Mic92 / ssh-to-age

Convert SSH Ed25519 keys to age keys. This is useful for usage in sops-nix and sops
MIT License
105 stars 7 forks

Support `-sk` versions of ed25519 keys. #25

Closed soupglasses closed 1 year ago

soupglasses commented 1 year ago

When attempting to use ssh-to-age with an ed25519-sk based key, it will result in the following error:

skipped key: got sk-ssh-ed25519@openssh.com key type, but only ed25519 keys are supported

soupglasses commented 1 year ago

Using sk-ssh-ed25519@openssh.com as the start of the key instead of ssh-ed25519-sk results in a different error:

failed to convert 'sk-ssh-ed25519@openssh.com (... snip ...)': failed to parse ssh public key: illegal base64 data at input byte 4

Mic92 commented 1 year ago

Maybe the keytype needs to be added here: https://github.com/Mic92/ssh-to-age/blob/9610d46f8f3cf0e7535570573d4f4cae50e5e31b/convert.go#L108

Here are the supported algorithms: https://pkg.go.dev/golang.org/x/crypto/ssh#pkg-constants

Note that I don't think this can work in combination with sops, which I think does not have support for yubikeys yet.
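As an added stand-alone illustration of the two points above (not ssh-to-age's own code, which parses keys with the golang.org/x/crypto/ssh package linked earlier rather than the hand-rolled wire parsing here), this Go program accepts both key types from the thread and derives the X25519 key that an age recipient is built from. The function names are mine, and the two sample lines are constructed around the Ed25519 base point rather than anyone's real key; the sk line only differs from the plain one by its type string and a trailing FIDO application field, which is why the public half converts just like a plain key while the private half, which stays on the authenticator, cannot become an age identity.

```go
package main
import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
	"strings"
)

// Constructed sample lines (nobody's real key): both carry the Ed25519 base point, 0x58 then 31 x 0x66; the sk line also carries the FIDO application "ssh:".
const (
	PlainLine = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZm demo"
	SkLine    = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFhmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmAAAABHNzaDo= demo"
)
// ParsePublicKeyLine accepts plain and sk Ed25519 keys and returns the key type plus the raw 32-byte point; any other type gets the message ssh-to-age itself prints.
func ParsePublicKeyLine(line string) (string, []byte, error) {
	f := append(strings.Fields(line), "", "") // pad so f[0] and f[1] always exist
	if f[0] != "ssh-ed25519" && f[0] != "sk-ssh-ed25519@openssh.com" {
		return "", nil, fmt.Errorf("got %s key type, but only ed25519 keys are supported", f[0])
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil {
		return "", nil, fmt.Errorf("failed to parse ssh public key: %w", err)
	}
	// Wire layout: string type, string point[, string application for sk keys]; each string is a uint32 big-endian length plus bytes, so the point's length prefix sits at n.
	n := 4 + len(f[0])
	if len(blob) < n+36 || binary.BigEndian.Uint32(blob) != uint32(len(f[0])) ||
		string(blob[4:n]) != f[0] || binary.BigEndian.Uint32(blob[n:]) != 32 {
		return "", nil, fmt.Errorf("malformed %s blob", f[0])
	}
	return f[0], blob[n+4 : n+36], nil // a trailing sk application string stays unread
}
func rev(b []byte) []byte { // little-endian wire encoding <-> math/big big-endian bytes
	r := make([]byte, len(b))
	for i, v := range b {
		r[len(b)-1-i] = v
	}
	return r
}
// Ed25519ToX25519 maps Edwards y to Montgomery u = (1+y)/(1-y) mod 2^255-19 (RFC 7748 section 4.1): the X25519 public key age uses as a recipient. No on-curve check is done.
func Ed25519ToX25519(point []byte) ([]byte, error) {
	p := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19))
	y := new(big.Int).SetBit(new(big.Int).SetBytes(rev(point)), 255, 0) // drop x sign bit
	den := new(big.Int).Mod(new(big.Int).Sub(big.NewInt(1), y), p)
	if den.Sign() == 0 {
		return nil, fmt.Errorf("y = 1 (the identity point) has no Montgomery u")
	}
	u := new(big.Int).Mul(new(big.Int).Add(big.NewInt(1), y), den.ModInverse(den, p))
	return rev(u.Mod(u, p).FillBytes(make([]byte, 32))), nil
}
```

For both sample lines the result is the X25519 base point (u = 9, little-endian); age would then bech32-encode those 32 bytes as an `age1...` recipient string, which is left out here.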

soupglasses commented 1 year ago

Well, sops takes in the generated public/private age keys that ssh-to-age creates. So the input used to generate them would not matter, whether it was an ssh-ed25519-sk key or an ssh-ed25519 key, as both should build down to age keys that sops can use?

Mic92 commented 1 year ago

Correct for the public key, but if the private key is stored on a yubikey then you cannot decrypt sops files with it afterwards, since sops is not using the ssh agent for its crypto operations but rather expects an age private key (which cannot be generated with ssh-to-age).

soupglasses commented 1 year ago

Yeah. I think having the solution for this case be https://github.com/str4d/age-plugin-yubikey or simply GPG-based secrets would be easier to support with yubikeys as a whole, even if the ssh key is using the correct key type to support ssh-to-age.

Mic92 commented 1 year ago

Those plugins are not supported yet: https://github.com/mozilla/sops/issues/1103. I have not checked how age implements it yet, so I cannot tell yet what sops needs to do (it also uses the age library interface for decrypting).

BrokenStandards commented 1 year ago

I checked; all of age's code handling plugins is in age/cmd. The plugin interface is still marked as internal. Sops probably can't really do anything without being hacky atm, like stealing the interfaces from cmds/plugins or outright calling age cmds.

If you want to take a look I would start at age/cmd/age/parse.go. parseRecipient and parseIdentity are the dispatcher functions. The plugin takes/is passed a client ui (so it can do things like pin entry and whatever) and cmd creates a pluginTerminalUI to handle that.

I'm not familiar enough with sops to know if that is actually a problem. But a cursory look suggests it is. Only pgp seems to handle password prompts. Azkv explicitly mentions not having support for it until they figure out how to handle it. So I guess no standard input method has been developed. I imagine they would want to pass in their own clientUI or a wrapper around pinentry one day in the future. But regardless, I doubt anything is coming until the plugin interface is no longer internal.

soupglasses commented 1 year ago

Yeah, I agree using the Yubikey's pgp functionality is the way to go here, instead of trying to translate a -sk key to age, when pgp functionality (with ed25519 support) is already built into the Yubikey.