
Support for ssh-keys with passphrases

Open bbigras opened this issue 5 years ago • 11 comments

If I run `agenix -e secret1.age` and hit CTRL+C when it's asking for my passphrase, then if I try to type stuff in my prompt, I don't see what I type.

[bbigras@desktop:~/nix-config]$ agenix -e secret1.age
Type passphrase for OpenSSH key '/home/bbigras/.ssh/id_ed25519':

Maybe it's a problem with the askpass thing or whatever.

[screen recording: Peek 18-12-2020 14-54]

Feel free to rename the issue's title.

bbigras, Dec 18 '20 19:12
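The symptom in the post above (typed text invisible after CTRL+C) is the classic result of a program clearing the terminal's ECHO flag to read a passphrase and exiting before it restores the flag; `stty sane` puts the terminal back. As an added example, not agenix or rage code, this Python prompt shows the defensive pattern: the saved termios settings are restored in a `finally` block, so an interrupt cannot leave echo off. The `fake_terminal` helper constructs a pseudo-terminal with pre-typed input so the example runs without a real tty.

```python
"""Passphrase prompt that restores the terminal on every exit path."""
import contextlib
import os
import pty
import termios


@contextlib.contextmanager
def echo_disabled(fd: int):
    """Clear the ECHO flag on fd; the finally clause puts the saved settings
    back whether the block returns, raises, or is hit by KeyboardInterrupt."""
    saved = termios.tcgetattr(fd)
    quiet = list(saved)
    quiet[3] &= ~termios.ECHO          # index 3 is the lflag word
    termios.tcsetattr(fd, termios.TCSANOW, quiet)
    try:
        yield
    finally:
        termios.tcsetattr(fd, termios.TCSANOW, saved)


def echo_is_on(fd: int) -> bool:
    return bool(termios.tcgetattr(fd)[3] & termios.ECHO)


def read_passphrase(prompt: str, fd: int) -> str:
    """Write the prompt to fd, read one line with echo off, return it without the newline."""
    os.write(fd, prompt.encode())
    with echo_disabled(fd):
        data = b""
        while not data.endswith(b"\n"):
            chunk = os.read(fd, 256)
            if not chunk:
                break
            data += chunk
    os.write(fd, b"\n")                 # the user's Enter was not echoed
    return data.rstrip(b"\r\n").decode()


def interrupted_prompt(fd: int) -> bool:
    """Simulate CTRL+C arriving mid-prompt; report whether echo came back."""
    try:
        with echo_disabled(fd):
            raise KeyboardInterrupt      # what CTRL+C raises in Python
    except KeyboardInterrupt:
        pass
    return echo_is_on(fd)


def fake_terminal(typed: str) -> int:
    """Constructed input: a pseudo-terminal whose input queue already holds `typed`."""
    master, slave = pty.openpty()
    os.write(master, typed.encode() + b"\n")
    return slave
```

Without the `finally`, `interrupted_prompt` would return False and the next shell prompt would behave exactly as described in the post.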

That's cool that asking for your password is working at all! In my past experience it doesn't work at all. I guess Rage has support for it. This may be an upstream bug with Rage; I have to look into it more.

ryantm, Dec 18 '20 20:12

Post about why SSH key passwords might not be so useful: https://groups.google.com/g/age-dev/c/Xe6zW4haGx8/m/m_jYh7YTAgAJ

ryantm, Dec 18 '20 20:12

> That's cool that asking for your password is working at all! In my past experience it doesn't work at all. I guess Rage has support for it. This may be an upstream bug with Rage; I have to look into it more.

One weird thing is that it doesn't work on the first try. Maybe it's trying to decrypt every key or something. I was using 2 for my test.

> Post about why SSH key passwords might not be so useful

I'm not sure passphrase-protected ssh keys will stop being the norm anytime soon.

bbigras, Dec 18 '20 23:12

Oh, I'm remembering better now. It wasn't that it doesn't support asking for the password; the problem is it doesn't support the ssh-agent, so it asks for the password EVERY time. So, say you rekey 20 secrets, it asks you for the password 20 times.

ryantm, Dec 18 '20 23:12

I added a notice warning people about password-protected ssh keys not working well: https://github.com/ryantm/agenix#notices

> Password-protected ssh keys: since the underlying tools age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.

ryantm, Dec 18 '20 23:12

I confirmed that I have the same problem with echoing mentioned in the top post.

ryantm, Dec 19 '20 03:12

> the problem is it doesn't support the ssh-agent, so it asks for the password EVERY time

Status for discoverability: rage has a plugin interface but ssh-agent doesn't expose the raw key, so an age-aware agent would need to be written (or existing agent extended) https://github.com/str4d/rage/issues/160#issuecomment-757459072

edrex, Apr 05 '21 19:04

I can confirm that the repeated asking for the password of your ssh key comes from rage and is not a problem with nixage. You can switch to the original age implementation, which doesn't suffer from this issue: https://github.com/ryantm/agenix#overriding-age-binary

You will still get asked for the password for every operation on age files, but at least only once. So if you only want to edit one single file you only get asked once, which is fine.

For rekeying this is still annoying, but at least it works correctly. Teaching age how to use the ssh agent for key retrieval would be a nice feature, but it has to be requested with the age or rage project and not with nixage, I guess.

XenGi, Nov 29 '23 14:11