PrivateKeyCommand config idea

Damien Miller djm at mindrot.org
Sun Mar 10 19:38:44 AEDT 2024


On Fri, 8 Mar 2024, openssh at tr.id.au wrote:

> G'day,
>
> In our infrastructure we're trying to be more diligent about switching
> to sk keys (and/or certs backed by sk keys.) However, there are some
> services like Gerrit and Jenkins which are written in java and I guess
> they will never support sk keys, or at least, it seems like it won't
> happen any time soon.
>
> For such services, typical practices at the moment include putting
> passphrases on the keys using OpenSSH's built-in AES128 encryption,
> and using GnuPG's ssh integration to create gpg-backed keys. These
> existing solutions cause various inconveniences, like needing to
> switch to a different terminal to get the passphrase out of Pass,
> or running into problems when trying to do agent-forwarding with
> gpg-backed keys on non-Linux OSes. Even on Linux, I think such a
> workflow can be a bit flaky at times.
>
> I wondered if there would be support for adding a new configuration
> option called something like PrivateKeyCommand, analogous to existing
> "*Command" configs like AuthorizedKeysCommand. In practice I imagine
> it looks like this:
>
>   Host gerrit.example.com
>      PrivateKeyCommand pass show ssh/gerrit_ed25519
>
> I suppose another possibility for the name could be IdentityCommand,
> analogous to IdentityFile.
>
> If you like, and time permitting, I may be interested in trying to
> implement such a patch -- but before I invest the work, I wondered if
> there would be support for including it, or would it introduce some
> sort of issue that I've probably overlooked?

Would you be able to do this using the ssh-agent protocol? It's
relatively easy to make custom agent implementations for special use
cases, e.g. using https://pkg.go.dev/golang.org/x/crypto/ssh/agent#Agent

-d


More information about the openssh-unix-dev mailing list