Bug 577052 - ssh: support config AddKeysToAgent
Summary: ssh: support config AddKeysToAgent
Status: RESOLVED FIXED
Alias: None
Product: JGit
Classification: Technology
Component: JGit
Version: 6.0
Hardware: All (OS: All)
Importance: P3 enhancement
Target Milestone: 6.1
Assignee: Project Inbox
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on: 577542
Blocks:
Reported: 2021-11-04 04:08 EDT by Thomas Wolf
Modified: 2022-01-30 11:51 EST

See Also:


Description (Thomas Wolf, 2021-11-04 04:08:20 EDT)
Possible values:
* yes -- unconditionally add loaded keys without restrictions
* no -- never add keys loaded from files to the agent
* ask -- ask the user for each key loaded from a file
* confirm -- unconditionally add keys with a flag that makes the agent ask
  the user each time the key is used (for signing)
* time spec -- lifetime of the key in the agent in seconds; the agent
  automatically removes the key after that time.
* confirm + time spec

If switched on, OpenSSH adds private keys to the agent once successfully loaded if they're not yet in the agent. (Before even trying to use them for authentication.) Interestingly, some other combinations that appear useful are not supported by OpenSSH, for instance "ask time-spec" or "ask confirm time-spec".

This can be implemented in org.eclipse.jgit.ssh.apache once Apache MINA sshd 2.8.0 is released. 2.7.0 is missing some required bits. (I did already provide the necessary upstream changes.)
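As an added illustration of the value forms listed above (example code, not from JGit or the reporter), the parser below maps an AddKeysToAgent value to the agent constraints it implies and rejects the combinations OpenSSH does not accept, such as "ask 30m". The time-unit table follows the TIME FORMATS section of sshd_config(5); the AgentPolicy name and its fields are assumptions of this example.

```python
"""Parse an OpenSSH AddKeysToAgent value into the agent constraints it implies."""
import re
from dataclasses import dataclass
from typing import Optional

# Unit multipliers from sshd_config(5) TIME FORMATS; a bare number means seconds.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME_RE = re.compile(r"(\d+)([smhdw]?)")


@dataclass(frozen=True)
class AgentPolicy:  # assumed structure for this example, not a JGit or OpenSSH type
    add: bool                # add loaded keys to the agent at all
    ask: bool                # prompt the user for each key loaded from a file
    confirm: bool            # agent must prompt on every use (signing) of the key
    lifetime: Optional[int]  # seconds until the agent removes the key; None = unlimited


def parse_time_spec(spec: str) -> Optional[int]:
    """Return seconds for '30m', '1h30m', '600', ...; None if not a time spec."""
    if not spec or not re.fullmatch(r"(\d+[smhdw]?)+", spec):
        return None
    return sum(int(n) * _UNITS[u] for n, u in _TIME_RE.findall(spec))


def parse_add_keys_to_agent(value: str) -> AgentPolicy:
    """Accept exactly the forms OpenSSH accepts; everything else is an error."""
    tokens = value.strip().lower().split()
    if not tokens or len(tokens) > 2:
        raise ValueError(f"bad AddKeysToAgent value: {value!r}")
    head, rest = tokens[0], tokens[1:]
    # yes / no / ask: single keyword, no time spec may follow ("ask 30m" is rejected)
    if head in ("yes", "no", "ask") and not rest:
        return AgentPolicy(add=head != "no", ask=head == "ask", confirm=False, lifetime=None)
    # confirm, optionally followed by a lifetime ("confirm 1h")
    if head == "confirm":
        lifetime = parse_time_spec(rest[0]) if rest else None
        if rest and lifetime is None:
            raise ValueError(f"bad time spec after confirm: {rest[0]!r}")
        return AgentPolicy(add=True, ask=False, confirm=True, lifetime=lifetime)
    # bare time spec: add with a lifetime constraint and nothing else
    lifetime = parse_time_spec(head)
    if lifetime is None or rest:
        raise ValueError(f"unsupported AddKeysToAgent value: {value!r}")
    return AgentPolicy(add=True, ask=False, confirm=False, lifetime=lifetime)
```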
Comment 1 (Thomas Wolf, 2021-11-04 15:50:29 EDT)
Also support SecurityKeyProvider here. The value is a string, which should be the path to a middleware library the agent uses for FIDO keys (sk-* keys). This string is passed along to the agent also as a key constraint, like confirm or the lifetime.

I'm not sure Apache MINA sshd handles these keys correctly, though. But passing along that value to the agent for sk-* keys is easy to implement if one does AddKeysToAgent, and then the implementation would be complete at least from the JGit side. (At least for OpenSSH-compatible agents.)
Comment 2 (Eclipse Genie, 2022-01-07 04:50:09 EST)
New Gerrit change created: https://git.eclipse.org/r/c/jgit/jgit/+/189376