hakoerber / git-repo-manager

A git tool to manage worktrees and integrate with GitHub and GitLab
https://hakoerber.github.io/git-repo-manager/
GNU General Public License v3.0
62 stars, 9 forks

Cloning with authentication via FIDO2 SSH security key fails #68

Open stepanstipl opened 3 months ago

stepanstipl commented 3 months ago

Cloning git repo while using FIDO2 security key (Yubikey 5c)^1 for authentication fails with the following error:

stepan@x> grm repos sync config --config "grm.yml"
[⚙] Cloning into "/Users/stepan/Projects/xxx" from "git@github.com:abc/xxx.git"
[✘] xxx: Repository failed during clone: remote rejected authentication: Failed getting response; class=Ssh (23); code=Auth (-16)

I'm using Yubikey configured in native FIDO2 security key mode for authentication, via ssh-agent. Cloning the same repo directly with git clone command works fine.

I'm guessing that the issue is that the key requires touch (this is mandatory, GitHub currently does not support using keys without user presence confirmation). It will not fail immediately, but hang for a while. I.e. it seems like it's waiting for the touch confirmation until some timeout.

With normal git clone the command will print an interactive prompt, e.g.:

Confirm user presence for key ED25519-SK SHA256:[SHA_REDACTED]

and wait for user touching the key. Once done, it will print confirmation:

User presence confirmed

I'm using grm 0.7.15.

hakoerber commented 2 months ago

Phew, I guess you'd have to configure libgit2 for interactive cloning. I guess this would involve some callbacks in git-rs' RepoBuilder::fetch_options. See also RemoteCallbacks. I will not be able to tackle that in the near future, maybe you can give it a shot?

As a sidenote: What would your workflow look like? If you clone a lot of repositories, you'd have to touch your Yubikey for each one. I guess you are using private repositories (or have --force-ssh set), otherwise cloning would use HTTPS. I have the same problem with a bunch of private repos, and no good idea how to solve it.
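Until grm wires up libgit2 callbacks, a practical stopgap is to detect up front whether a clone will need a touch prompt and route those repositories through system git, which can display "Confirm user presence". The script below is an added example, not code from grm or from either participant: the function names are made up, and the `ssh-add -L` listing is constructed with fake key material. It assumes only that OpenSSH reports FIDO2-backed keys with an `sk-` type prefix (`sk-ssh-ed25519@openssh.com`, `sk-ecdsa-sha2-nistp256@openssh.com`) and that any such key in the agent may be offered to the server, so the presence of one is treated conservatively as "interactive clone required".

```shell
#!/bin/sh
# Added example (not part of grm or this thread). Decides whether a clone can
# go through a non-interactive libgit2 backend or should use system git, which
# prompts "Confirm user presence" when an sk-* (FIDO2) key is selected.

# Constructed sample of `ssh-add -L` output: one plain ed25519 key and one
# FIDO2-backed key. The base64 material is fake and not a real public key.
SAMPLE_AGENT_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterial00000000000000000000000 laptop
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFakeKeyMaterial00000000000= yubikey'

# True when the remote URL is fetched over SSH: explicit ssh:// / git+ssh://
# schemes, or the scp-like form git@github.com:org/repo.git. http(s) and
# file URLs are excluded first so "https://user@host:443/x" is not mistaken
# for scp-like syntax.
is_ssh_url() {
    case "$1" in
        http://*|https://*|file://*) return 1 ;;
        ssh://*|git+ssh://*)         return 0 ;;
        *@*:*)                       return 0 ;;
        *)                           return 1 ;;
    esac
}

# Count keys in an `ssh-add -L` style listing whose type requires user
# presence. OpenSSH FIDO2 key types all carry the "sk-" prefix.
count_sk_keys() {
    printf '%s\n' "$1" | awk '$1 ~ /^sk-/ { n++ } END { print n + 0 }'
}

# Print "system-git" when the clone may block on a touch prompt (SSH transport
# and at least one sk-* key loaded), "libgit2" otherwise.
# Arguments: remote URL, agent key listing (output of `ssh-add -L`).
choose_clone_backend() {
    url=$1
    keys=$2
    if is_ssh_url "$url" && [ "$(count_sk_keys "$keys")" -gt 0 ]; then
        echo system-git
    else
        echo libgit2
    fi
}

# Demonstration on the constructed listing: an SSH remote with an sk-* key
# present is routed to system git; an HTTPS remote is not.
choose_clone_backend 'git@github.com:abc/xxx.git' "$SAMPLE_AGENT_KEYS"
choose_clone_backend 'https://github.com/abc/xxx.git' "$SAMPLE_AGENT_KEYS"
```

In a real wrapper you would feed `choose_clone_backend` the live output of `ssh-add -L` and run `git clone "$url" "$dest"` for the `system-git` case so the touch prompt appears on the terminal. The check is deliberately conservative: ssh offers agent keys in order and a non-sk key accepted first would not need a touch, but a hang on the libgit2 path is the worse failure, so any sk-* key triggers the interactive route.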

stepanstipl commented 4 weeks ago

Thanks for looking at this @hakoerber, and for the pointers. I'm not proficient with Rust, although I have wanted to have a closer look for a while (I guess this might be a good opportunity 🤣).

Yes, I'm using private repos, and as mentioned, GitHub only allows keys with mandatory touch. Good point about requiring multiple touches for each repo; that is certainly a bummer and I don't have a good answer for that. Ideal would be something like ykman openpgp set-touch sig cached 1, unfortunately that only works for GPG keys at the moment.