WIP: ssh-agent: Implement destination constraints #10252
Conversation
What does this actually do / why does this matter?
It allows restricting access to the SSH agent when forwarded to another host. Let's say I Currently I'm using multiple SSH agents with different keys per client. But that's cumbersome and of course it's not supported by KeePassXC, so it prevents me from keeping my SSH keys in KeePassXC. See also the specification.
Does the "ca" in "is_ca" refer to Certificate Authority?
Yes. I have not done this myself, but apparently instead of relying on long-living host keys that are manually confirmed on first contact, you can use short-living host keys that are signed by a CA. In order to verify the host key you need the CA's public key. So if
Command: ./release-tool i18n lupdate

Signed-off-by: Konrad Gräfe <kgraefe@paktolos.net>

This change adds tests for all KeeAgentSettings fields including their XML conversions by separately:
- verifying the default value,
- changing the current value to something else,
- converting the KeeAgentSettings object to XML,
- converting it back to a second KeeAgentSettings object,
- comparing both objects to be equal and
- verifying that the new value landed in the field of the second KeeAgentSettings object.

Signed-off-by: Konrad Gräfe <kgraefe@paktolos.net>
CI fails because However, how should I proceed with this? I can think of either
This change implements loading ssh-agent destination constraints from KeeAgent.settings into the ssh-agent. For now there is no UI, so configuration must be done in KeePass2/KeeAgent.

The ssh-agent constraint extension is described at [1]. However, I found it partly misleading:
- in the constraint array each constraint is enveloped, whereas in the keyspec arrays the keyspecs are just appended to the constraint.
- each constraint and host has an additional string field reserved for future use.

The actual structure has been obtained from the openssh ssh-add source code [2].

[1]: https://www.openssh.com/agent-restrict.html
[2]: https://github.com/openssh/openssh-portable/blob/3ad669f81aabbd2ba9fbd472903f680f598e1e99/authfd.c#L538

Signed-off-by: Konrad Gräfe <kgraefe@paktolos.net>
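As an added illustration of the layout this commit message describes (my own example, not KeePassXC or OpenSSH code): an encoder and decoder for the restrict-destination-v00@openssh.com constraint that follows the nesting used in openssh-portable authfd.c, where each hop and each constraint gets its own length-prefixed envelope but the keyspecs inside a hop are simply appended with no count. The keyblobs in the test are constructed placeholders, not real keys.

```python
EXT_NAME = b"restrict-destination-v00@openssh.com"
CONSTRAIN_EXTENSION = 0xFF  # SSH_AGENT_CONSTRAIN_EXTENSION

def put_string(s):  # SSH wire 'string': 4-byte big-endian length + payload
    return len(s).to_bytes(4, "big") + s
def get_string(buf, off):  # read one wire string, return (payload, next offset)
    n = int.from_bytes(buf[off:off + 4], "big")
    if off + 4 + n > len(buf): raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def encode_hop(user, host, keys):
    # user, hostname, reserved, then every keyspec (keyblob string + is_ca byte)
    # appended with no envelope of its own; only the whole hop is wrapped.
    hop = put_string(user) + put_string(host) + put_string(b"")
    for keyblob, is_ca in keys:
        hop += put_string(keyblob) + bytes([1 if is_ca else 0])
    return put_string(hop)

def encode_extension(constraints):
    # each constraint (from hop, to hop, reserved) is enveloped separately;
    # the concatenated constraints are wrapped once more as the extension body.
    body = b"".join(put_string(encode_hop(*f) + encode_hop(*t) + put_string(b""))
                    for f, t in constraints)
    return bytes([CONSTRAIN_EXTENSION]) + put_string(EXT_NAME) + put_string(body)

def decode_hop(blob):
    user, off = get_string(blob, 0)
    host, off = get_string(blob, off)
    _, off = get_string(blob, off)  # reserved
    keys = []
    while off < len(blob):  # keyspecs carry no count; they run to the hop's end
        keyblob, off = get_string(blob, off)
        if off >= len(blob): raise ValueError("keyspec missing is_ca byte")
        keys.append((keyblob, blob[off] == 1))
        off += 1
    return user, host, keys

def decode_extension(msg):
    name, off = get_string(msg, 1)
    if msg[0] != CONSTRAIN_EXTENSION or name != EXT_NAME:
        raise ValueError("not a destination constraint extension")
    body, _ = get_string(msg, off)
    out, off = [], 0
    while off < len(body):
        c, off = get_string(body, off)  # one enveloped constraint
        frm, o = get_string(c, 0)
        to, o = get_string(c, o)
        get_string(c, o)  # reserved
        out.append((decode_hop(frm), decode_hop(to)))
    return out
```

Round-tripping a constraint list through encode_extension and decode_extension is a cheap check that a client such as KeeAgent-style settings loading produces bytes the agent will parse.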
This change implements loading ssh-agent destination constraints from KeeAgent.settings into the ssh-agent. For now there is no UI, so configuration must be done in KeePass2/KeeAgent.
The ssh-agent constraint extension is described at 1. However, I found it partly misleading:
TODO:
Fixes #9801