
Support for Kryptonite ssh keys

Open drcongo opened this issue 5 years ago • 5 comments

Hello. I'm very interested in this project as I'd love to replace all our infrastructure DSL stuff with Python that I can reason about and debug. However I think I hit an issue at the first hurdle - my personal ssh key is stored in Kryptonite, which means that in my ~/.ssh/config I have a section like this...

# Added by Krypton
Host *
	IdentityAgent ~/.kr/krd-agent.sock
	ProxyCommand /usr/local/bin/krssh %h %p
	IdentityFile ~/.ssh/id_krypton
	IdentityFile ~/.ssh/id_ed25519
	IdentityFile ~/.ssh/id_rsa
	IdentityFile ~/.ssh/id_ecdsa
	IdentityFile ~/.ssh/id_dsa

This section forwards ssh key requests to a local process, which then requests authorisation from my iPhone. When I try the getting started demo from the docs (inventory and deploy files) I get this...

    Attempting to work in a virtualenv.
    If you encounter problems, please install pyinfra inside the virtualenv.

--> Loading config...
--> Loading inventory...

--> Connecting to hosts...
    [MY.SERVER.IP.ADDRESS] Could not connect ([Errno 2] No such file or directory: '/Users/myuser/.ssh/id_krypton')
--> pyinfra error: No hosts remaining!

So it looks like it's not following the ProxyCommand in ~/.ssh/config.

drcongo avatar Jun 11 '20 14:06 drcongo

Hmm - so the ProxyCommand should be being followed (implemented here). I think the issue is pyinfra is trying to load up the first IdentityFile - does ~/.ssh/id_krypton exist on disk? Commenting out the identity file lines will confirm as it should at least connect.

Fizzadar avatar Jun 11 '20 14:06 Fizzadar

~/.ssh/id_krypton doesn't exist on disk, only on my phone. The public key exists in ~/.ssh/ but not the private.

I realise this is very niche though, so don't worry too much about it. If I find some time I might have a go at fixing it myself.

drcongo avatar Jun 11 '20 15:06 drcongo

I've done some digging on this now. As far as I can tell it's the IdentityAgent that's getting ignored. The ProxyCommand does seem to be doing what it's supposed to, but because the IdentityAgent is never queried the ProxyCommand doesn't know how to authenticate.

I've been trying to get a connection directly in Paramiko but failing there too, so this might be an upstream issue.

drcongo avatar Jun 12 '20 10:06 drcongo

Looking at Paramiko's code it does offer a bunch of agent classes (http://docs.paramiko.org/en/stable/api/agent.html). Need to investigate further but it looks like something in there might enable using IdentityAgent.

Fizzadar avatar Jun 12 '20 15:06 Fizzadar
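The two checks suggested in this thread (does the first IdentityFile actually exist on disk, and can the IdentityAgent socket be handed to an agent client) can be scripted without touching the server. The script below is an added example, not pyinfra's or Paramiko's code: it is a small stdlib-only ssh_config parser (whitespace-separated `Key value` lines, `Host` blocks, ssh's first-match-wins rule with IdentityFile accumulating) that resolves the options for a host, expands `~`, `%h` and `%p`, and reports which IdentityFile paths are missing and whether the IdentityAgent socket is present. The sample config is constructed to mirror the Krypton block from the issue; the function names are hypothetical. The `agent_environment` helper assumes the IdentityAgent socket speaks the ssh-agent protocol (that is what the option is for) and that the agent client reads `SSH_AUTH_SOCK`, which is what Paramiko's `Agent` class does.

```python
import os
from fnmatch import fnmatchcase

# Constructed sample mirroring the Krypton-style block from the issue (not a real user's config).
SAMPLE_CONFIG = """\
# Added by Krypton
Host *
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton
    IdentityFile ~/.ssh/id_ed25519
"""


def parse_ssh_config(text):
    """Parse ssh_config text into an ordered list of (host_patterns, options).

    Only whitespace-separated 'Key value' lines are handled. Keys are lower-cased;
    IdentityFile may repeat, so it is kept as a list. Options that appear before
    any Host line are treated as a 'Host *' block, as ssh does.
    """
    options = {}
    blocks = [(["*"], options)]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            options = {}
            blocks.append((value.split(), options))
        elif key == "identityfile":
            options.setdefault("identityfile", []).append(value)
        else:
            options[key] = value
    return blocks


def lookup(blocks, hostname, port=22):
    """Resolve the effective options for hostname.

    ssh semantics: the first block that sets a key wins, except IdentityFile,
    which accumulates across every matching block. '!pattern' excludes a host.
    """
    resolved = {}
    for patterns, options in blocks:
        negated = [p[1:] for p in patterns if p.startswith("!")]
        positive = [p for p in patterns if not p.startswith("!")]
        if any(fnmatchcase(hostname, p) for p in negated):
            continue
        if not any(fnmatchcase(hostname, p) for p in positive):
            continue
        for key, value in options.items():
            if key == "identityfile":
                resolved.setdefault("identityfile", []).extend(value)
            else:
                resolved.setdefault(key, value)
    # Expand what ssh itself would expand before using the values.
    if "identityagent" in resolved:
        resolved["identityagent"] = os.path.expanduser(resolved["identityagent"])
    resolved["identityfile"] = [os.path.expanduser(p) for p in resolved.get("identityfile", [])]
    if "proxycommand" in resolved:
        cmd = resolved["proxycommand"].replace("%%", "\x00")
        cmd = cmd.replace("%h", hostname).replace("%p", str(port))
        resolved["proxycommand"] = cmd.replace("\x00", "%")
    return resolved


def check_identities(config_text, hostname, exists=os.path.exists):
    """Report what a client that loads IdentityFile entries from disk would run into.

    `exists` is injectable so the check can be run against a constructed layout.
    """
    opts = lookup(parse_ssh_config(config_text), hostname)
    files = opts["identityfile"]
    missing = [p for p in files if not exists(p)]
    agent = opts.get("identityagent")
    return {
        "proxycommand": opts.get("proxycommand"),
        "identity_agent": agent,
        "identity_agent_present": bool(agent) and exists(agent),
        "identity_files_present": [p for p in files if exists(p)],
        "identity_files_missing": missing,
        # The error in the issue: the very first IdentityFile is opened and is absent.
        "first_file_loaded_would_fail": bool(missing) and files[0] in missing,
    }


def agent_environment(config_text, hostname):
    """Environment override pointing an ssh-agent client at the IdentityAgent socket.

    Assumption: the socket speaks the ssh-agent protocol and the client (e.g.
    Paramiko's Agent) locates its agent via SSH_AUTH_SOCK.
    """
    opts = lookup(parse_ssh_config(config_text), hostname)
    if "identityagent" not in opts:
        return {}
    return {"SSH_AUTH_SOCK": opts["identityagent"]}


if __name__ == "__main__":
    report = check_identities(SAMPLE_CONFIG, "MY.SERVER.IP.ADDRESS")
    for key, value in report.items():
        print(f"{key}: {value}")
    print(agent_environment(SAMPLE_CONFIG, "MY.SERVER.IP.ADDRESS"))
```

Run against a real `~/.ssh/config` by passing `open(os.path.expanduser("~/.ssh/config")).read()`: a `first_file_loaded_would_fail` of `True` reproduces the `[Errno 2]` failure above without any network access, and `identity_agent_present` tells you whether the agent socket is there to be used once the client is pointed at it.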

Seems like paramiko currently does not support IdentityAgent, see https://github.com/paramiko/paramiko/issues/2315

JokerQyou avatar Dec 19 '23 14:12 JokerQyou