k3sup
Support for different ssh-agent (smartcards)
I am using https://github.com/FiloSottile/yubikey-agent as my ssh-agent. That especially means that there is no private key on my hard drive, but it only lives on the smart card, where it can not be extracted from.
For my normal ssh related things, I set export SSH_AUTH_SOCK="/usr/local/var/run/yubikey-agent.sock" and have the agent running in the background.
This https://github.com/alexellis/k3sup/issues/226#issuecomment-650816305 user has similar issues with a gpg-agent and a smart card.
Expected Behaviour
```sh
> export SSH_AUTH_SOCK="/usr/local/var/run/yubikey-agent.sock"
> k3sup install --ip 192.168.168.46 --user username
# do things
```
Current Behaviour
```
SSH_AUTH_SOCK="/usr/local/var/run/yubikey-agent.sock"
> k3sup install --ip 192.168.168.46 --user username
Public IP: 192.168.168.46
ssh -i /Users/oliver/.ssh/id_rsa -p 22 username@192.168.168.46
Error: unable to load the ssh key with path "/Users/oliver/.ssh/id_rsa": open /Users/oliver/.ssh/id_rsa: no such file or directory
```
Possible Solution
Steps to Reproduce (for bugs)
- Use different ssh-agent
Context
Can't log into machines
- Operating System and version (e.g. Linux, Windows, MacOS): macOS 10.15.5
This has caused me a lot of frustration. Is there a fix to this?
Thanks for the feedback @oschrenk, do you think this issue can be closed as a duplicate of #226 which you referenced?
Using a Yubikey for storing SSH keys appears to have certain server-side requirements, that may need to be considered -> https://news.ycombinator.com/item?id=23130053
SSH 8.2+ is mentioned as a requirement. My RPi running Raspbian has OpenSSH_7.9p1. Tutorial: https://cryptsus.com/blog/how-to-configure-openssh-with-yubikey-security-keys-u2f-otp-authentication-ed25519-sk-ecdsa-sk-on-ubuntu-18.04.html
As with #226, I would welcome solutions and suggestions from the community.
Having refreshed my memory, this issue doesn't appear to be a duplicate of #226, however I would like to make this issue properly scoped to your specific needs.
My immediate suggestions are for you to look at other projects that use SSH to automate infrastructure, and browse their past issues:
- https://github.com/ansible/ansible/issues
- https://github.com/kubicorn/kubicorn/issues
- https://github.com/kubernetes/kops/issues
Do you strictly consider a Yubikey to be a pre-requisite to using k3sup in any form, or is it more of a preference, and unpleasant surprise that it's not supported yet?
This is the code that loads a public key:
- https://github.com/alexellis/k3sup/blob/7c4f752287ebe456207b2b5a2bf4e8e510ef15b1/cmd/install.go#L307
And this code configures the connection: https://github.com/alexellis/k3sup/blob/master/cmd/install.go#L142
It would imply that the traditional ssh-agent is supported and that it honours SSH_AUTH_SOCK.
https://github.com/alexellis/k3sup/blob/master/cmd/install.go#L279
/add title: support,good first issue,help wanted
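The agent-first order this comment asks about, as an added example that is not k3sup's code: it speaks the ssh-agent protocol directly over the socket named by SSH_AUTH_SOCK using only the Go standard library, and falls back to the on-disk key only when no agent offers a key. Function names and the "agent"/"keyfile" results are assumptions for illustration; a real client would normally use an SSH library (for example golang.org/x/crypto/ssh/agent) for the agent query.

```go
package main

import (
	"encoding/binary"
	"errors"
	"io"
	"net"
	"os"
)
// Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
const agentcRequestIdentities, agentIdentitiesAnswer = 11, 12
// countAgentKeys reads the start of an SSH_AGENT_IDENTITIES_ANSWER body (bytes after the 4-byte length prefix): type byte, then uint32 key count.
func countAgentKeys(body []byte) (int, error) {
	if len(body) < 5 || body[0] != agentIdentitiesAnswer {
		return 0, errors.New("unexpected reply from ssh-agent")
	}
	return int(binary.BigEndian.Uint32(body[1:5])), nil
}
// agentKeyCount asks the agent listening on sock how many keys it currently offers.
func agentKeyCount(sock string) (int, error) {
	conn, err := net.Dial("unix", sock)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	msg := []byte{0, 0, 0, 1, agentcRequestIdentities} // uint32 length, then message type
	if _, err := conn.Write(msg); err != nil {
		return 0, err
	}
	if _, err := io.ReadFull(conn, msg[:4]); err != nil { // reply length prefix
		return 0, err
	}
	body := make([]byte, binary.BigEndian.Uint32(msg[:4]))
	if _, err := io.ReadFull(conn, body); err != nil {
		return 0, err
	}
	return countAgentKeys(body)
}
// chooseAuth (hypothetical name) applies the order the thread asks for: use the agent when SSH_AUTH_SOCK is set and offers a key, only otherwise insist on a key file on disk.
func chooseAuth(sock, keyPath string) (string, error) {
	if sock != "" {
		if n, err := agentKeyCount(sock); err == nil && n > 0 {
			return "agent", nil
		}
	}
	if _, err := os.Stat(keyPath); err != nil {
		return "", err // the same "no such file" k3sup reports today, but only after trying the agent
	}
	return "keyfile", nil
}
```

Calling `chooseAuth(os.Getenv("SSH_AUTH_SOCK"), "/Users/oliver/.ssh/id_rsa")` with yubikey-agent or gpg-agent running returns "agent" even though no key file exists.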
FYI: I use a similar mechanism, but using gpg-agent instead of this custom yubikey agent:

```sh
export SSH_AUTH_SOCK="/run/user/$(id -u)/gnupg/S.gpg-agent.ssh"
```
The key is stored as a GPG key on the yubikey, and then offered as SSH key through the GPG agent.
I use gpg-agent as my ssh agent and even with SSH_AUTH_SOCK set, k3sup still wants a key under $HOME/.ssh.
> I use gpg-agent as my ssh agent and even with SSH_AUTH_SOCK set, k3sup still wants a key under $HOME/.ssh
Yes, it's the same issue I am facing.
@alexellis is this intended behavior?
/close: cleaning up stale issues from the backlog.
/lock