WIP: ssh-agent: Implement destination constraints #10252
Conversation
|
What does this actually do / why does this matter? |
It allows restricting access to the SSH agent when forwarded another host. Let's say I Currently I'm using multiple SSH agents with different keys per client. But that's cumbersome and of course it's not supported by KeepassXC so it prevents me from keeping my SSH keys in KeepassXC. see also the specification |
kgraefe
force-pushed
the
feature/ssh-agent-destination-contraints
branch
from
5ec70c3
to
34d0a9b
Compare
|
Does does the ca in "is_ca" refer to Certificate Authority? |
yes. I have not done this myself but apparently instead of relying on long-living host keys that are manually confirmed on first contact, you can use short-living host keys that are signed by a CA. In order to verify the host key you need the CA's public key. So if |
kgraefe
force-pushed
the
feature/ssh-agent-destination-contraints
branch
2 times, most recently
from
0497ce7
to
4edabff
Compare
Command: ./release-tool i18n lupdate Signed-off-by: Konrad Gräfe <kgraefe@paktolos.net>
This change adds testing all KeeAgentSettings fields including their XML conversions by separately: - verifying the default value, - change the current to something else, - convert the KeeAgentSettings object to XML, - convert it back to a second KeeAgentSettings object, - compare both objects to be equal and - verify that the new value landed in the field of the second KeeAgentSettings object. Signed-off-by: Konrad Gräfe <kgraefe@paktolos.net>
kgraefe
force-pushed
the
feature/ssh-agent-destination-contraints
branch
from
4edabff
to
58bf74c
Compare
|
CI fails because However, how should I proceed with this? I can think of either
|
kgraefe
force-pushed
the
feature/ssh-agent-destination-contraints
branch
2 times, most recently
from
e6ff96b
to
95f9e59
Compare
This change implements loading ssh-agent destination constraints from KeeAgent.settings into the ssh-agent. For now there is no UI so configuration must be done in KeePass2/KeeAgent. The ssh-agent constrain extension is described at [1]. However, I found it partly misleading: - in the constaint array each constraint is enveloped where in the keyspec arrays the keyspec are just appended to the constraint. - each constraint and host has an additional string field reserved for future use. The actual structure has been obtained from openssh ssh-add source code [2]. [1]: https://www.openssh.com/agent-restrict.html [2]: https://github.com/openssh/openssh-portable/blob/3ad669f81aabbd2ba9fbd472903f680f598e1e99/authfd.c#L538 Signed-off-by: Konrad Gräfe <kgraefe@paktolos.net>
Signed-off-by: Konrad Gräfe <kgraefe@paktolos.net>
kgraefe
force-pushed
the
feature/ssh-agent-destination-contraints
branch
from
95f9e59
to
55c6cd2
Compare
Signed-off-by: Konrad Gräfe <kgraefe@paktolos.net>
This change implements loading ssh-agent destination constraints from KeeAgent.settings into the ssh-agent. For now there is no UI so configuration must be done in KeePass2/KeeAgent.
The ssh-agent constrain extension is described at 1. However, I found it partly misleading:
TODO:
Fixes #9801
Screenshots
Testing strategy
Type of change