search

maxgoedjen / secretive

Store SSH keys in the Secure Enclave
MIT License
6.99k stars 155 forks source link

Make it possible to get a public key from the name chosen in Secretive via shell/CLI #499

Open ari-becker opened 6 months ago

ari-becker commented 6 months ago

At the moment, ssh-add -l only shows the hash of the keys added via Secretive, but no metadata (like the name of the key). The data under ~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys is junk.

If I want to write a script that adds a particular key to the remote, then I need to already know the fingerprint of the key I created, which is less convenient than having a convention for key names and fetching the correct key via its name.

maxgoedjen commented 6 months ago

Hey @ari-becker there's a few reasons for this right now:

Overall, basically Secretive is not designed to be managed from a CLI currently. A few people have requested that over the years so it's kind of on my radar, although not with any particular timetable now. If you have specific thoughts on what an ideal CLI interface for your specific use case would be, I'd be interested in hearing it.

ari-becker commented 6 months ago

@maxgoedjen 

* The hash is the canonical unique identifier for the secret. Other fields (particularly names) do not have uniqueness constraints, so it's entirely possible and valid to have two keys with the same name right now (whether or not that was a good idea is certainly debatable, but that is a setup people do have in the wild right now)

Ah, I see.

Overall, basically Secretive is not designed to be managed from a CLI currently. A few people have requested that over the years so it's kind of on my radar, although not with any particular timetable now. If you have specific thoughts on what an ideal CLI interface for your specific use case would be, I'd be interested in hearing it.

Basically I'm trying to write a bootstrap / new-hire / new-laptop kind of script, something like:

brew install secretive
secretive create-new-key --username "$(whoami)" --label "super-special-bootstrap"
gcloud compute os-login ssh-keys add --key-file=$(secretive get-key-file --username "$(whoami)" --label "super-special-bootstrap")

But at the moment this appears to be a non-automatable segment, where I need to ask the user to go do some stuff manually, which is kind of a bummer and more likely to fail compared to running ssh-keygen directly (which is less secure than Secretive).

torarnv commented 5 months ago

I was looking at this today, trying to use ssh-copy-id to copy my public key to another machine. There's two issues right now:

Having to give Terminal.app/iTerm2.app full access to other applications is not ideal, as it means any other process that you run in the terminal (or any of its children) also have that access to these apps.

A solution that might solve this is to add an option in Secretive to write the public key (and empty private key) into ~/.ssh. This would require letting the user choose the location via a file dialog, which then gives Secretive access to that folder. The access can be persisted and shared between the Secretive agent and UI via bookmarks, as described here.

Has this been considered?

martinpaljak commented 5 months ago

For the original issue of mapping key labels to keys, adding the key name as comment to the .pub file the same way it is in the copy-enabled screen section of Secretive could help, and be easy to accomplish ? grep -l $keyname /Users/$USER/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/*.pub