strongbox-password-safe / Strongbox

A KeePass/Password Safe Client for iOS and OS X
https://strongboxsafe.com
GNU Affero General Public License v3.0
1.34k stars 102 forks source link

FEATURE REQUEST: ssh agent should support "destination restrictions" #772

Open l4t3b0 opened 8 months ago

l4t3b0 commented 8 months ago

Currently if I have more than 6 ssh keys enabled in the strongbox profile we have difficulties using them. We get "Too many authentication failures" back from the server.

OpenSSH 8.9 includes the ability to control how and where keys in ssh-agent may be used, both locally and when forwarded. https://www.openssh.com/agent-restrict.html

In practice it means, that if we use ssh-add with the -h option, than we can have more than 6 private keys loaded into the agent and we won't run into the trouble of the too many authentication failures.

I request to implement the same behaviour ssh-agent/ssh-add has to avoid manually disabling ssh keys in strongbox.

strongbox-mark commented 8 months ago

Interesting, have you seen the help article on mitigating this issue:

https://strongbox.reamaze.com/kb/ssh-agent/ssh-agent

We have a specific section on this: SSH Key Limits, Multiple Github Accounts and Key Specification

l4t3b0 commented 8 months ago

Im aware of the solution editing the ssh config file and use the IdentityFile option.

But who wants to edit config files if it is not necessary and why export id files?

What I have tested - not with the ssh-agent solution of strongbox - but with the openssh ssh-agent is that I have installed the private keys for different computers. For example: ssh-add -h "not.real.computer1.com" id_ed25519_not.real.computer1.com ssh-add -h "not.real.computer2.com" id_ed25519_not.real.computer2.com ssh-add -h "not.real.computer3.com" id_ed25519_not.real.computer3.com ssh-add -h "not.real.computer4.com" id_ed25519_not.real.computer4.com ssh-add -h "not.real.computer5.com" id_ed25519_not.real.computer5.com ssh-add -h "not.real.computer6.com" id_ed25519_not.real.computer6.com ssh-add -h "not.real.computer7.com" id_ed25519_not.real.computer7.com

Please note that I have added more than 6 private keys.

After that I can create an ssh connection to any of the 7 computers without any additional ssh config. None the less If I want to create an ssh connection to an 8th computer than I won't get the result "Too many authentication failures", but asks for the password.

Since Strongbox already have the url property, Strongbox could parse the hostname from the url and make the similar behaviour like openssh ssh-agent does. If Strongbox detects to have multiple ssh keys for the same host (multiple GitHub example) the user could select the appropriate key to use. ... or with the username property stored in Strongbox it could select the proper key automatically.

strongbox-mark commented 8 months ago

Interesting idea. However, since there is already a well defined solution to this issue (config), it is unlikely we can schedule work on this anytime soon.