maxgoedjen / secretive

Store SSH keys in the Secure Enclave
MIT License

Support for certificates and TrustedUserCAKeys #452

Closed chriseldredge closed 1 year ago

chriseldredge commented 1 year ago

I have a scenario where I want my private key to be managed in a secure enclave by secretive, and I want to be able to include a signed certificate for my public key in my agent forwarding.

For example, when I configure using standard OpenSSH ssh-agent, I see this in ssh-add -l:

ssh-add -l
256 SHA256:xyz user@example.com (ECDSA)
256 SHA256:xyz user@example.com (ECDSA-CERT)

But when I use Secretive, I don't see any way to include a certificate. So I only see:

ssh-add -l
256 SHA256:xyz user@example.com (ECDSA)

In practice this means that agent forwarding cannot work with hosts configured to use TrustedUserCAKeys.

Can secretive be somehow configured to support including certificates in available identities?

chriseldredge commented 1 year ago

Upon closer inspection of the source code, it looks like this is already supported to some extent, but not documented and not without some friction.

The Secretive UI says that my public key exists on disk at e.g. /Users/me/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/<handle>.pub, but the PublicKeys directory was not present. If I manually create this directory before creating a key, then the public key will be written to this location.

Further, if I get that key signed and place the certificate adjacent in /Users/me/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/<handle>-cert.pub, then ssh-add -l will show this certificate in the list of identities. However, instead of appending the certificate to the list, it replaces the keypair.

This doesn't work in my environment. My ssh server needs a keypair and certificate to authenticate me. I can force this to work by using ssh -i /Users/me/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/<handle>.pub and letting it discover the certificate via the agent, but this is cumbersome.

It would be nice if Agent.identities() did not choose either/or, but included both like the standard OpenSSH agent does.

Finally, I have an automated process that produces new certificates in ~/.ssh/ and I'd prefer not to have to modify or extend it to instead write to ~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys. It would be nice if this location were configurable.
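A small check for the `ssh-add -l` behaviour described in this thread, added here as an example (it is not part of the issue or of Secretive's code): it groups the agent's identities by fingerprint and reports keys that have no certificate loaded, and certificates that appear without their bare key (the "replaces the keypair" case above). The sample listings are constructed.

```python
import re
from collections import defaultdict

# One line of `ssh-add -l` output, e.g. "256 SHA256:xyz user@example.com (ECDSA-CERT)".
# The comment is optional; the key type is always the final parenthesised word.
_LINE = re.compile(
    r"^(?P<bits>\d+)\s+(?P<fp>\S+)(?:\s+(?P<comment>.*?))?\s+\((?P<type>[^)]+)\)\s*$"
)

def parse_identities(listing):
    """Parse `ssh-add -l` text into (fingerprint, key_type, comment) tuples."""
    ids = []
    for line in listing.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # blank lines, "The agent has no identities.", etc.
        ids.append((m.group("fp"), m.group("type"), m.group("comment") or ""))
    return ids

def pairing_report(listing):
    """Return {fingerprint: {"key": bool, "cert": bool}}.

    OpenSSH lists a certificate under the fingerprint of the key it wraps,
    with "-CERT" appended to the type, so key and cert pair up by fingerprint.
    """
    report = defaultdict(lambda: {"key": False, "cert": False})
    for fp, ktype, _comment in parse_identities(listing):
        report[fp]["cert" if ktype.endswith("-CERT") else "key"] = True
    return dict(report)

def keys_without_cert(listing):
    """Keys the agent offers with no matching certificate (TrustedUserCAKeys hosts will reject these)."""
    return sorted(fp for fp, s in pairing_report(listing).items() if s["key"] and not s["cert"])

def certs_without_key(listing):
    """Certificates offered without the bare key, i.e. the cert replaced the keypair."""
    return sorted(fp for fp, s in pairing_report(listing).items() if s["cert"] and not s["key"])

# Constructed samples: the stock OpenSSH agent (key + cert) and the cert-only listing.
SAMPLE_OPENSSH = "256 SHA256:xyz user@example.com (ECDSA)\n256 SHA256:xyz user@example.com (ECDSA-CERT)\n"
SAMPLE_CERT_ONLY = "256 SHA256:abc user@example.com (ECDSA-CERT)\n"

if __name__ == "__main__":
    print(pairing_report(SAMPLE_OPENSSH))
    print("cert without key:", certs_without_key(SAMPLE_CERT_ONLY))
```

Run it against real output with `ssh-add -l | python3 check_agent.py` style piping if you replace the samples with `sys.stdin.read()`.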