
feature request: "normal" listening socket

Open martinpaljak opened this issue 11 months ago • 5 comments

Thanks for a great piece of software!

I'm looking for PKCS#11-free access to PIV hardware in the context of SSH, and piv-agent seems to have all needed building blocks: support for multiple connected devices and multiple slots in those devices as well.

When using SSH agent protocol as the composition layer in a project, the requirement to run the agent via launchd on macOS (or Linux, for that matter) is a real blocker - I'd like to run the agent only when needed on a socket I could specify, do what I need to via the socket, and kill the agent, and leave the setup and associated desktop environment integration for a default user agent a separate task.

Would be lovely if piv-agent supported this mode as well.

martinpaljak, Jan 05 '25 10:01

Sorry, socket activation is an integral part of piv-agent's operation and security model.

If your environment doesn't support socket activation you could write a wrapper for piv-agent to emulate the systemd or launchd protocols.

smlx, Jan 14 '25 08:01

What's the rationale, especially from security perspective?

martinpaljak, Jan 14 '25 08:01

Cached passphrases and PCSC transactions are dropped after a timeout period by exiting the process, which is the simplest and strongest guarantee of clearing sensitive data from memory.

smlx, Jan 14 '25 08:01

Automatically killing the agent after some time makes sense as a protection in certain use cases, but what I'd need would be to start up the agent on a given path, do what I need via that socket, and then kill the agent manually after I'm done.

I'd expect to have zero caching of secrets (PINs) and be able to either have exclusive access to the reader on PC/SC level or "operation-bound" transactions.

Based on prior experience I can only say that it is almost impossible to have a sane default that works for all cases when it comes to PCSC exclusive access and transactions, unless a very specific/opinionated use case is the only supported one.

martinpaljak, Jan 14 '25 08:01

> Automatically killing the agent after some time makes sense as a protection in certain use cases, but what I'd need would be to start up the agent on a given path, do what I need via that socket, and then kill the agent manually after I'm done.

It works this way already. The manual kill command would be systemctl --user stop piv-agent.

> I'd expect to have zero caching of secrets (PINs) and be able to either have exclusive access to the reader on PC/SC level or "operation-bound" transactions.
>
> Based on prior experience I can only say that it is almost impossible to have a sane default that works for all cases when it comes to PCSC exclusive access and transactions, unless a very specific/opinionated use case is the only supported one.

It is the latter, see this section of the README.

smlx, Jan 14 '25 11:01