dlech / KeeAgent

ssh agent plugin for KeePass 2.x
http://lechnology.com/software/keeagent

Support OpenSSH 8.9 destination constraints. #296

Closed korrone closed 2 years ago

korrone commented 4 years ago

Hi, I just set up putty with KeePass/KeeAgent to log in to my server box. All works fine except this one little thing: I have several users with each having their own keys plus my administrative account (root). As an Administrator I have all those user-keys in my KeePass database and profiles for each user account with their respective user-ID configured in putty. Is there an easy way to tell KeeAgent the user-ID from putty so that the agent returns immediately the appropriate key instead of giving me the list of keys to select the appropriate one manually? (Sometimes I want to act as the user instead of being administrator. I know I could su)

codewing commented 4 years ago

I think the currently preferred way of setting up this behavior would be this: https://keeagent.readthedocs.io/en/stable/usage/tips-and-tricks.html

I think it would be incredibly useful if we could specify username@server combinations for each ssh key in their respective config instead of this somewhat tedious process.

bootstrap-prime commented 2 years ago

It would be a good idea to check out the new ssh-add functionality coming in OpenSSH 8.9; it will support this workflow. From https://www.openssh.com/agent-restrict.html:

OpenSSH 8.9 will include an experimental set of agent restrictions that meet the above requirements, though with some caveats (discussed below). These are built around some two simple agent protocol extensions and a small modification to the public key authentication protocol.

These extensions allow the user to add destination constraints to keys they add to a ssh-agent and have ssh enforce them. For example, this command:

    $ ssh-add -h "perseus@cetus.example.org" \
        -h "scylla.example.org" \
        -h "scylla.example.org>medea@charybdis.example.org" \
        ~/.ssh/id_ed25519

Adds a key that can only be used for authentication in the following circumstances:

- From the origin host to scylla.example.org as any user.
- From the origin host to cetus.example.org as user perseus.
- Through scylla.example.org to host charybdis.example.org as user medea.

Could an implementer investigate this, and coordinate with https://github.com/keepassxreboot/keepassxc/issues/1721?
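To make the quoted `-h` syntax concrete, here is a small Python model of how the three constraints in that ssh-add example gate key use. It is an added illustration, not OpenSSH or KeeAgent code: the `ORIGIN` sentinel and the name-based host matching are simplifications (the real agent identifies hosts by their host keys), and `Constraint`, `parse_constraint` and `hop_permitted` are names chosen here.

```python
"""Toy model of OpenSSH 8.9 destination constraints (added example, not project code).

Each -h argument has the form "[from_host>][user@]to_host".  Omitting the
"from_host>" part means the hop starts on the host running the agent; omitting
"user@" means any user on the destination.  Real ssh-agent identifies hosts by
their host keys; this model compares host names only, as a simplification.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

ORIGIN = "<origin>"  # sentinel for the host where the agent runs (assumption)


@dataclass(frozen=True)
class Constraint:
    from_host: str        # ORIGIN when the spec has no "from_host>" prefix
    user: Optional[str]   # None means any user on to_host
    to_host: str


def parse_constraint(spec: str) -> Constraint:
    """Parse one -h value, e.g. 'scylla.example.org>medea@charybdis.example.org'."""
    from_host, sep, dest = spec.partition(">")
    if not sep:                       # no '>': hop originates on this host
        from_host, dest = ORIGIN, spec
    user, sep, to_host = dest.partition("@")
    if not sep:                       # no '@': any user on the destination
        user, to_host = None, dest
    if not from_host or not to_host:
        raise ValueError(f"malformed destination constraint: {spec!r}")
    return Constraint(from_host, user, to_host)


def hop_permitted(constraints: Iterable[Constraint], from_host: str,
                  user: str, to_host: str) -> bool:
    """True if some constraint allows authenticating from from_host to user@to_host."""
    return any(c.from_host == from_host and c.to_host == to_host
               and (c.user is None or c.user == user)
               for c in constraints)


# The three constraints from the ssh-add command quoted above (constructed input).
EXAMPLE = [parse_constraint(s) for s in (
    "perseus@cetus.example.org",
    "scylla.example.org",
    "scylla.example.org>medea@charybdis.example.org",
)]

if __name__ == "__main__":
    print(hop_permitted(EXAMPLE, ORIGIN, "anyone", "scylla.example.org"))                 # True
    print(hop_permitted(EXAMPLE, ORIGIN, "root", "cetus.example.org"))                    # False
    print(hop_permitted(EXAMPLE, "scylla.example.org", "medea", "charybdis.example.org"))  # True
    print(hop_permitted(EXAMPLE, ORIGIN, "medea", "charybdis.example.org"))               # False
```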

dlech commented 2 years ago

support for destination constraints has been added in https://github.com/dlech/KeeAgent/releases/tag/v0.13.1