
Is an ssh-agent contribution welcome? #160

Closed
ryantm opened this issue Dec 18, 2020 · 5 comments

Comments

@ryantm
Contributor

ryantm commented Dec 18, 2020

I have an application where many files need to be decrypted and re-encrypted at the same time, and support for ssh-agent in decrypting password protected ssh keys would be really nice.

@str4d, are you open to a contribution that adds support for ssh-agent?

@str4d
Owner

str4d commented Dec 29, 2020

The plan for agent support is that we first get plugin support (#99) finished and merged, and then the plugin protocol can be used to implement an agent, by having a short-lived agent plugin that calls out to the long-lived agent process. It should be possible to write an age plugin that literally just wraps ssh-agent.

@ryantm ryantm closed this as completed Dec 30, 2020
@jstasiak

I've also been looking at this, and I'm not sure the ssh-agent protocol allows age-compatible decryption: the one operation using a private key it can perform is generating signatures, while (r)age needs access to the raw private key, right?

https://github.com/leighmcculloch/sshcrypt works around this by signing a challenge through ssh-agent and using the signature as the symmetric encryption key.
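The sshcrypt-style workaround described above, as an added example that is not code from this thread, from rage, or from sshcrypt: the ssh-agent sign request and response framing, a check that only deterministic signature schemes are used (an ECDSA signature changes on every call, so the derived key would not be reproducible), and an HKDF step that turns the signature into a symmetric key. The salt and info labels are constructed placeholders.

```python
import hashlib, hmac, os, socket, struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent)
SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 13, 14
SSH_AGENT_RSA_SHA2_256 = 2
# Only deterministic schemes give a stable key; ECDSA uses a random nonce
DETERMINISTIC = {b"ssh-ed25519", b"ssh-rsa"}

def ssh_string(b):  # SSH "string": uint32 length prefix + bytes
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sign_request(key_blob, challenge):
    """Unframed SSH_AGENTC_SIGN_REQUEST body for a public-key blob."""
    ktype, _ = read_string(key_blob, 0)  # key blob starts with its type
    if ktype not in DETERMINISTIC:
        raise ValueError(f"{ktype!r} signatures are randomized; key not reproducible")
    flags = SSH_AGENT_RSA_SHA2_256 if ktype == b"ssh-rsa" else 0
    return (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(challenge) + struct.pack(">I", flags))

def parse_sign_response(msg):
    """Return (signature type, raw signature) or raise on SSH_AGENT_FAILURE."""
    if not msg or msg[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("agent refused to sign")
    sig_blob, _ = read_string(msg, 1)
    sig_type, off = read_string(sig_blob, 0)
    raw_sig, _ = read_string(sig_blob, off)
    return sig_type, raw_sig

def derive_key(signature, salt=b"constructed-salt", info=b"file-key"):
    """HKDF-SHA256 (RFC 5869), one output block: 32-byte symmetric key."""
    prk = hmac.new(salt, signature, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def agent_call(body):
    """Send one framed message to the live agent at SSH_AUTH_SOCK."""
    with socket.socket(socket.AF_UNIX) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        s.sendall(ssh_string(body))
        (n,) = struct.unpack(">I", s.recv(4))
        data = b""
        while len(data) < n:
            data += s.recv(n - len(data))
        return data
```

A caller would run `derive_key(parse_sign_response(agent_call(build_sign_request(blob, challenge)))[1])` with a fixed, stored challenge so the same key comes back on every invocation.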

@str4d
Owner

str4d commented Jan 10, 2021

Aah, darn. In that case, it will need to be part of an age-aware agent, but would still be implemented as a plugin.

@RaitoBezarius

Without re-opening the issue, I am wondering if it is possible to implement a "re-use passphrase" feature in rage, e.g. by intercepting the passphrase and giving it again to further invocations of rage in some way?

I would try to use SSH_ASKPASS to do it properly. It seems like rage supports pinentry programs, but I have not been able to make it use them; it would be nice if there were an AGE_PINENTRY or something, so I can be certain rage is finding the binary I am providing.

@RaitoBezarius

An interesting finding would be to reuse existing infrastructure around keyctl, the kernel keyring and systemd-ask-password if possible, rather than pinentry: https://antofthy.gitlab.io/info/crypto/passwd_input.txt so that it is easy to leverage password caching (with a frontend flag --accept-cached), which would be really cool.
