SSH private key check prevents use of Yubikey via gpg-agent
The validation of SSH keys currently prevents the use of an RSA key stored on a Yubikey for authentication. Yubikeys support the use of on-card OpenPGP, which can then be loaded into the ssh-agent emulation of gpg-agent. The triple-net of all this is that you can generate an SSH public key, but the private key never leaves the device.
When you specify override.ssh.private_key_path, vagrant-digitalocean expects to find a private key, but only the public key is on disk. The private key is available to the agent, but isn't on-disk. As a result, you get messages like:
```
SSH:
* `private_key_path` file must exist: ~/.ssh/id_rsa
```
and there's no way (as far as I can tell) to point the plugin just to the public key (e.g. ~/.ssh/id_rsa.pub) for upload, as that results in:
```
* `private_key_path` file must exist: ~/.ssh/id_rsa.pub.pub
```
It would be nice if there was a way to specify the public key to upload, and to rely on ssh-agent for loading the private keys.
I would also love to see support for loading private keys from an agent. I also think support for uploading a public key should be optional, provided ssh_key_name refers to a public key already stored in your DO account.
@seth-reeser You tagged this issue with "more information needed." What additional information do you need?
Found this thread while searching for a solution to the same problem, thought I'd leave my workaround here in case someone else still needs it:
I use a Yubikey and have the public key from ssh-add -L in ~/ssh/yubikey.pub.
ssh.private_key_path points to this file.
Simply copying ~/ssh/yubikey.pub to ~/ssh/yubikey.pub.pub makes the plugin happy and allows gpg-agent to supply the private key when needed.
@seth-reeser If this helps the "more information needed" request (and this isn't limited to Yubikeys): once a private key has been entered into an ssh agent, one usually erases the private key file from the filesystem to keep it protected within the agent system. When ssh needs to know which identity to use, we point it to a file that contains the output of "ssh-add -L" for that key -- this output is the public ssh key for the private key(s) it contains. Using the SSH_AUTH_SOCK environment variable, ssh then talks with the agent to ask it if it has the private key for that public key and, upon success, passes off the 'sign_and_send_pubkey' step to the agent. (The agent then passes that off to the Yubikey if that's part of the picture here.)
Ideally, it would be "nice to have" vagrant rely on ssh to use its default ~/.ssh/config file to provide the appropriate identity and just attempt to ssh as "vagrant" without explicitly needing to provide any identity information at all.
This is all we'd need in the config file to make vagrant work everywhere:
```
Host *
    IdentitiesOnly yes
    IdentityFile ~/.ssh/yubikey.pub
```
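The matching step described in the comment above, that is, how ssh decides whether the agent holds the private key for an IdentityFile that contains only the public key, as an added example (not code from this thread or from vagrant-digitalocean): it parses `ssh-add -L` style lines and a `.pub` file, matches on the decoded key blob rather than on comment or filename, and reports the SHA256 fingerprint. The sample keys and the `cardno:` comment are constructed for illustration.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    # SSH wire string: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    # Positive mpint: minimal big-endian bytes, plus a leading 0x00 if the high bit is set.
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def rsa_public_blob(e: int, n: int) -> bytes:
    # The base64 field of an "ssh-rsa" line decodes to: string "ssh-rsa", mpint e, mpint n.
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def parse_pubkey_line(line: str):
    # Split one OpenSSH public key line into (key type, decoded blob, comment).
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line: %r" % line)
    blob = base64.b64decode(parts[1], validate=True)
    if not blob.startswith(ssh_string(parts[0].encode())):
        raise ValueError("key type %s does not match the blob" % parts[0])
    return parts[0], blob, (parts[2] if len(parts) == 3 else "")

def fingerprint(blob: bytes) -> str:
    # Same format as `ssh-keygen -lf`: SHA256 of the blob, base64 without '=' padding.
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def agent_holds_identity(agent_listing: str, identity_file: str):
    # Return the fingerprint if the key in identity_file (a .pub) is offered by the agent, else
    # None. ssh matches on the blob alone: comment ("cardno:...") and filename play no part.
    _, wanted, _ = parse_pubkey_line(identity_file)
    for line in agent_listing.splitlines():
        if not line.strip() or line.startswith("The agent has no identities"):
            continue
        _, blob, _ = parse_pubkey_line(line)
        if blob == wanted:
            return fingerprint(blob)
    return None

# Constructed sample data (toy moduli, not real keys): an agent listing as `ssh-add -L`
# would print it for a card key, the same key saved as ~/.ssh/yubikey.pub under another
# comment, and an unrelated key that the agent does not hold.
CARD_BLOB = rsa_public_blob(65537, 0xC0FFEE0DDEADBEEF0123456789ABCDEF)
AGENT_LISTING = "ssh-rsa %s cardno:000000000001\n" % base64.b64encode(CARD_BLOB).decode()
YUBIKEY_PUB = "ssh-rsa %s me@laptop\n" % base64.b64encode(CARD_BLOB).decode()
OTHER_PUB = "ssh-rsa %s other@host\n" % base64.b64encode(rsa_public_blob(65537, 0xD00DCAFE)).decode()
```

Feed `agent_holds_identity` the real output of `ssh-add -L` and the contents of the `.pub` named in `IdentityFile` to confirm the agent can answer for that identity before blaming the plugin.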