Support for ssh-keys with passphrases #4
Comments
It's cool that asking for your password is working at all! In my past experience it doesn't work at all. I guess Rage has support for it. This may be an upstream bug with Rage; I have to look into it more.
Post about why SSH key passwords might not be so useful: https://groups.google.com/g/age-dev/c/Xe6zW4haGx8/m/m_jYh7YTAgAJ
One weird thing is that it doesn't work on the first try. Maybe it's trying to decrypt every key or something. I was using 2 for my test.
I'm not sure passphrase-protected ssh keys will stop being the norm anytime soon.
Oh, I'm remembering better now. It wasn't that it doesn't support asking for the password; the problem is it doesn't support the ssh-agent, so it asks for the password EVERY time. So, say you rekey 20 secrets, it asks you for the password 20 times.
I added a notice warning people about password-protected ssh keys not working well: https://github.com/ryantm/agenix#notices
I confirmed that I have the same problem with echoing mentioned in the top post.
Status for discoverability: rage has a plugin interface, but ssh-agent doesn't expose the raw key, so an age-aware agent would need to be written (or an existing agent extended): str4d/rage#160 (comment)
I can confirm that the repeated asking for the password of your ssh key comes from rage and is not a problem with nixage. You can switch to the original age implementation, which doesn't suffer from this issue: https://github.com/ryantm/agenix#overriding-age-binary You will still get asked for the password for every operation on age files, but at least only once. So if you only want to edit one single file you only get asked once, which is fine. For rekeying this is still annoying, but at least it works correctly. Teaching age how to use the ssh agent for key retrieval would be a nice feature, but it has to be requested with the age or rage project and not with nixage, I guess.
Actually, if you need to rekey 20 secrets with 5 keys, you will have to enter your password 100 times.
For reference, here is the author's reasoning:
I am wondering how passphrase-protected SSH keys can work when the agenix.service is running oneshot to symlink all secrets. I tried that and the service died because there is no prompt where I can enter the ssh key passphrase. So would that then work automatically if age would support an agent? Is the agent like the
If I run `agenix -e secret1.age` and hit CTRL+C when it's asking for my passphrase, then if I try to type stuff in my prompt, I don't see what I type. Maybe it's a problem with the askpass thing or whatever.
Feel free to rename the issue's title.