goldwarden
SSH keys not working
Ok I created an ssh key. Added the public key to the known_hosts. Made the change in .bashrc from the wiki. But it fails to login.
It is connecting to the agent but nothing happens. Am I missing something?
Jan 18 06:39:25 Archie goldwarden[1229]: [INF] [06:39] [Goldwarden > SSH] >>> SSH Agent connection accepted
Jan 18 06:41:54 Archie goldwarden[1229]: [INF] [06:41] [Goldwarden > SSH] >>> SSH Agent connection from kgx>bash>ssh
Ok something else I noticed when I do goldwarden ssh list I get a reply but when I do ssh-add I get The Agent has no identities.
Thanks for the report. What's your $SSH_AUTH_SOCK set to? Which version are you running - flatpak or non-sandboxed?
What's the output of ssh-add -L and goldwarden ssh list (they should be the same)
$SSH_AUTH_SOCK=~/.goldwarden-ssh-agent.sock version 1.29 non-sandboxed. ssh-add -L shows nothing as said above and the ssh list shows the key.
Thanks for the info, could you also post the output of: goldwarden vault status (feel free to censor the number of login entries and note entries if you want to keep those private. just note if they are 0 or > 0)
I'm getting this too, on Arch KDE / Wayland. Using goldwarden from AUR so not sandboxed.
I've added a key so:
joe@jasper ~ % goldwarden ssh list
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF/rDeRGYI596Klz6CruHqXwHI8XIgPTOdEeaRXV85N9 jasper
But ssh-add -L gives me no identities:
joe@jasper ~ % SSH_AUTH_SOCK=~/.goldwarden-ssh-agent.sock ssh-add -L
The agent has no identities.
Output of status:
joe@jasper ~ % goldwarden vault status
{
"locked": false ,
"loginEntries": 163 ,
"noteEntries": 9 ,
"lastSynced": "2024-01-18 23:51:01 -0700 MST",
"websocketConnected": false ,
"pinSet": true ,
"loggedIn": true
}
Interesting. Could either of you try the build from here: https://github.com/quexten/goldwarden/actions/runs/7580732948 and post the daemon log? (You don't need to install the binary, just chmod it, run ./goldwarden daemonize and post the log. Make sure to censor any private data, should there be any (though usually this shouldn't be logged))
Here you go:
joe@jasper ~/Downloads % ./goldwarden_linux_x86_64 daemonize
[INF] [09:28] [Goldwarden > Keyring] >>> Creating new memguard keyring
[INF] [09:28] [Goldwarden > Agent] >>> Agent listening on /home/joe/.goldwarden.sock...
Blocking, press ctrl+c to continue...
[INF] [09:28] [Goldwarden > SSH] >>> SSH Agent listening on /home/joe/.goldwarden-ssh-agent.sock
[WRN] [09:28] [Goldwarden > Agent] >>> Could not monitor idle: The name is not activatable
[INF] [09:28] [Goldwarden > SSH] >>> SSH Agent connection from kitty>zsh>ssh-add by user joe
[INF] [09:28] [Goldwarden > SSH] >>> SSH Agent connection accepted
[INF] [09:28] [Goldwarden > SSH] >>> List Request
[INF] [09:28] [Goldwarden > Pinentry] >>> Asking for pin |Unlock Goldwarden|Enter the vault PIN|
[INF] [09:28] [Goldwarden > Pinentry] >>> Got pin from user
[INF] [09:28] [Goldwarden > Keyring] >>> Unlocking keyring with account key
[INF] [09:28] [Goldwarden > Auth] >>> Refreshing token
[INF] [09:28] [Goldwarden > Auth] >>> Refreshing using API Key
[INF] [09:28] [Goldwarden > Websocket] >>> Connected to websocket server...
[INF] [09:28] [Goldwarden > Auth] >>> Token refreshed
[INF] [09:28] [Goldwarden > Bitwarden API] >>> Performing full sync...
[INF] [09:28] [Goldwarden > Bitwarden API] >>> Sync successful, initializing keyring and vault...
[INF] [09:28] [Goldwarden > Bitwarden API] >>> Reading 1 org keys...
[INF] [09:28] [Goldwarden > Bitwarden API] >>> Initializing keyring from user symmetric key...
[INF] [09:28] [Goldwarden > Keyring] >>> Unlocking keyring with account key
[INF] [09:28] [Goldwarden > Bitwarden API] >>> Clearing vault...
[INF] [09:28] [Goldwarden > Bitwarden API] >>> Adding 199 ciphers to vault...
[WRN] [09:28] [Goldwarden > SSH] >>> List request key skipped - Could not parse key: ssh: private key unexpected length
So Could not parse key: ssh: private key unexpected length seems to be the ticket.
I'm okay sharing this key because it's one I've generated for this test, so not using it anywhere (but I have changed some random characters to invalidate it for good measure). It does seem....short.
-----BEGIN OPENSSH PRIVATE KEY-----
c3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAgAAAAMwAAAAtx
c2gtZWQyNTUxOQAAACBuNMtHZfdkV6IOcaIPd8w7AAAAAAAAAAAgAAAAAAAAAAAA
dHhDG5qCQxdaggAAAAtzc2gtZWQyNTUxOQgggCBuNMtHZfdkV6IOcNIPd8w7AAAA
AAAAAgAAAAAAAAAAAAAAADAwLgIBADAFBgMrZXAEIgQgKzX70n8tNT5yGnFulN31
1m40y0dl92RXog6w0g93zDsAAAAAAQIbBAU=
-----END OPENSSH PRIVATE KEY-----
So for fun, I cloned the note and replaced the contents with a real key:
joe@jasper ~ % SSH_AUTH_SOCK=~/.goldwarden-ssh-agent.sock ssh-add -L
ssh-rsa ... jasper - Clone
This did fail to be useful though:
joe@jasper ~ % SSH_AUTH_SOCK=~/.goldwarden-ssh-agent.sock ssh my.server.com
sign_and_send_pubkey: signing failed for RSA "/home/joe/.ssh/id_rsa" from agent: agent refused operation
<daemon output>
[INF] [09:37] [Goldwarden > SSH] >>> Sign Request for key: SHA256:HE1IYTNYads9NKDodHylonxx10kOMYNTCdka85z9I44
2024/01/19 09:37:52 agent 13: ssh: private key unexpected length
So even with a real key we're getting unexpected length. Whitespace in the note or something?
Thanks, that's already getting closer to uncovering why it's not working. Did you add the ssh key manually in another client as a secure note, or did you generate it via goldwarden ssh add?
I generated mine with goldwarden ssh add.
I am also getting this with a key I generated outside of the app and works when used outside goldwarden.
[INF] [19:25] [Goldwarden > SSH] >>> SSH Agent connection from kgx>bash>ssh by user todd
[INF] [19:25] [Goldwarden > SSH] >>> SSH Agent connection accepted
[INF] [19:25] [Goldwarden > SSH] >>> List Request
[WRN] [19:25] [Goldwarden > SSH] >>> List request key skipped - Could not parse key: ssh: private key unexpected length
Ah, actually I am able to reproduce this with a key I just generated. It seems like a regression in the generation code.
Most likely fixed on https://github.com/quexten/goldwarden/actions/runs/7592197322 . The bug was in the encoding of the generated keys. Make sure to delete the old securenote, and generate a new key.
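The thread above never spells out what the encoding bug was, only that a strict parser rejected the generated key with "private key unexpected length". The following is an added example (not goldwarden's or OpenSSH's code) that makes that failure reproducible offline: EncodeEd25519 lays out an unencrypted ed25519 key in the openssh-key-v1 container the way ssh-keygen does, with a privLen knob (illustrative, not a real option anywhere) that can write a 32-byte private field instead of the required 64-byte seed||public form; CheckEd25519 walks the container and reports the first structural problem, including that length check and a re-derivation of the public key from the seed. Assumptions: cipher "none" only (no passphrase), exactly one key per container, ed25519 only, and the comment "jasper" is arbitrary. The checker joins the base64 body ignoring all whitespace, so a key pasted with CRLF line endings or re-wrapped lines is parsed the same way.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

var magic = []byte("openssh-key-v1\x00") // container magic, NUL-terminated

// field returns s as an SSH wire "string": big-endian uint32 length, then the bytes.
func field(s []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(s)))
	return append(n[:], s...)
}

// next pops one wire string from *buf; on short input it empties buf and returns nil.
func next(buf *[]byte) []byte {
	b := *buf
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		*buf = nil
		return nil
	}
	n := binary.BigEndian.Uint32(b)
	*buf = b[4+n:]
	return b[4 : 4+n]
}

// EncodeEd25519 armors an unencrypted ed25519 key (cipher "none") like ssh-keygen. A correct key
// stores all 64 bytes (seed || public key) in the private field; privLen=32 is an illustrative
// knob that reproduces a mis-encoded field of the kind a strict parser rejects.
func EncodeEd25519(priv ed25519.PrivateKey, comment string, privLen int) string {
	pub := []byte(priv.Public().(ed25519.PublicKey))
	check := make([]byte, 4) // random "checkint", stored twice; a mismatch means corruption
	rand.Read(check)
	body := bytes.Join([][]byte{check, check, field([]byte("ssh-ed25519")), field(pub),
		field([]byte(priv)[:privLen]), field([]byte(comment))}, nil)
	for i := 1; len(body)%8 != 0; i++ {
		body = append(body, byte(i)) // padding 1,2,3,... up to the cipher block size
	}
	blob := bytes.Join([][]byte{magic, field([]byte("none")), field([]byte("none")), field(nil),
		{0, 0, 0, 1}, field(append(field([]byte("ssh-ed25519")), field(pub)...)), field(body)}, nil)
	b64 := base64.StdEncoding.EncodeToString(blob)
	var sb strings.Builder
	sb.WriteString("-----BEGIN OPENSSH PRIVATE KEY-----\n")
	for ; len(b64) > 70; b64 = b64[70:] {
		sb.WriteString(b64[:70] + "\n") // OpenSSH wraps the body at 70 columns
	}
	return sb.String() + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"
}

// CheckEd25519 parses an armored unencrypted ed25519 key and returns its comment, or the first
// structural problem. The 64-byte check corresponds to the "private key unexpected length" error.
func CheckEd25519(armored string) (string, error) {
	const begin, end = "-----BEGIN OPENSSH PRIVATE KEY-----", "-----END OPENSSH PRIVATE KEY-----"
	s := strings.TrimSpace(armored)
	if len(s) < len(begin)+len(end) || !strings.HasPrefix(s, begin) || !strings.HasSuffix(s, end) {
		return "", fmt.Errorf("not an armored OpenSSH private key")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(s[len(begin):len(s)-len(end)]), ""))
	if err != nil || !bytes.HasPrefix(raw, magic) {
		return "", fmt.Errorf("not a base64 openssh-key-v1 blob")
	}
	rest := raw[len(magic):]
	cipher, _, _ := next(&rest), next(&rest), next(&rest) // cipher, kdf name, kdf options
	if string(cipher) != "none" || len(rest) < 4 || binary.BigEndian.Uint32(rest) != 1 {
		return "", fmt.Errorf("cipher %q: only a single unencrypted key is handled here", cipher)
	}
	rest = rest[4:]
	pubBlob, body := next(&rest), next(&rest)
	ktype, pub := next(&pubBlob), next(&pubBlob)
	if len(rest) != 0 || string(ktype) != "ssh-ed25519" {
		return "", fmt.Errorf("trailing bytes, or key type %q not handled here", ktype)
	}
	if len(body) < 8 || !bytes.Equal(body[:4], body[4:8]) {
		return "", fmt.Errorf("check integers differ: corrupted key")
	}
	body = body[8:]
	btype, bpub, priv, comment := next(&body), next(&body), next(&body), next(&body)
	if !bytes.Equal(btype, ktype) || !bytes.Equal(bpub, pub) {
		return "", fmt.Errorf("private section disagrees with the public section")
	}
	if len(priv) != ed25519.PrivateKeySize {
		return "", fmt.Errorf("private key unexpected length: %d, want %d", len(priv), ed25519.PrivateKeySize)
	}
	// The field is seed || pub: re-derive from the seed and confirm both halves match.
	if d := ed25519.NewKeyFromSeed(priv[:32]); !bytes.Equal(d[32:], pub) || !bytes.Equal(priv[32:], pub) {
		return "", fmt.Errorf("private key does not correspond to the public key")
	}
	return string(comment), nil
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(CheckEd25519(EncodeEd25519(priv, "jasper", ed25519.SeedSize))) // 32-byte field: rejected
}
```

Run it against a key copied out of the secure note to see which check fails first; a key that passes all of them but is still refused by the agent points at the sign path rather than at the stored blob.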
Success!
joe@jasper ~/Downloads % ./goldwarden_linux_x86_64 ssh list
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl6MobzK40KlWzva2HvyIcMjK2imvbj+LYAUxm+mmHl jasper
joe@jasper ~/Downloads % SSH_AUTH_SOCK=~/.goldwarden-ssh-agent.sock ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl6MobzK40KlWzva2HvyIcMjK2imvbj+LYAUxm+mmHl jasper
Thanks so much!
Thanks for helping with testing! This change is included in 0.2.10.
Didn't fix for me. Installed version 0.2.10. Deleted the secure note and getting the same error.
Just to make sure, did you restart the daemon after updating? (I don't think the packages do that automatically at the moment)
My mistake I did goldwarden ssh add name xxxxxx instead of goldwarden ssh add --name xxxxx
It works after doing it correctly.
Is this problem back? For the 2nd day I am trying to set up goldwarden for the first time and getting only a bit closer. Using v0.3.2 flatpak.
> printenv | grep SSH
SSH_AUTH_SOCK=/home/me/.var/app/com.quexten.Goldwarden/data/ssh-auth-sock
> alias -p | grep goldwarden
alias goldwarden='flatpak run --command=/app/bin/goldwarden com.quexten.Goldwarden'
> ssh -v web@www
...
debug1: Offering public key: web@www ED25519 SHA256:w6K6k6y...I agent
debug1: Server accepts key: web@www ED25519 SHA256:w6K6k6y...I agent
sign_and_send_pubkey: signing failed for ED25519 "web@www" from agent: agent refused operation
...
For the above I generated a key using goldwarden ssh add (same version). I also tried adding my existing ssh-rsa key for the same server but this one is not even handled by agent (not listed in ssh -v but listed in goldwarden ssh list) - even though I copied all custom fields correctly - are only ed25519 supported?
I even tried goldwarden ssh add and replace public/private with my own key - but it seems bw does not support multiline text input? How do you guys add existing keys to BW so goldwarden can support them?
A bit of background: I really want to move from keepass to bitwarden, not just because I have a free linked family subscription but because it has better browser support and has cloud sync with other family members (collections).
And a rant: Why is the BW team so slow with introducing changes? Today instead of working I compiled the BW desktop client and changed Text to textarea just to test whether entering an SSH key without newlines would be a problem. Sure, it needs some style tweaking, but this is one of the top requested features and I feel the pain. @quexten you did a really nice SSH support PR and it just went over decision making because it was not perfect enough? Multiline text has been requested for years.
Sorry, I just needed to unload my inner anger, as I thought moving from keepass would be an improvement while in fact I replace the need to install plugins with the need to install an app plus a complementary app (made surely to counter BW development deficiencies), just to find out that it just won't work :(
I cannot comment on internal discussions/priorities. But one reason we have the feature here, but not in Bitwarden Desktop, is that this requires a lot more to be in official, production software (such as Bitwarden Desktop): a whole new item type (ssh keys), tooling to generate keys in the apps, an ssh-agent implementation for the desktop that is also security audited, import/export, testing.
I might bring this up again sometime, but not sure for a timeline on that. I would really like to see it in the official clients, but this is not that small of a feature to implement. (Until then, Goldwarden should work in most cases :) )
I've not tested RSA but I have gotten user reports of it working. Though, #132 is not yet implemented, so importing manually might lead to slightly different formatting, breaking things. Do keys generated through goldwarden ssh add work for you though? Is it just imported keys breaking?
Thank you for taking time to reply. Unfortunately generated keys do not work as well, only ed25519 keys show some trace in ssh -v, rsa are just ignored. I am unsure how to enable more logging in flatpak as goldwarden is the only app I have in flatpak (good reason of sandboxing). I am using Arch latest ssh, it works fine with keepass ssh agent but I am obviously switching socket to test goldwarden.