
Improve spire's use of ssh agent when multiple private keys are available. #149

Open
retrogradeorbit opened this issue Apr 2, 2022 · 2 comments
Labels
enhancement New feature or request

Comments

@retrogradeorbit
Member

retrogradeorbit commented Apr 2, 2022

  1. start with a clean ssh-agent.

  2. use spire to initiate an ssh connection to a machine that has your ssh RSA key as an authorized key.

  3. key decryption box appears. key cannot be decrypted with valid passphrase.

  4. ctrl-c

  5. use ssh to connect with same agent.

  6. key decryption box appears. key can now be decrypted. ssh connects

  7. logout the ssh shell

  8. now try spire connection again. now it works.

  9. use ssh-add -D to delete all decrypted keys

  10. try again. fails.

@retrogradeorbit retrogradeorbit added the bug Something isn't working label Apr 2, 2022
@retrogradeorbit retrogradeorbit changed the title new ssh core cant/wont load existing ssh keys into ssh-agent, but will use them if already loaded into ssh-agent. spire cant/wont decrypt existing ssh keys into ssh-agent when multiple valid keys present, but will use them if already loaded into ssh-agent. Apr 3, 2022
@retrogradeorbit
Member Author

Problem predates new Jsch. Have never seen it until now because ssh agent is usually full of decrypted keys.

Appears to be a problem with the way spire's ssh-agent implementation calls the agent. It just issues a sign request straight away on the key. It does not offer the key first to see if the key would be accepted.

ssh does:

debug1: Offering public key: RSA SHA256:j3c87ySHbCUN5CETVky5nRNqABI5Mj8JuqSeBLd8kwk /home/crispin/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug2: input_userauth_pk_ok: fp SHA256:j3c87ySHbCUN5CETVky5nRNqABI5Mj8JuqSeBLd8kwk
debug3: sign_and_send_pubkey: RSA SHA256:j3c87ySHbCUN5CETVky5nRNqABI5Mj8JuqSeBLd8kwk

Notice that it sends message 50 first (SSH2_MSG_USERAUTH_REQUEST), then receives response 60 (SSH2_MSG_USERAUTH_PK_OK), and only then issues the sign_and_send_pubkey call.

spire just takes the first identity and uses that for auth. I was getting confused because the order is different from ssh's order.

In spire, when the first key tried fails, the whole auth fails. It does not then try the next key like ssh does.

@retrogradeorbit retrogradeorbit changed the title spire cant/wont decrypt existing ssh keys into ssh-agent when multiple valid keys present, but will use them if already loaded into ssh-agent. Improve spire's use of ssh agent when multiple private keys are available. Apr 3, 2022
@retrogradeorbit retrogradeorbit added enhancement New feature or request and removed bug Something isn't working labels Apr 3, 2022
@retrogradeorbit
Member Author

Spire needs more of the ssh-agent protocol implemented. It should offer ssh keys one after the other if you don't decrypt one, like ssh does.
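The offer-then-sign flow described in the two comments above (probe with message 50, wait for message 60, sign only then, and fall through to the next agent identity on failure), as an added example that is not spire's code or part of this issue. The message encoding follows RFC 4252 section 7; the server and the agent are constructed in-memory stand-ins (a hash in place of an RSA signature, a single authorized key blob), so the example runs offline and shows that the agent is asked to sign, which is what triggers the passphrase prompt, exactly once and only for the key the server accepted.

```python
import hashlib
import struct

# Message numbers from RFC 4252 (the type 50 and type 60 in the ssh -v output above)
USERAUTH_REQUEST, USERAUTH_FAILURE, USERAUTH_SUCCESS, USERAUTH_PK_OK = 50, 51, 52, 60

def ssh_string(b):                      # RFC 4251 "string": uint32 length prefix + bytes
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):              # decode an RFC 4251 string -> (value, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def userauth_body(user, alg, blob, has_sig):
    # SSH_MSG_USERAUTH_REQUEST, method "publickey" (RFC 4252 section 7), without the
    # trailing signature field; has_sig=False is the probe that send_pubkey_test sends.
    return (bytes([USERAUTH_REQUEST]) + ssh_string(user) + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey") + bytes([int(has_sig)]) + ssh_string(alg) + ssh_string(blob))

def authenticate(user, session_id, identities, send, agent_sign):
    """Offer each agent identity (alg, blob) first and ask the agent to sign, the step
    that pops the passphrase prompt, only for a key the server answered PK_OK to."""
    for alg, blob in identities:
        reply = send(userauth_body(user, alg, blob, has_sig=False))
        if reply != bytes([USERAUTH_PK_OK]) + ssh_string(alg) + ssh_string(blob):
            continue                    # USERAUTH_FAILURE (or a PK_OK for some other key): next key
        body = userauth_body(user, alg, blob, has_sig=True)
        sig = agent_sign(blob, ssh_string(session_id) + body)   # what SSH_AGENTC_SIGN_REQUEST signs
        if send(body + ssh_string(sig))[0] == USERAUTH_SUCCESS:
            return (alg, blob)
    return None

def fake_sign(blob, data):              # constructed stand-in for the agent: a hash, not RSA
    return hashlib.sha256(blob + data).digest()
def make_fake_server(authorized_blob, session_id):
    """Constructed stand-in for sshd: accepts exactly one key blob, no network involved."""
    def send(msg):
        off = 1
        for _ in range(3):                             # skip user name, service, method name
            _, off = read_string(msg, off)
        alg, end = read_string(msg, off + 1)
        blob, end = read_string(msg, end)
        if blob != authorized_blob:
            return bytes([USERAUTH_FAILURE])
        if not msg[off]:                               # probe: acknowledge the key with PK_OK
            return bytes([USERAUTH_PK_OK]) + ssh_string(alg) + ssh_string(blob)
        sig, _ = read_string(msg, end)
        good = sig == fake_sign(blob, ssh_string(session_id) + msg[:end])
        return bytes([USERAUTH_SUCCESS if good else USERAUTH_FAILURE])
    return send
```

With two identities in the agent and only the second one authorized, `authenticate` returns the second key after a single signing request; a client that signs with the first identity straight away would fail the whole authentication instead.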
