kryptco / kr

DEPRECATED: A dev tool for SSH auth + Git commit/tag signing using a key stored in Krypton.
https://krypt.co/developers/

Adding of the krypton ssh key by default to existing ssh-agent #278

Open nicolaevladescu opened 5 years ago

nicolaevladescu commented 5 years ago

Hello.

My use case: a bastion VM as a personal host, just so that I can have a static IP (my home ISP does not provide one) which is whitelisted to access the edge hosts that belong to my client and use different private keys. I don't want my private Krypton key to end up on the edge machines in any way, just use it to get to the bastion, and add only the edge client keys to ssh-agent.

Right now it looks like it gets added automatically to my spawned ssh-agent.

eval $(ssh-agent)
ssh-add /path/to/specific/key/of/edge/hosts
ssh-add -L
(shows only the key I just added)
ssh -A bastion
ssh-add -L
(shows the key I just added and my Krypton key)

Can I disable the default forwarding of the Krypton key?

FernandoMiguel commented 5 years ago

Just modify your .ssh/config to forward or not forward your key to the agent

nicolaevladescu commented 5 years ago

Hi @FernandoMiguel, I don't follow your suggestion, can you elaborate?

FernandoMiguel commented 5 years ago

Take for example my ssh config file:

Host github.com
    User git
    PreferredAuthentications publickey
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton

Host *.REDACTED
    User root
    StrictHostKeyChecking no
    PreferredAuthentications publickey
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/fm_ed25519
    IdentityFile ~/.ssh/id_krypton

# Added by Krypton
Host *
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton

Each config there has its own key. It can also forward the key to the remote agent. Just add a block for your bastion host.

nicolaevladescu commented 5 years ago

Hi.

What I want to achieve is to use the Krypton key for ssh -A user@bastion.host and have an ssh-agent running to which I ssh-add one or more specific keys, but not the Krypton key. I don't have a problem with adding keys to ssh-agent; I have a problem with excluding the Krypton key, which adds itself to the ssh-agent without me adding it manually using ssh-add.

FernandoMiguel commented 5 years ago

Then exclude the * block. It's the one sending your key.

nicolaevladescu commented 5 years ago

Excerpt from the ssh-agent manual:

The agent initially does not have any private keys. Keys are added using ssh-add(1). When executed without arguments, ssh-add(1) adds the files ~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity. If the identity has a passphrase, ssh-add(1) asks for the passphrase (using a small X11 application if running under X11, or from the terminal if running without X). It then sends the identity to the agent. Several identities can be stored in the agent; the agent can automatically use any of these identities. ssh-add -l displays the identities currently held by the agent.

I am adding a specific key giving it its full path using ssh-add, which program or command from the following block does this adding part automatically?

# Added by Krypton
Host *
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton

I understand what you are suggesting, but I don't see the logic or docs behind your suggestions unless you have some insight on krssh. If you do, please explain.
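For each keyword, ssh keeps the first value it obtains while scanning ~/.ssh/config top to bottom (IdentityFile is the exception and accumulates), so the "Added by Krypton" Host * block supplies IdentityAgent and ProxyCommand for every host that has no earlier block setting them. The following is an added example, not code from kr or from anyone in this thread: a simplified resolver that shows which block wins for a hostname; the Host bastion.host block and the hostnames bastion.host and edge1.host are constructed, and the Krypton block is the one quoted above. On a real client, ssh -G bastion.host prints the values the actual ssh binary resolves.

```python
import fnmatch

# Keywords whose values accumulate across matching blocks; every other
# keyword keeps the FIRST value obtained (ssh_config "first match wins").
ACCUMULATING = {"identityfile"}

def resolve_ssh_config(config_text, hostname):
    """Options ssh would obtain for hostname, scanning top to bottom.
    Simplified: Host patterns with * and ? plus '!' negation only;
    Match blocks, Include and %-tokens are not handled."""
    options = {}
    active = True  # lines before the first Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            pats = value.split()
            hit = any(fnmatch.fnmatchcase(hostname, p) for p in pats if p[0] != "!")
            neg = any(fnmatch.fnmatchcase(hostname, p[1:]) for p in pats if p[0] == "!")
            active = hit and not neg
        elif active:
            if keyword in ACCUMULATING:
                options.setdefault(keyword, []).append(value)
            else:
                options.setdefault(keyword, value)  # first value wins
    return options

# The block Krypton appends to ~/.ssh/config, copied from the thread above.
KRYPTON_BLOCK = """\
# Added by Krypton
Host *
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton
"""

# Constructed example: an explicit bastion block. Placed ABOVE the Krypton
# block, its IdentityAgent is obtained first and wins for bastion.host only;
# SSH_AUTH_SOCK means "use the agent from the environment variable".
BASTION_BLOCK = """\
Host bastion.host
    IdentityAgent SSH_AUTH_SOCK
    IdentityFile ~/.ssh/id_rsa
"""

def agent_for(hostname, config_text):
    """Which agent socket the resolved config selects for hostname."""
    return resolve_ssh_config(config_text, hostname).get("identityagent")
```

With only the Krypton block, agent_for("bastion.host", KRYPTON_BLOCK) resolves to ~/.kr/krd-agent.sock; prepending BASTION_BLOCK changes it to SSH_AUTH_SOCK for bastion.host while edge1.host still resolves to the Krypton socket.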

nicolaevladescu commented 5 years ago

Replacing the Krypton ssh key with a local key.

Scenario: log in to edge1.host via bastion.host using ssh-agent.

id_rsa private key with pub key on bastion.host
id_ed25519 private key with pub key on edge1.host

I have tested with just this stanza in ~/.ssh/config:

Host *
        IdentityFile ~/.ssh/id_rsa

Then I do the following on my machine:

$ eval $(ssh-agent)
Agent pid 76029
$ printenv | grep -i ssh_
SSH_AGENT_PID=76029
SSH_AUTH_SOCK=/var/folders/<redacted>/agent.76028
$ ssh-add -L
The agent has no identities.
$ ssh-add ~/.ssh/id_ed25519
$ ssh-add -L
ssh-ed25519 <redacted> user@MacBook-Pro.local
$ ssh -A user@bastion.host

Commands run on bastion.host:

$ ssh-add -L
ssh-ed25519 <redacted> user@MacBook-Pro.local
ssh user@edge1.host

There are no other keys in ssh-agent except the one I added manually, even though my ~/.ssh/config is similar to what kr is setting up. Also, I successfully log in on edge1.host using id_ed25519 from ssh-agent, but using id_rsa to log in to bastion.host.

So there must be something kr or krssh is doing that adds its key to the ssh-agent.

nicolaevladescu commented 5 years ago

Ok, so I retested everything using kr and now it seems that ONLY the Krypton key gets added to ssh-agent when I do ssh-add -L on bastion.host.