pijul_org / pijul

#304 yubikey and ssh-agent

Opened by mkm, on September 5, 2018
Closed
mkm commented on September 5, 2018

Pijul can handle password-protected keys, but cannot talk to the OpenSSH key agent (essentially because of diverging views about cryptography).

I have a hardware token that contains my private key and it performs the actual signing only when I touch the token with my finger.

The ssh binary interfaces with this hardware token through the ssh-agent protocol (implemented by gpg-agent fwiw).

Could you elaborate on what the diverging views about cryptography are?

From what I can see, with pijul I'd end up using a less secure mechanism (storing my key, albeit encrypted, in a place where it can be copied at will) instead of storing it in a place that ensures that if I want to use that key from a different computer I literally have to use another key (this is a good way to enforce that our coworkers are not accidentally putting copies of their keys at random places).

pmeunier commented on September 5, 2018

Pijul can actually talk to an OpenSSH agent now, where does that sentence come from? We used pretty strict standards of cryptography in the past, but this is "solved" now :-)

More precisely, Thrussh was using an amazing project called *ring*, which aims at rustyfying as much code as possible from BoringSSL. This turned out to be way too strict for us, as most of our users wouldn't understand why we were not supporting their SSH keys generated fifteen years ago with "good old cryptography".

I acknowledged that mistake in our vision a few months ago, and switched to OpenSSL, which does support pretty old standards. On Linux, Pijul was linking to OpenSSL anyway, for other purposes. The fact that Libpijul now depends on OpenSSL as well is certainly a concern (both in terms of security and of ease of use).

mkm commented on September 5, 2018

> where does that sentence come from?

https://pijul.org/manual/the_nest/public_keys.html

I only read about that because `pijul push mkm@nest.pijul.com:mytest --set-remote nest` didn't work for me (it asked me for a password) and it appears to not even try to talk to the agent (didn't debug deeply, just noticed the hardware token didn't blink).

I'm running pijul 0.10.0

pmeunier commented on September 27, 2018

I've just published new versions of Thrussh and Thrussh-keys. Pijul 0.11 will incorporate those changes, and I'd like to release it today.

Please reopen after testing again, I'd love to see this issue solved.
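
For anyone retesting, the following is an added example (not part of the original thread, and not Pijul or Thrussh code) that speaks the ssh-agent protocol directly: it sends `SSH_AGENTC_REQUEST_IDENTITIES` to the socket in `SSH_AUTH_SOCK` and lists the keys the agent offers, which separates "the agent exposes no key" from "the client never contacted the agent". The function names and the reply size limit are assumptions of this example; listing identities only returns public keys, so a touch-to-sign token is not expected to blink here.

```python
import os
import socket
import struct

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
MAX_REPLY = 256 * 1024  # assumed sanity limit on the reply frame size

def read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def parse_identities(payload):
    """Parse an agent reply body (frame length already stripped) into (key type, comment) pairs."""
    if len(payload) < 5 or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        kind = "SSH_AGENT_FAILURE" if payload[:1] == bytes([SSH_AGENT_FAILURE]) else "unexpected reply"
        raise ValueError(f"agent did not return identities: {kind}")
    (count,) = struct.unpack_from(">I", payload, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(payload, off)     # public key blob
        comment, off = read_string(payload, off)  # free-form comment
        key_type, _ = read_string(blob, 0)        # blob starts with the algorithm name
        keys.append((key_type.decode("ascii", "replace"), comment.decode("utf-8", "replace")))
    return keys

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        data += chunk
    return data

def list_agent_identities(sock_path=None):
    """Ask the agent at sock_path (default: $SSH_AUTH_SOCK) for its identities."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(sock_path or os.environ["SSH_AUTH_SOCK"])
        s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
        (length,) = struct.unpack(">I", recv_exact(s, 4))
        if length > MAX_REPLY:
            raise ValueError("reply frame too large")
        return parse_identities(recv_exact(s, length))

if __name__ == "__main__":
    for key_type, comment in list_agent_identities():
        print(key_type, comment)
```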