nassh: support ssh-agent forwarding for local imported keys
Issue description

We support ssh-agents that are other extensions, but there's no way currently to handle local keys that have been imported into Secure Shell itself. We should have a stub agent in nassh itself that handles the local keys. People can turn it on by passing a plain --ssh-agent option.
Sep 3 2017
The following revision refers to this bug:
https://chromium.googlesource.com/apps/libapps/+/1f0801d6008f91c456be8bfa5daba524be317bf9

commit 1f0801d6008f91c456be8bfa5daba524be317bf9
Author: Fabian Henneke <fabian@henneke.me>
Date: Sun Sep 03 23:30:47 2017

nassh: Implement an extensible SSH agent

The Agent class takes requests from the SSH client and passes them on to a set of dynamically registered backends. The responses from the backends are aggregated and reported back to the client. In the connection dialog, the user can choose the backends used by Agent by providing a list of backend IDs separated by commas as the value of the --ssh-agent relay option.

So far, only the requests SSH_AGENTC_REQUEST_IDENTITIES and SSH_AGENTC_SIGN_REQUEST are supported, together with their respective responses.

This change is backwards-compatible: If the value of --ssh-agent is just an extension ID, the old SSHAgentRelay is used instead of the new SSHAgent.

The implementation introduces the following new classes:
* nassh.agent.Agent: Initializes the backends, relays the requests to them and bundles up the responses.
* nassh.agent.Agent.UserIO: Provides backends with uniform access to terminal IO.
* nassh.agent.Backend: A minimal implementation of a backend which all other backends should derive from. It provides a backend under the ID 'stub' which can be used for testing purposes.
* nassh.agent.Message: Parses and writes messages used in the SSH agent protocol.
* nassh.Stream.SSHAgent: Inherits from nassh.Stream and relays raw SSH agent requests to the Agent class.

BUG=chromium:712699
Change-Id: I0a4dfc6681839518f98d9ed461479fd5a461d6bd
Reviewed-on: https://chromium-review.googlesource.com/550115
Tested-by: Fabian Henneke <fabian.henneke@gmail.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/doc/hack.md
[modify] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/html/nassh_test.html
[modify] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/libdot/js/lib_polyfill.js
[modify] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/html/nassh.html
[modify] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/js/nassh_stream.js
[add] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/js/nassh_agent_message_types_tests.js
[modify] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/doc/AUTHORS.md
[add] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/js/nassh_agent_message_tests.js
[add] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/js/nassh_agent_backend.js
[modify] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/js/nassh_command_instance.js
[add] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/js/nassh_stream_sshagent.js
[modify] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/manifest.json
[modify] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/doc/options.md
[add] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/js/nassh_agent_message_types.js
[add] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/js/nassh_agent_message.js
[add] https://crrev.com/1f0801d6008f91c456be8bfa5daba524be317bf9/nassh/js/nassh_agent.js
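
The request path described in the commit message above (parse a framed agent request, pass it to each registered backend, bundle the identities into one response), as an added example that is not nassh's own code. The message numbers are those of the SSH agent protocol; all function names, the backend object shape (`requestIdentities()` returning `{keyBlob, comment}` entries) and the choice to treat a failing backend as contributing no keys are assumptions of this example, and only SSH_AGENTC_REQUEST_IDENTITIES is handled.

```javascript
// Added example, not nassh code. Message numbers come from the SSH agent
// protocol; every function and backend name below is hypothetical.
const SSH_AGENT_FAILURE = 5;
const SSH_AGENTC_REQUEST_IDENTITIES = 11;
const SSH_AGENT_IDENTITIES_ANSWER = 12;

function concat(parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}

// uint32 in network byte order.
function uint32(n) {
  const out = new Uint8Array(4);
  new DataView(out.buffer).setUint32(0, n);
  return out;
}

// SSH "string": uint32 length followed by the raw bytes.
const sshString = (bytes) => concat([uint32(bytes.length), bytes]);

// Agent frame: uint32 length of (type byte + payload), then type and payload.
const frame = (type, payload = new Uint8Array(0)) =>
    sshString(concat([Uint8Array.of(type), payload]));

// Parse one framed request; null when the length field disagrees with the data.
function parseRequest(raw) {
  if (raw.length < 5) return null;
  const len = new DataView(raw.buffer, raw.byteOffset, raw.byteLength).getUint32(0);
  return len === raw.length - 4 ? {type: raw[4], payload: raw.subarray(5)} : null;
}

// Query every backend and bundle the identities into one answer. A backend that
// throws or rejects contributes no keys (a choice made for this example).
async function handleRequest(raw, backends) {
  const req = parseRequest(raw);
  if (!req || req.type !== SSH_AGENTC_REQUEST_IDENTITIES) {
    return frame(SSH_AGENT_FAILURE);  // malformed or unsupported request
  }
  const lists = await Promise.all(backends.map((b) =>
      Promise.resolve().then(() => b.requestIdentities()).catch(() => [])));
  const enc = new TextEncoder();
  const ids = lists.flat();
  const body = ids.flatMap(
      (id) => [sshString(id.keyBlob), sshString(enc.encode(id.comment))]);
  return frame(SSH_AGENT_IDENTITIES_ANSWER, concat([uint32(ids.length), ...body]));
}
```

Calling `handleRequest(frame(SSH_AGENTC_REQUEST_IDENTITIES), backends)` with one working and one failing backend yields a single identities answer holding only the working backend's keys; a frame whose length field does not match its data is answered with SSH_AGENT_FAILURE.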
Sep 3 2017
The following revision refers to this bug:
https://chromium.googlesource.com/apps/libapps/+/f1fccf1ba6a15270518f1672d23ff38365c350c2

commit f1fccf1ba6a15270518f1672d23ff38365c350c2
Author: Fabian Henneke <fabian@henneke.me>
Date: Sun Sep 03 23:31:03 2017

nassh: Add Smart Card Connector library as a dependency

Add the 1.2.10.0 release of the Google Smart Card Connector client library as a dependency.

The current release of the library is available at https://github.com/GoogleChrome/chromeos_smart_card_connector/releases

BUG=chromium:712699
Change-Id: I8913d56413d7d77b2d5d00f57ccaad55f30ee952
Reviewed-on: https://chromium-review.googlesource.com/550117
Tested-by: Fabian Henneke <fabian.henneke@gmail.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/f1fccf1ba6a15270518f1672d23ff38365c350c2/nassh/manifest.json
[add] https://crrev.com/f1fccf1ba6a15270518f1672d23ff38365c350c2/nassh/third_party/google-smart-card/README.md
[modify] https://crrev.com/f1fccf1ba6a15270518f1672d23ff38365c350c2/nassh/html/nassh.html
[add] https://crrev.com/f1fccf1ba6a15270518f1672d23ff38365c350c2/nassh/third_party/google-smart-card/download-google-smart-card-client-library.py
[add] https://crrev.com/f1fccf1ba6a15270518f1672d23ff38365c350c2/nassh/third_party/google-smart-card/LICENSE.md
[add] https://crrev.com/f1fccf1ba6a15270518f1672d23ff38365c350c2/nassh/third_party/google-smart-card/METADATA
[add] https://crrev.com/f1fccf1ba6a15270518f1672d23ff38365c350c2/nassh/third_party/google-smart-card/google-smart-card-client-library.js
[modify] https://crrev.com/f1fccf1ba6a15270518f1672d23ff38365c350c2/libdot/bin/mkzip.sh
Sep 3 2017
The following revision refers to this bug:
https://chromium.googlesource.com/apps/libapps/+/c0506d92c455270e65de7a7142b887668a4e1e0c

commit c0506d92c455270e65de7a7142b887668a4e1e0c
Author: Fabian Henneke <fabian@henneke.me>
Date: Sun Sep 03 23:31:15 2017

nassh: Add an agent backend for smart card keys

Implements a 'gsc' backend for the SSH agent introduced in the previous commit. This backend enables the use of private keys stored on OpenPGP-enabled smart cards for SSH authentication. It relies on the Google Smart Card Connector client library to communicate with the Smart Card Connector app (khpfeaanjngmcnplbdlpegiifgpfgdco), which offers an NaCl port of PCSC-Lite and works with many popular smart cards.

So far, only the requests SSH_AGENTC_REQUEST_IDENTITIES and SSH_AGENTC_SIGN_REQUEST are supported, together with their respective responses. When asked for SSH identities, the backend will read the authentication subkeys from all connected smart card readers.

The backend only supports the OpenPGP applet and thus only identities of 'ssh-rsa' type. Support for the PIV applet and ECC identities can be added with only minor changes to the overall structure.

The implementation introduces the following new classes:
* nassh.agent.backends.GSC: Implementation of the interface nassh.agent.Backend which provides SSH identities stored on smart cards.
* nassh.agent.backends.GSC.CommandAPDU: Represents command APDUs used in smart card communication.
* nassh.agent.backends.GSC.DataObject: Represents a data object stored on a smart card.
* nassh.agent.backends.GSC.SmartCardManager: Manages the lifecycle of a connection to a smart card reader and provides convenience functions for the command APDUs used in the SSH authentication scheme.
* nassh.agent.backends.GSC.StatusBytes: Represents status bytes returned by smart cards.

BUG=chromium:712699
Change-Id: I1a650141a7047e7973d4702df185ea5f55592300
Reviewed-on: https://chromium-review.googlesource.com/550116
Tested-by: Fabian Henneke <fabian.henneke@gmail.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/c0506d92c455270e65de7a7142b887668a4e1e0c/nassh/doc/hack.md
[modify] https://crrev.com/c0506d92c455270e65de7a7142b887668a4e1e0c/nassh/manifest.json
[modify] https://crrev.com/c0506d92c455270e65de7a7142b887668a4e1e0c/nassh/doc/options.md
[modify] https://crrev.com/c0506d92c455270e65de7a7142b887668a4e1e0c/nassh/html/nassh.html
[add] https://crrev.com/c0506d92c455270e65de7a7142b887668a4e1e0c/nassh/js/nassh_agent_backend_gsc.js
Sep 4
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by bugdroid1@chromium.org, Aug 24 2017