pyinfra-dev / pyinfra

pyinfra turns Python code into shell commands and runs them on your servers. Execute ad-hoc commands and write declarative operations. Target SSH servers, local machine and Docker containers. Fast and scales from one server to thousands.
https://pyinfra.com
MIT License

Support for Kryptonite ssh keys #306

Open drcongo opened 4 years ago

drcongo commented 4 years ago

Hello. I'm very interested in this project as I'd love to replace all our infrastructure DSL stuff with Python that I can reason about and debug. However I think I hit an issue at the first hurdle - my personal ssh key is stored in Kryptonite, which means that in my ~/.ssh/config I have a section like this...

# Added by Krypton
Host *
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton
    IdentityFile ~/.ssh/id_ed25519
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_ecdsa
    IdentityFile ~/.ssh/id_dsa

This section forwards ssh key requests to a local process, which then requests authorisation from my iPhone. When I try the getting started demo from the docs (inventory and deploy files) I get this...

    Attempting to work in a virtualenv.
    If you encounter problems, please install pyinfra inside the virtualenv.

--> Loading config...
--> Loading inventory...

--> Connecting to hosts...
    [MY.SERVER.IP.ADDRESS] Could not connect ([Errno 2] No such file or directory: '/Users/myuser/.ssh/id_krypton')
--> pyinfra error: No hosts remaining!

So it looks like it's not following the ProxyCommand in ~/.ssh/config.

Fizzadar commented 4 years ago

Hmm - so the ProxyCommand should be being followed (implemented here). I think the issue is pyinfra is trying to load up the first IdentityFile - does ~/.ssh/id_krypton exist on disk? Commenting out the identity file lines will confirm as it should at least connect.

drcongo commented 4 years ago

~/.ssh/id_krypton doesn't exist on disk, only on my phone. The public key exists in ~/.ssh/ but not the private.

I realise this is very niche though, so don't worry too much about it. If I find some time I might have a go at fixing it myself.

drcongo commented 4 years ago

I've done some digging on this now. As far as I can tell it's the IdentityAgent that's getting ignored. The ProxyCommand does seem to be doing what it's supposed to, but because the IdentityAgent is never queried the ProxyCommand doesn't know how to authenticate.

I've been trying to get a connection directly in Paramiko but failing there too, so this might be an upstream issue.

Fizzadar commented 4 years ago

Looking at Paramiko's code it does offer a bunch of agent classes (http://docs.paramiko.org/en/stable/api/agent.html). Need to investigate further but it looks like something in there might enable using IdentityAgent.

JokerQyou commented 9 months ago

Seems like paramiko currently does not support IdentityAgent, see https://github.com/paramiko/paramiko/issues/2315
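A stdlib-only preflight check, added here and not code from pyinfra or Paramiko, that resolves the options ssh_config would apply to a host and reports whether a missing IdentityFile is expected because an IdentityAgent is configured (the failure mode diagnosed in this thread). The config text is constructed from the block quoted above; Match and Include directives are assumed absent and are not handled.

```python
import fnmatch
import os

# Constructed sample: the Krypton-style block quoted in the issue.
SAMPLE_CONFIG = """
# Added by Krypton
Host *
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton
    IdentityFile ~/.ssh/id_ed25519
"""


def lookup_host(config_text, hostname):
    """Resolve the options ssh_config applies to hostname.

    Follows OpenSSH precedence: the first value seen wins for scalar
    keys, while IdentityFile entries accumulate in order.
    """
    opts = {"identityfile": []}
    active = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            # A Host line may list several patterns; any match activates it.
            active = any(fnmatch.fnmatch(hostname, p) for p in value.split())
        elif active:
            if key == "identityfile":
                opts["identityfile"].append(value)
            else:
                opts.setdefault(key, value)
    return opts


def preflight(opts, exists=os.path.exists):
    """Check which configured private keys exist on disk.

    With an IdentityAgent the agent holds the private key, so a missing
    IdentityFile is expected and the client must not open it directly.
    """
    paths = [os.path.expanduser(p) for p in opts["identityfile"]]
    missing = [p for p in paths if not exists(p)]
    agent_backed = "identityagent" in opts
    return {"missing": missing, "agent_backed": agent_backed,
            "ok": agent_backed or not missing}
```

Run against a real ~/.ssh/config, a non-empty `missing` list with `agent_backed` true is exactly the situation where a client that opens IdentityFile paths itself, rather than asking the agent, will fail as shown in the issue.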