SSH private key check prevents use of Yubikey via gpg-agent #209

Open
todd-a-jacobs opened this issue Sep 15, 2015 · 4 comments

@todd-a-jacobs

The validation of SSH keys currently prevents the use of an RSA key stored on a Yubikey for authentication. Yubikeys support the use of on-card OpenPGP, which can then be loaded into the ssh-agent emulation of gpg-agent. The triple-net of all this is that you can generate an SSH public key, but the private key never leaves the device.

When you specify override.ssh.private_key_path, vagrant-digitalocean expects to find a private key, but only the public key is on disk. The private key is available to the agent, but isn't on-disk. As a result, you get messages like:

SSH:
* `private_key_path` file must exist: ~/.ssh/id_rsa

and there's no way (as far as I can tell) to point the plugin just to the public key (e.g. ~/.ssh/id_rsa.pub) for upload, as that results in:

`private_key_path` file must exist: ~/.ssh/id_rsa.pub.pub

It would be nice if there was a way to specify the public key to upload, and to rely on ssh-agent for loading the private keys.

@oogles

oogles commented Jan 29, 2016

I would also love to see support for loading private keys from an agent. I also think support for uploading a public key should be optional, provided ssh_key_name refers to a public key already stored in your DO account.

@todd-a-jacobs

@seth-reeser You tagged this issue with "more information needed." What additional information do you need?

@carlhals

Found this thread while searching for a solution to the same problem, thought I'd leave my workaround here in case someone else still needs it:
I use a Yubikey and have the public key from ssh-add -L in ~/ssh/yubikey.pub.
ssh.private_key_path points to this file.
Simply copying ~/ssh/yubikey.pub to ~/ssh/yubikey.pub.pub makes the plugin happy and allows gpg_agent to supply the private key when needed.

@zestysoft

zestysoft commented Jan 31, 2020

@seth-reeser If this helps the "more information needed" request (and this isn't limited to Yubikeys), once a private key has been entered into an ssh agent, one usually erases the private key file from the filesystem to keep it protected within the agent system. When ssh needs to know which identity to use, we point it to a file that contains the output of `ssh-add -L` for that key; this output is the public ssh key for the private key(s) it contains. Using the `SSH_AUTH_SOCK` environment variable, ssh then talks with the agent to ask it if it has the private key for that public key and, upon success, passes off the `sign_and_send_pubkey` step to the agent. (The agent then passes that off to the Yubikey if that's part of the picture here.)

Ideally, it would be "nice to have" vagrant rely on ssh to use its default ~/.ssh/config file to provide the appropriate identity and just attempt to ssh as "vagrant" without explicitly needing to provide any identity information at all.

This is all we'd need in the config file to make vagrant work everywhere:

```
Host *
        IdentitiesOnly yes
        IdentityFile ~/.ssh/yubikey.pub
```
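The workaround in the two comments above (point `private_key_path` at a file holding only the public key, and give the plugin the extra `.pub.pub` copy it looks for) can be scripted so that it refuses to write anything but a public key and notices when the agent holds more than one matching identity. The script below is an added example for this thread, not code from vagrant-digitalocean or from any of the commenters. It assumes the key line comes from `ssh-add -L`, that gpg-agent labels a card-resident key with a comment of the form `cardno:...` (used here only as a selector pattern), and the file name `~/.ssh/yubikey.pub` from the comments; the `ssh-add -L` output embedded in it is a constructed sample, not real keys, so the script runs without an agent.

```shell
#!/bin/sh
# Added example for this issue thread; not code from vagrant-digitalocean or
# from the commenters. It materialises an agent-held identity as the file pair
# the plugin's `private_key_path` check expects (<path> and <path>.pub), both
# containing only the PUBLIC key, so the private half never leaves gpg-agent
# or the Yubikey. Key lines come from `ssh-add -L`; a constructed sample of
# that output is used below so the script runs without an agent.
set -eu

# One line of `ssh-add -L` output looks like "<keytype> <base64> [comment]".
is_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
      '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9.-]+@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# select_agent_key <ssh-add -L output> <comment pattern>
# Prints exactly one matching key line. Zero or several matches are errors,
# so a renamed card or a second loaded identity is noticed, not silently used.
select_agent_key() {
    matches=$(printf '%s\n' "$1" | grep -E -- "$2") || matches=""
    n=$(printf '%s\n' "$matches" | grep -c .) || n=0
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one key matching '$2', found $n" >&2
        return 1
    fi
    if ! is_pubkey_line "$matches"; then
        echo "selected line is not an OpenSSH public key: $matches" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# write_pub_pair <key line> <path>
# Writes <path> and an identical <path>.pub: the plugin appends ".pub" to
# private_key_path, so pointing it at ~/.ssh/yubikey.pub needs yubikey.pub.pub.
# 0644 is what ssh-keygen gives .pub files; this is public material only.
write_pub_pair() {
    printf '%s\n' "$1" > "$2"
    cp "$2" "$2.pub"
    chmod 0644 "$2" "$2.pub"
    cmp -s "$2" "$2.pub"
}

# Guard against the one thing this workaround must never do: put private key
# material on disk. Agent-exported lines are public keys and never carry this.
no_private_key_on_disk() {
    ! grep -q 'PRIVATE KEY' "$1" "$1.pub"
}

# Constructed sample of `ssh-add -L` output (NOT real keys): a laptop key plus
# the card's OpenPGP auth key, which gpg-agent labels with a "cardno:" comment.
SAMPLE_AGENT_OUTPUT='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleEx laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleExampleExampleExampleExampleExampleExample cardno:000000000000'

# demo <directory>: run the whole workaround against the sample and print the
# path to hand to override.ssh.private_key_path.
demo() {
    key=$(select_agent_key "$SAMPLE_AGENT_OUTPUT" 'cardno:') || return 1
    write_pub_pair "$key" "$1/yubikey.pub" || return 1
    no_private_key_on_disk "$1/yubikey.pub" || return 1
    printf '%s\n' "$1/yubikey.pub"
}

# With a live agent (SSH_AUTH_SOCK pointing at gpg-agent's ssh socket), swap
# SAMPLE_AGENT_OUTPUT for "$(ssh-add -L)" and use "$HOME/.ssh" as the directory.
demo "$(mktemp -d)"
```

Because `select_agent_key` fails on zero or multiple matches, a Vagrantfile that runs this at provisioning time stops before writing a wrong identity, rather than uploading whichever key happened to sort first; and since both files are verified byte-identical and checked for private-key headers, the on-disk state is exactly what carlhals described, a public key and its `.pub.pub` twin, with signing still delegated to the agent.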
