimes I want to act as the user instead of being administrator. I know I could su.)

@codewing

I think the currently preferred way of setting up this behavior would be this:
https://keeagent.readthedocs.io/en/stable/usage/tips-and-tricks.html

I think it would be incredibly useful if we could specify username@server combinations for each ssh key in their respective config instead of this somewhat tedious process.

@bootstrap-prime

It would be a good idea to check out the new ssh-add functionality coming in OpenSSH 8.9; it will support this workflow.
From https://www.openssh.com/agent-restrict.html:

OpenSSH 8.9 will include an experimental set of agent restrictions that meet the above requirements, though with some caveats (discussed below). These are built around some two simple agent protocol extensions and a small modification to the public key authentication protocol.

These extensions allow the user to add destination constraints to keys they add to a ssh-agent and have ssh enforce them. For example, this command:

$ ssh-add -h "perseus@cetus.example.org" \
          -h "scylla.example.org" \
          -h "scylla.example.org>medea@charybdis.example.org" \
          ~/.ssh/id_ed25519

Adds a key that can only be used for authentication in the following circumstances:

From the origin host to scylla.example.org as any user.
From the origin host to cetus.example.org as user perseus.
Through scylla.example.org to host charybdis.example.org as user medea.

Could an implementer investigate this, and coordinate with keepassxreboot/keepassxc#1721?
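
A simplified model of how the three `-h` constraints quoted above are evaluated, added here as an example; it is not code from KeeAgent or OpenSSH. It assumes literal hostname and user-name comparison (OpenSSH resolves the hostnames to host keys from known_hosts), and `Hop`, `parse_constraint` and `permits` are hypothetical names.

```python
from typing import List, NamedTuple, Optional


class Hop(NamedTuple):
    src: Optional[str]   # None means the origin host (where the agent runs)
    dst: str
    user: Optional[str]  # None means any user


def parse_constraint(spec: str) -> Hop:
    """Parse one `ssh-add -h` argument of the form [src>][user@]dst."""
    src, sep, rest = spec.partition(">")
    if not sep:
        src, rest = None, spec
    user, at, dst = rest.rpartition("@")
    if (sep and (not src or "@" in src)) or (at and not user) \
            or not dst or ">" in dst:
        raise ValueError(f"malformed destination constraint: {spec!r}")
    return Hop(src, dst, user if at else None)


def permits(constraints: List[Hop], path: List[str], user: str) -> bool:
    """True if the key may authenticate `user` on the last host of `path`.

    `path` lists the hosts traversed from the origin, in order. Every hop
    must match some constraint; the user is checked on the final hop only
    (model assumption: intermediate hops are matched on hosts alone).
    """
    if not path:
        return False
    prev = None  # the first hop starts at the origin host
    for i, host in enumerate(path):
        last = i == len(path) - 1
        if not any(c.src == prev and c.dst == host
                   and (not last or c.user in (None, user))
                   for c in constraints):
            return False
        prev = host
    return True


# The three constraints from the quoted ssh-add command.
CONSTRAINTS = [parse_constraint(s) for s in (
    "perseus@cetus.example.org",
    "scylla.example.org",
    "scylla.example.org>medea@charybdis.example.org",
)]

if __name__ == "__main__":
    for path, user in ((["scylla.example.org"], "root"),
                       (["charybdis.example.org"], "medea")):
        print(path, user, permits(CONSTRAINTS, path, user))
```

The direct connection to charybdis.example.org is refused because the only constraint naming it requires the hop to start at scylla.example.org.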

dlech changed the title from "Auto-pick associated key for user" to "Support OpenSSH 8.9 destination constraints." on Jan 29, 2022
ghost mentioned this issue Feb 27, 2022
dlech added this to key selection in Enhancements May 23, 2022
dlech added a commit that referenced this issue May 26, 2022
dlech (Owner) commented Jul 17, 2022

Support for destination constraints has been added in https://github.com/dlech/KeeAgent/releases/tag/v0.13.1
