Feature request: use hardware backed storage for keypair #14
Comments
This would intrinsically solve #13 as the private key would be bound to the hardware. This feature request is not the same as #5 but orthogonal to it. Even though the keypair would be stored as a "certificate" in Chrome (or in the smart card), regular SSH public key authentication is still used. You could combine SSH certificates with hardware backed keys, where the SSH public key is signed by the CA.

Looks like CACKey is adding an SSH-Agent feature.

someone proposed it, but I'm not sure anyone will actually post CLs to merge it :)

Well I just realized that the built-in gsc agent supports Smart Cards @vapier, might be good to add that info to the FAQ. Still, using Chrome OS's builtin certificate store would be great for anyone who doesn't want to deal with smart cards.

in my ideal vision of the world, Secure Shell has a modular backend of agents that users can select from, one of which would be a chrome.platformKeys backend. this chrome-ssh-agent extension wouldn't even exist ... but it does because Secure Shell provides no solution itself currently. but I don't have a timeline for that :/

Yeah this extension being based on GoLang's SSH Agent is probably not the best place to add the platformKeys integration. A separate purpose built extension might be more appropriate.
This agent extension would be a great place to add support for "Keychains" to Secure Shell.

The user could import (and bind for hardware backing) a certificate in Chrome's store (chrome://settings/certificates) and the extension would access those using the chrome.platformKeys API. I guess the X.509 certificate would have to contain dummy information as only the public and private key are useful. The extension could help with generating the certificate for import by converting the OpenSSH keypair.

An additional way to support hardware backed keys would be through Smart Cards, similar to how OpenSSH's agent can use a PKCS11 module.

I'm guessing this agent extension would need to implement a middleware for the Smart Card Connector extension.