Open SSH-Agent on Login and avoid keep terminal opened #965

Open
FlorianRuen opened this issue Mar 1, 2023 · 27 comments

Comments

@FlorianRuen

Hello there,

I've been using Keeper for many years now, but I'm a new user of the SSH agent, to use all my keys stored in my Keeper Vault.

For now, after my session opens, I need to:

  • launch keeper ssh-agent start
  • type my vault password
  • keep the terminal window open (or the ssh-agent will be stopped)
  • use another terminal window to run ssh user@host

My ideal solution would be to first be able to launch it in the background, and if the ssh-agent can launch at startup, just ask me for the vault password or something (or even use a password from command line arguments or something?)

Is there a way to achieve this kind of behavior?

Kindly,

@FlorianRuen
Author

FlorianRuen commented Jul 11, 2023

@sk-keeper
Any update on this?

I've created a config.json, so I can launch using an alias keeper_ssh,
so I don't need to type my vault password every time.

But my terminal is still blocked after this, and if I close the terminal, the agent stops, and I can't connect to my ssh session without my key password being entered...

@sk-keeper
Collaborator

It is not possible to start the Commander in background mode.
At least we have never tested this flow here in Keeper.

@craiglurey
Contributor

Hi @FlorianRuen, we're working on some improved developer tools and would like to get your feedback. Please shoot me an email at [email protected] so we can schedule a time.

@FlorianRuen
Author

FlorianRuen commented Jul 17, 2023

It is not possible to start the Commander in background mode. At least we have never tested this flow here in Keeper.

Thanks, but it would be a very great feature to handle this use case (or at least an option, when launching the Linux Keeper App, to start the SSH agent in the background or something).


Hi @FlorianRuen, we're working on some improved developer tools and would like to get your feedback. Please shoot me an email at [email protected] so we can schedule a time.

Sent!

@FlorianRuen
Author

FlorianRuen commented Jul 21, 2023

@sk-keeper I think a good way to proceed here could be a custom command such as kssh user@host (keeper ssh) that uses the ssh-agent directly.

Maybe the infinite loop here isn't really useful:

Do you accept PRs on this repo? If I find some time, I can suggest something.
I don't know if it should be inside Commander or in a separate project, but I know many ssh agents that work with this kind of command.

@sk-keeper
Collaborator

Commander already has an ssh command.
https://docs.keeper.io/secrets-manager/commander-cli/command-reference/connection-commands/ssh
If this command finds an ssh key on a record, then it loads this key into the system's ssh-agent and starts the system's ssh command.
Similar mysql and postgresql commands make database connections.

There is also a connect command that can run any system utility, but it is confusing and hard to use.
https://docs.keeper.io/secrets-manager/commander-cli/command-reference/connection-commands/connection-to-hosts

@FlorianRuen
Author

@sk-keeper I understand, and I agree the connect command isn't very easy to use, so it's not an option for me.
So, is there no possibility to run the ssh-agent in the background? Because it could be a very helpful way to use keeper ssh keys.

@sk-keeper
Collaborator

Unfortunately Commander is not designed to be run in the background.

@evilhamsterman

The ssh and connect commands aren't very useful to other tools that use the ssh-agent, like git. Once #1088 is resolved it could be run in a script on login/startup, though I'd argue that it's something that would be useful spun off into its own agent.

@sk-keeper
Collaborator

We are open to any suggestion on how to make this area more useful.
The connect command (ssh is a special version of it) can load private keys into the system's ssh-agent and run other programs that may use it. The keys are removed from the ssh-agent when the program exits.
There is no command that just loads keys and keeps them in the ssh-agent.
We haven't had such a request, and we do not want to add commands that leak sensitive data outside of the Commander.

The ssh-agent command replaces the system's ssh-agent. We know it lacks key management from the Commander: add/remove keys. It requires Commander to be running.

Are you looking for a command that loads a private key into the system's ssh-agent and leaves it there?

@craiglurey
Contributor

We're discussing and will revert back to you with some ideas. If you have additional suggestions on these types of tools please keep sending them over.

@evilhamsterman

The ssh and connect commands don't integrate well with tools like git or sftp, which don't really connect to a server; they just use SSH as a transport. I'm not even sure how it would work through either of them: ssh just opens an ssh session, but you aren't doing that for git, and connect appears to require setting up the command to run in the record, and I'm not going to edit a record every time to run things like git pull and git push. I guess you could set up connect to load the key in the agent and connect to a random server so the key stays in the agent while you run git, but that is a horrible workflow. Plus your own documentation says the connect command is deprecated since 16.5.8.

I can see how, once my issue mentioned above is resolved, you could have a script that runs and backgrounds a keeper process to keep the agent running. But either loading/unloading keys into the system agent or running the keeper ssh-agent by itself in the background would be much better. Adding and removing keys isn't important if you are using Keeper to store them, though that would be a nice feature later, maybe even some way to save keys loaded into the agent to your vault, or have keeper generate keys for you. Something like keeper keygen -t ed25519 -T "my new key" generates the key, saves it to a record called "my new key" and loads it in the agent.

I'm sure some of this overlaps with KCM, but that's a full suite, this would be useful for smaller use cases like personal accounts. Basically though if you're going to offer an ssh-agent it should be like any other agent and able to be run as a daemon/background process.

@theo-abel

Are there any updates on this issue?

@AlexisPPLIN

AlexisPPLIN commented Jan 8, 2024

I also have this issue.
So I made a little bash script to work around this problem:
https://github.com/AlexisPPLIN/keeper-ssh-agent-daemon

I hope it can help some people out there.
(Contributions are open obviously)

@FlorianRuen
Author

@craiglurey any update on this, to improve the connect feature?

@craiglurey
Contributor

craiglurey commented Aug 1, 2024 via email

@evilhamsterman

@craiglurey I don't think you quite understand the request. We don't want to launch SSH connections from the vault. We want to use our existing tooling that utilizes SSH and can speak to an SSH agent to authenticate. For instance, Ansible uses SSH to connect to servers to perform configuration and maintenance. Unless launching from the vault supplies an ssh-agent socket, I'm not sure how Ansible can utilize that.

And honestly it's not a feature I think I would use frequently; when I'm working in the terminal it's faster and easier for me to just type ssh <user>@<hostname>, or many times I even create aliases for frequent hosts. I don't want to have to leave my terminal, open the vault, authenticate if needed, find the server I want to connect to, click the button and wait for it to open a terminal, whether that's in the vault directly or opening a new terminal window.

@evilhamsterman

@craiglurey it's like my comment earlier. SSH is much more than just a remote shell that we want to use to connect to a server terminal. It's more like an encrypted transport protocol. There are many tools that utilize it to establish a secure session and transmit more than just text back and forth for a terminal. To integrate, those tools need to communicate with an ssh-agent socket; otherwise we have to store the key on disk, either in cleartext or encrypted. Cleartext is obviously bad, and if it's encrypted, unless it's loaded in an agent we have to type the password every time to decrypt it, and when you're running Ansible on several hundred systems that gets tedious realllly fast.
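The two points made in this thread, that tools such as git or Ansible talk to an agent through a Unix socket (SSH_AUTH_SOCK) and that the connect command loads keys into the system agent and removes them again when the program exits, are easiest to see on the wire. The following is an added example, written for this page; it is not Keeper Commander code and was not posted by anyone in the thread. It is a toy agent plus client in Python implementing two messages of the ssh-agent protocol (draft-miller-ssh-agent): REQUEST_IDENTITIES (11, answered by IDENTITIES_ANSWER 12) and REMOVE_ALL_IDENTITIES (19, answered by SUCCESS 6). The key blobs and comments are constructed placeholders, not real keys, and the socket path is a temporary one chosen by the example. What a client sees through the socket is only public identities; the private material stays in the agent process, which is why an agent socket is the safe integration point the thread asks for.

```python
import os
import socket
import struct
import tempfile
import threading

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE, SSH_AGENT_SUCCESS = 5, 6
SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER = 11, 12
SSH_AGENTC_REMOVE_ALL_IDENTITIES = 19

def _read_string(buf, off):  # SSH "string": uint32 big-endian length, then the bytes
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _send(sock, msg):  # every agent message is length-prefixed; first payload byte is the type
    sock.sendall(struct.pack(">I", len(msg)) + msg)

def _recv(sock):
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed the agent connection")
            buf += chunk
        return buf
    return exact(struct.unpack(">I", exact(4))[0])

class ToyAgent:
    """Keeps identities in-process and serves only public blobs + comments over a Unix socket."""
    def __init__(self, identities):
        self.identities = list(identities)  # (public_key_blob, comment) pairs
        self.path = os.path.join(tempfile.mkdtemp(), "agent.sock")  # what SSH_AUTH_SOCK points at
        self.server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.server.bind(self.path)
        os.chmod(self.path, 0o600)  # only the owning user may talk to the agent
        self.server.listen(5)
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.server.accept()
            except OSError:  # listening socket was closed by close()
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:  # one request per connection is enough for this toy
            try:
                _send(conn, self._dispatch(_recv(conn)))
            except OSError:  # client hung up
                pass

    def _dispatch(self, req):
        if req and req[0] == SSH_AGENTC_REQUEST_IDENTITIES:
            out = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(self.identities))
            for blob, comment in self.identities:
                out += struct.pack(">I", len(blob)) + blob + struct.pack(">I", len(comment)) + comment
            return out
        if req and req[0] == SSH_AGENTC_REMOVE_ALL_IDENTITIES:
            self.identities.clear()  # "keys removed when the program exits", as seen on the wire
            return bytes([SSH_AGENT_SUCCESS])
        return bytes([SSH_AGENT_FAILURE])  # every other request type (e.g. a sign request) is refused

    def close(self):
        self.server.close()
        os.unlink(self.path)
        os.rmdir(os.path.dirname(self.path))

def _ask(sock_path, msg):
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        _send(s, msg)
        return _recv(s)

def list_identities(sock_path):  # what `ssh-add -l` does
    resp = _ask(sock_path, bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
    if resp[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise RuntimeError("agent refused the request")
    (count,) = struct.unpack_from(">I", resp, 1)
    off, out = 5, []
    for _ in range(count):
        blob, off = _read_string(resp, off)
        comment, off = _read_string(resp, off)
        out.append((blob, comment.decode()))
    return out

def remove_all(sock_path):  # what `ssh-add -D` does
    return _ask(sock_path, bytes([SSH_AGENTC_REMOVE_ALL_IDENTITIES]))[0] == SSH_AGENT_SUCCESS

def demo():
    agent = ToyAgent([(b"constructed-blob-1", b"work-key"), (b"constructed-blob-2", b"git-key")])  # constructed placeholders
    try:
        before = [c for _, c in list_identities(agent.path)]
        wiped = remove_all(agent.path)
        after = [c for _, c in list_identities(agent.path)]
    finally:
        agent.close()
    return before, wiped, after  # (['work-key', 'git-key'], True, [])
```

Running demo() lists the two constructed identities, wipes them and lists again, which is the sequence a wrapper like connect performs around the program it launches. A real agent also answers SIGN_REQUEST (13) by signing a challenge inside the agent process; this toy refuses everything but the two listing/removal messages, which is exactly why a socket-based agent rather than a key file on disk is the right integration point for git, scp or Ansible.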

@FlorianRuen
Author

FlorianRuen commented Aug 23, 2024

@craiglurey @evilhamsterman I agree with that, and I would also go further: apart from ssh, I use scp quite regularly to copy files to a host and a remote server, which also requires access to the key...

And so in this case, from what I understand, the subject will still be a problem, because using the vault will open a session directly (maybe by providing a path to the key, or a different method), but nothing more.

@craiglurey
Contributor

craiglurey commented Aug 23, 2024 via email

@FlorianRuen
Author

FlorianRuen commented Aug 23, 2024

@craiglurey

Current Workflow

To use the standard SSH command, we currently have to launch Commander, start the SSH agent, and keep Commander running since the SSH agent cannot run in the background. This setup is cumbersome because Commander needs to remain open for the SSH agent to be active.

Proposed Solution

A better approach would be to log in to Keeper (either through the Commander CLI or the desktop app). If the SSH agent is enabled, it should automatically use the SSH keys stored in Keeper whenever an SSH command is run.

Ideal Implementation

This process could be triggered at Linux login, with automatic authentication using a Keeper password stored in a file. This way, the SSH keys would be available immediately after login without needing to manually start Commander each time.

@evilhamsterman

Understood. We are adding the SSH agent service to the Keeper Desktop app as well. This will function exactly how Commander loads up the keys and makes them available from any terminal. Does this address the issue or are you looking for an installed service outside of the desktop app and Commander? It seems redundant to add another installed service but we are open to the suggestions.

Running the ssh-agent in the Desktop app is a great solution and exactly what we need. Will it be available on all platforms or just *nix? With the inclusion of ssh in Windows now we have more people using the ssh client from there.

@FlorianRuen I don't think that having the agent unlock using a file saved on your desktop is a good idea. That isn't much better than just storing your ssh key in the clear. If you want something like Keychain from the OS, those integrate with a security chip like a TPM to decrypt. I think that's another question altogether.

@FlorianRuen
Author

@evilhamsterman I mean, the ssh agent can try to find the key on Keeper; if locked, ask for the Master password one time (and expire after X minutes) and continue the login to the ssh instance.

Without more action than ssh host@password

@evilhamsterman

Thinking a little bit more, the Desktop App is a great option, but I do think having a CLI-only option would still be good too. Sometimes you could easily forward the agent from a desktop, but other times not as easily. I'm thinking of situations that don't have a GUI but you don't access via ssh, like Codespaces.

@evilhamsterman

@evilhamsterman I mean, the ssh agent can try to find the key on Keeper; if locked, ask for the Master password one time (and expire after X minutes) and continue the login to the ssh instance.

Without more action than ssh host@password

That sounds like what @craiglurey is proposing with the desktop app. I assume you start the desktop app like you normally do now, but it would start an ssh-agent socket with any keys it finds.

@FlorianRuen
Author

So if that's the case, it seems a good solution!

@craiglurey
Contributor

Yes, so there are many ways that people will be able to connect via SSH to targets (or just open SSH tunnels) with this new system:

  1. Using the SSH agent service running on either Desktop App or Commander alongside your vault (Commander SSH agent is live today, desktop app is coming soon)
  2. Installing the Keeper Connection Manager docker container and using a web browser to open connections to targets (without sharing the SSH key or password).
  3. Using the all new Keeper Privilege Access Manager feature which lets you open a visual session directly from the Keeper vault through the Keeper Gateway, without having to share keys or passwords.
  4. Using the new "Tunneling" feature of the Keeper Privilege Access Manager built into Keeper Desktop that lets you establish an encrypted tunnel from the local desktop app (127.0.0.1 on some port) through the Keeper Gateway into the target infrastructure. Combining this with the SSH agent, you can then access any system via the Keeper Gateway without having to use SSH keys locally. Coming soon.

If you're interested in a demo, I can show you what's coming.
