feat: add GPG forwarding to coder ssh #5482


Merged
merged 14 commits into from
Jan 6, 2023

Conversation

deansheather
Member

@deansheather deansheather commented Dec 20, 2022

This is a port of some really old code (since deleted) from Coder v1. Allows for forwarding GPG keys from the local machine to the workspace on both Linux and Windows (which has a more complicated process than Linux).

  • Adds support for Unix socket forwarding in either direction in the Go SSH server (gliderlabs SSH does not seem to supply any server-side code for unix socket forwarding other than SSH agent forwarding)
  • Adds --forward-gpg / -G flag to coder ssh
    • Copies public keys and ownertrust database from the client to the workspace
    • Forwards the agent extra socket from the client to the agent socket dir in the workspace

TODO:

  • Tests (might be very difficult to write tests TBH but I can try)
  • Manually trying it on linux, darwin and windows

I will do a follow-up PR to fix SSH forwarding on Windows (I don't think it works ATM).

@mafredri
Member

I rarely use GPG anymore, but this is cool! Are you planning on fixing the RemoteForward option for SSH as well?

I think testing should be possible by generating the GPG config (GNUPGHOME=/tmp/..) and doing something similar to our agent forwarding test.

Re: agent forwarding on Windows, #4007.

@deansheather
Member Author

I have written working agent forwarding in coder v1 on windows in the past so I'll try to implement that here too.

@ghuntley
Contributor

This is cool (tm) specifically ability to forward YubiKeys/SmartCards for signing of commits. <3

@matifali
Member

This is cool (tm) specifically ability to forward YubiKeys/SmartCards for signing of commits. <3

That would be nice. So people are actually using YubiKeys.

@deansheather deansheather marked this pull request as ready for review January 4, 2023 17:38
@deansheather
Member Author

I wrote a working test for Linux. I think writing a test for Windows will be much harder so I've avoided it and will stick to manually testing it instead, which I'll do tomorrow.

Member

@mafredri mafredri left a comment


Looks good. I only took a quick look as it's getting pretty late, I'll take another one tomorrow 👍🏻!

@deansheather
Member Author

I've tested on windows, linux and darwin and it works. I couldn't get it to work with TTY-based pinentry (such as pinentry-curses or pinentry-tty) but I don't think those work well with GPG forwarding anyways. Works well with GUI-based pinentry (like pinentry-gtk-2 and pinentry-mac).

Video from windows:

firefox_Ba0si3hbaN.mp4

Video from darwin:

Screen_Recording_2023-01-05_at_10.57.44_pm.mp4

No linux video because I forgot to record one. You'll have to trust me that it works 😉

@deansheather deansheather requested a review from mafredri January 5, 2023 13:07
Member

@mafredri mafredri left a comment


Nice work on this feature! Spotted some minor stuff but other than that this looks good to go.

My only complaint is the GPG password length on your Mac! 😉

}, testutil.WaitLong, testutil.IntervalFast)

conn, err := net.Dial("unix", remoteSocketPath)
require.NoError(t, err)
Member


Same here.

cli/ssh.go Outdated
echo "agent socket exists, attempting to kill it" >&2
gpgconf --kill gpg-agent
rm -f "$agent_socket"
sleep 2
Member


Is the sleep purposeful here?

Member Author


I found that sometimes gpgconf --kill gpg-agent didn't instantly kill the agent while testing one time, so I added the sleep. I think 1 second should be enough though.
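As an added illustration (not Coder's code and not part of this PR), the script below sketches the two halves the PR description outlines, copying public keys plus the ownertrust database to the workspace and remote-forwarding the client's agent extra socket onto the workspace's agent socket, and the workspace-side "kill gpg-agent, then wait" step discussed in the review thread above, replacing the fixed sleep with a bounded poll on the socket path. The /tmp/coder-gpg-* file names, socket paths and the 20-try budget are constructed assumptions; gpg and gpgconf are assumed to be installed wherever the respective functions run.

```shell
#!/bin/sh
# Added example, not Coder's code. Paths such as /tmp/coder-gpg-* are
# constructed placeholders; gpg and gpgconf are assumed where they run.

# Client side: export only what the workspace needs. Public keys and the
# ownertrust database leave the client; private keys stay behind the agent.
export_client_material() {
    outdir=$1
    gpg --export --armor > "$outdir/pubkeys.asc" || return 1
    gpg --export-ownertrust > "$outdir/ownertrust.txt" || return 1
}

# The socket worth forwarding is the *extra* socket: gpg-agent serves a
# restricted command set on it, so a workspace cannot, for example, export
# private keys through the forwarded connection.
client_extra_socket() {
    gpgconf --list-dirs agent-extra-socket
}

# Build the ssh -R option: remote agent socket path -> local extra socket.
build_forward_opt() {
    remote_socket=$1
    local_extra_socket=$2
    printf -- '-R %s:%s' "$remote_socket" "$local_extra_socket"
}

# Bounded poll until a path disappears, instead of a fixed sleep after
# gpgconf --kill. Returns 1 if the path is still there when the budget ends.
wait_for_gone() {
    path=$1
    tries=${2:-2}               # default: up to ~2 seconds
    while [ -e "$path" ] && [ "$tries" -gt 0 ]; do
        sleep 1
        tries=$((tries - 1))
    done
    [ ! -e "$path" ]
}

# Workspace side: the script sent over the SSH connection. It stops any
# local agent so nothing owns the socket path that sshd is about to bind,
# then imports the material the client copied over. The poll loop is
# inlined because the remote shell cannot see the functions defined here.
workspace_prep_script() {
    cat <<'EOF'
set -e
agent_socket=$(gpgconf --list-dirs agent-socket)
if [ -e "$agent_socket" ]; then
    echo "agent socket exists, attempting to kill it" >&2
    gpgconf --kill gpg-agent
    tries=20
    while [ -e "$agent_socket" ] && [ "$tries" -gt 0 ]; do
        sleep 0.1
        tries=$((tries - 1))
    done
    rm -f "$agent_socket"
fi
gpg --import /tmp/coder-gpg-pubkeys.asc
gpg --import-ownertrust /tmp/coder-gpg-ownertrust.txt
EOF
}
```

A client would call export_client_material, copy the two files to the workspace, run the output of workspace_prep_script there, and then open the session with `ssh $(build_forward_opt "$(ssh host gpgconf --list-dirs agent-socket)" "$(client_extra_socket)") host`. Polling the socket path rather than sleeping a fixed interval both removes the race the reviewer asked about and fails loudly (the loop exhausts and rm -f still runs) instead of silently forwarding over a socket the old agent may still hold.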

@thalesfsp

@deansheather Great work! Regarding Yubico key forwarding, I agree, that would be AWESOME! Thank you!

@deansheather deansheather enabled auto-merge (squash) January 6, 2023 07:46
@deansheather deansheather merged commit f1fe2b5 into main Jan 6, 2023
@deansheather deansheather deleted the dean/gpg-forward branch January 6, 2023 07:52
@github-actions github-actions bot locked and limited conversation to collaborators Jan 6, 2023

5 participants