trustcrypto / onlykey-agent

The OnlyKey agent is essentially middleware that lets you use OnlyKey as a hardware SSH/GPG device.
https://docs.crp.to/onlykey-agent.html
GNU Lesser General Public License v3.0

static key support? #24

Closed mr-sour closed 3 years ago

mr-sour commented 3 years ago

I see there's this from a PR a while back, https://github.com/trustcrypto/onlykey-agent/pull/8, which sounds like what I want.

My use case is that I use a jumpbox to ssh into various machines that I don't expose to the public web, like so: ssh -J myuser@jumpbox.public myuser@securebox.private. I have a script that will sync my public key(s) on the jumpbox to every host that can be connected from it. But here lies my issue: currently OnlyKey generates a unique public key depending on the hostname, which isn't what I want because that means I would have to deal with generating 100s of public keys for every host, not to mention it really doesn't do me any good cause I'll just upload every public key to every host anyways. Now with the latest version of ssh I can use the new *-sk keys, which is preferred if it's available, but not every host has the latest version of openssh. But I am quite excited because I saw in the release notes "Improved OnlyKey Agent SSH support - OnlyKey SSH agent now supports both derived keys and stored keys for users who wish to use a single key to log into multiple servers", but I guess I'm a little green when it comes to how these keys work because the guide kinda chalked it all up under advanced, and I was lost. So I guess my question is: do I even need that PR if I can just load a key and then those don't derive new keys for each host?

Does the flow look like this?

Create an X25519 pgp key (or can I load an OpenSSH ed25519 key?). Load the key into a slot. What's the difference between Keys->OpenPGP Private Key and Advanced->Add Private Key? Then once it's in a slot I can do something like onlykey-agent myuser@jumpbox.public -sk 102 and then take that public key and distribute it to all my servers?

I would be more than happy to contribute a guide to the docs detailing this use case and even include ssh agent forwarding, as I'm sure I'm not the only one who uses a jump-box, but some pointers about how I can accomplish this would be greatly appreciated.

On a side note, 10/10 product, can't wait for the new models!

onlykey commented 3 years ago

Yes, the new SSH agent allows using stored keys, so you will have the same public key on every host. This sounds like it's exactly what you are looking for. https://docs.crp.to/onlykey-agent.html#ssh-agent-quickstart-guide-stored-keys

First you have to load a private key to use; the easiest way is to use an X25519 OpenPGP key, since this can be loaded using the OnlyKey App. However, you can also load raw keys (X25519 keys have a 32-byte ECC private key); this is not documented well as it's not preferred. Right now we don't have a direct way to load keys that are in the SSH private key format. If an OpenPGP key can't be used, then it is possible to extract the 32-byte key from an SSH key and load it through the 'Advanced' tab in the OnlyKey App. Here is a document that tells how to do that: https://docs.google.com/document/d/14RxoaqBLEhU8nizZeeB2RbZVJAG6sxXD7epkdt7Ukls/edit?usp=sharing

To create an X25519 private key $ openssl genpkey -algorithm X25519 -out X25519.key

To display the raw private key (note `grep -E`: the `{2}` interval is an extended-regex construct, so plain `grep -o` prints nothing on GNU grep): $ openssl pkey -in X25519.key -noout -text 2>/dev/null | sed -n '/priv:/,/pub:/p' | grep -oE '[0-9a-f]{2}' | tr -d ' \n'

40ca822f00a80728e506976af39ff43d14b2e8e923b714bf32ec94f8ce98fc5

Copy/paste this like this: [screenshot] Notice we set it as a signature key since this is for SSH. Slot 2 actually means 102 for ECC keys.

Use the key like this: $ onlykey-agent myuser@jumpbox.public -sk 102

So the method described above is possible, however it's not documented because it's not at all user friendly. Using an OpenPGP key is the recommended way.
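The raw-key extraction step above, as an added worked example that is not part of this thread or of the onlykey-agent project: a stdlib-only Python parser that pulls the 32-byte CurvePrivateKey out of the PKCS#8 PEM written by `openssl genpkey -algorithm X25519`, refuses any other key algorithm, and checks the key is exactly 32 bytes (64 hex characters) before it is pasted into the App's Advanced tab. Function names are my own, and the embedded sample key is constructed (bytes 0x00..0x1f), not a real secret.

```python
import base64
import re

X25519_OID = bytes.fromhex("2b656e")  # 1.3.101.110 (RFC 8410)

def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def raw_x25519_private_key(pem: str) -> bytes:
    """Return the 32-byte raw private key from an unencrypted PKCS#8 PEM
    as written by `openssl genpkey -algorithm X25519`; ValueError otherwise."""
    m = re.search(r"-----BEGIN PRIVATE KEY-----(.*?)-----END PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("not an unencrypted PKCS#8 'PRIVATE KEY' PEM block")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = _read_tlv(der, 0)                 # PrivateKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo SEQUENCE missing")
    tag, version, pos = _read_tlv(body, 0)           # version INTEGER (0)
    tag2, alg, pos = _read_tlv(body, pos)            # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if (tag, version, tag2, oid_tag) != (0x02, b"\x00", 0x30, 0x06) or oid != X25519_OID:
        raise ValueError("not a PKCS#8 v0 X25519 key (OID 1.3.101.110)")
    tag, outer, _ = _read_tlv(body, pos)             # privateKey OCTET STRING ...
    if tag != 0x04:
        raise ValueError("privateKey OCTET STRING missing")
    tag, raw, _ = _read_tlv(outer, 0)                # ... wrapping CurvePrivateKey OCTET STRING
    if tag != 0x04 or len(raw) != 32:
        raise ValueError("expected a 32-byte CurvePrivateKey, got %d bytes" % len(raw))
    return raw

def _pkcs8_pem(raw: bytes, oid: bytes = X25519_OID) -> str:
    """Wrap a raw key in an unencrypted PKCS#8 PEM; used here only to build sample input."""
    alg = b"\x30" + bytes([len(oid) + 2]) + b"\x06" + bytes([len(oid)]) + oid
    inner = b"\x04" + bytes([len(raw)]) + raw
    body = b"\x02\x01\x00" + alg + b"\x04" + bytes([len(inner)]) + inner
    b64 = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % b64

# Constructed sample key (NOT a real secret): bytes 0x00..0x1f.
SAMPLE_PEM = _pkcs8_pem(bytes(range(32)))

if __name__ == "__main__":
    # Prints the 64 hex characters to paste into the App (slot 2 == 102 for ECC keys).
    print(raw_x25519_private_key(SAMPLE_PEM).hex())
```

To use it on a real key, read X25519.key into a string and pass it in place of SAMPLE_PEM.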

mr-sour commented 3 years ago

That doc was pretty much what I was looking for. Thanks!