Feature request: Support host-side .ssh config file and agent authentication #7

Open
matthijskooijman opened this issue Jul 5, 2023 · 3 comments

@matthijskooijman
Contributor

We have a number of different Verdin dev boards available for testing, so I added some aliases for them to my ~/.ssh/config file, also presetting the username:

Host my-verdin
        Hostname verdin-imx8mp-14773670.lan
        User torizon

I also set up key authentication by putting my SSH public key in the ~/.ssh/authorized_keys file (using the ssh-copy-id tool), to prevent having to type the password. With that, I can just run:

ssh my-verdin

and get logged in.

So then I tried:

torizoncore-builder deploy --remote-host my-verdin

And was a bit disappointed that that did not work ;-)

That was a while ago - I have since learned that the real torizoncore-builder script runs inside docker and uses paramiko instead of OpenSSH. Both of which seem sensible choices to me, but complicate this feature request a bit.

Still, I would think that supporting SSH configs is convenient, and supporting agent auth is more secure (since passwords on the commandline can be leaked to other users).

To implement this, I think a few things are needed:

  • Using a volume/bindmount to get ~/.ssh/config and /run/user/1000/keyring/ssh (or whatever is in $SSH_AUTH_SOCK) into the container. This needs changes in tcb-env-setup.sh I think.
  • Using paramiko.config.SSHConfig to load ~/.ssh/config and pass the --remote-host value through its lookup() method.
  • Using paramiko.agent.Agent to connect to the agent and handle auth using it (I haven't looked in detail at how that would work).

Is this something you would consider implementing?
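
The three steps listed in the comment above, sketched as an added example (not code from torizoncore-builder or from either commenter). The function names are hypothetical, and it assumes ~/.ssh/config, ~/.ssh/known_hosts and the socket named by $SSH_AUTH_SOCK have been bind-mounted into the container:

```python
import io
import os
from pathlib import Path

# Constructed sample, mirroring the alias from the issue.
SAMPLE_CONFIG = """\
Host my-verdin
    Hostname verdin-imx8mp-14773670.lan
    User torizon
"""

def connect_kwargs(entry):
    """Map an SSHConfig.lookup() result to SSHClient.connect() keyword arguments."""
    kwargs = {
        "hostname": entry["hostname"],       # lookup() falls back to the alias itself
        "port": int(entry.get("port", 22)),
        "username": entry.get("user"),       # None lets paramiko use the local user name
        "allow_agent": True,                 # authenticate with keys held by the agent
        "look_for_keys": False,              # assumption: no key files inside the container
    }
    if "identityfile" in entry:              # lookup() returns IdentityFile as a list
        kwargs["key_filename"] = [os.path.expanduser(p) for p in entry["identityfile"]]
    return kwargs

def resolve_host(alias, config_text):
    """Resolve a --remote-host value through OpenSSH-style config text."""
    import paramiko  # lazy import: the other helpers work without it
    config = paramiko.SSHConfig()
    config.parse(io.StringIO(config_text))
    return connect_kwargs(config.lookup(alias))

def agent_socket(env=os.environ):
    """Return the agent socket path, failing early if it was not bind-mounted."""
    path = env.get("SSH_AUTH_SOCK")
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is not set; pass it into the container")
    if not Path(path).is_socket():
        raise RuntimeError(f"{path} is not a socket; is the bind mount missing?")
    return path

def connect(alias, config_path="~/.ssh/config"):
    """Open an SSH session to alias using agent auth and known_hosts checking."""
    import paramiko
    agent_socket()
    kwargs = resolve_host(alias, Path(config_path).expanduser().read_text())
    client = paramiko.SSHClient()
    client.load_system_host_keys()  # unknown host keys are rejected (default RejectPolicy)
    client.connect(**kwargs)
    return client
```

Keeping paramiko's default RejectPolicy means a board whose key is not in the mounted known_hosts file is refused rather than silently trusted.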

@leograba
Member

Hi @matthijskooijman,

Authentication using a certificate instead of a password has been in our backlog for a while. It has been most requested so the VS Code extension configuration can use it.

Accepting the SSH config from the host system is a new request. I'll capture it in our backlog.

It will most likely take a while to be implemented on our side. If you feel like sending a PR, we will be glad to review it on a shorter timeline - though I understand that you have already had a look at the code, and perhaps would not be able to do it.

@matthijskooijman
Contributor Author

> Accepting the SSH config from the host system is a new request. I'll capture it in our backlog.

Thanks!

> It will most likely take a while to be implemented on our side. If you feel like sending a PR, we will be glad to review it on a shorter timeline - though I understand that you have already had a look at the code, and perhaps would not be able to do it.

I would like to have a go at this, but realistically I will probably not find the time for this. I'm happy to help test or review something, though.

@leograba
Member

Noted, thanks anyway for contributing by opening the request.

@leograba leograba added the enhancement New feature or request label Jul 11, 2023