Feature request: use hardware backed storage for keypair #14

mhofman opened this issue Feb 15, 2019 · 6 comments
Comments


mhofman commented Feb 15, 2019

This agent extension would be a great place to add support for "Keychains" to Secure Shell.

The user could import (and bind for hardware backing) a certificate in Chrome's store (chrome://settings/certificates) and the extension would access those using the chrome.platformKeys API.

I guess the X.509 certificate would have to contain dummy information as only the public and private key are useful. The extension could help with generating the certificate for import by converting the OpenSSH keypair.

An additional way to support hardware backed keys would be through Smart Cards, similar to how OpenSSH's agent can use a PKCS11 module.
I'm guessing this agent extension would need to implement a middleware for the Smart Card Connector extension.


mhofman commented Feb 15, 2019

This would intrinsically solve #13 as the private key would be bound to the hardware.

This feature request is not the same as #5 but orthogonal to it. Even though the keypair would be stored as a "certificate" in Chrome (or in the smart card), regular SSH public key authentication is still used. You could combine SSH certificates with hardware backed keys, where the SSH public key is signed by the CA.


mhofman commented Feb 15, 2019

Looks like CACKey is adding an SSH-Agent feature.
I'll have to see if that middleware supports any Smart Card such as a Yubikey.

vapier (Member) commented Feb 15, 2019

Someone proposed it, but I'm not sure anyone will actually post CLs to merge it :)


mhofman commented Feb 15, 2019

Well, I just realized that the built-in gsc agent supports Smart Cards.

@vapier, might be good to add that info to the FAQ.

Still, using Chrome OS's builtin certificate store would be great for anyone who doesn't want to deal with smart cards.

vapier (Member) commented Feb 15, 2019

In my ideal vision of the world, Secure Shell has a modular backend of agents that users can select from, one of which would be a chrome.platformKeys backend. This chrome-ssh-agent extension wouldn't even exist ... but it does because Secure Shell provides no solution itself currently.

But I don't have a timeline for that :/


mhofman commented Feb 15, 2019

Yeah this extension being based on GoLang's SSH Agent is probably not the best place to add the platformKeys integration. A separate purpose built extension might be more appropriate.

mhofman closed this as completed Feb 27, 2019