Is an ssh-agent contribution welcome?

[ryantm]

I have an application where many files need to be decrypted and re-encrypted at the same time, and support for ssh-agent in decrypting password protected ssh keys would be really nice.

@str4d, are you open to a contribution that adds support for ssh-agent?

[str4d]

The plan for agent support is that we first get plugin support (#99) finished and merged, and then the plugin protocol can be used to implement an agent, by having a short-lived agent plugin that calls out to the long-lived agent process. It should be possible to write an age plugin that literally just wraps ssh-agent.

[jstasiak]

I've also been looking at this and I'm not sure if the ssh-agent protocol allows age-compatible decryption, the one operation using private key it can perform is generating signatures, while (r)age need access to the raw private key, right?

https://github.com/leighmcculloch/sshcrypt works around this by signing a challenge through ssh-agent and using the signature as the symmetric encryption key.

[str4d]

Aah, darn. In that case, it will need to be part of an age-aware agent, but would still be implemented as a plugin.

[RaitoBezarius]

Without re-opening the issue, I am wondering if it is possible to implement a "re-use passphrase" feature in rage, e.g. by intercepting the passphrase and giving it again to further invocations of rage in some way?

I would try to use SSH_ASKPASS to do it properly, it seems like rage supports pinentry programs, but I have not been able to make it use it, it would be nice if there was AGE_PINENTRY or something, so I can be certain rage is finding the binary I am providing.

[RaitoBezarius]

An interesting finding would be to reuse existing infrastructure around keyctl, kernel keyring and systemd-ask-password if possible rather than pinentry: https://antofthy.gitlab.io/info/crypto/passwd_input.txt so it is easy to leverage password caching (with a frontend flag --accept-cached) and would be really cool.