
containers/ws: Support using an external SSH agent #21202

Merged
merged 1 commit into from
Dec 13, 2024

Conversation

engelant
Copy link

@engelant engelant commented Oct 31, 2024

In unprivileged mode, support connecting to an already running SSH agent
for sharing SSH private keys.

Thanks to Anton Engelhardt [email protected] for the idea and
initial implementation sketch!

Fixes #21170

ws container: Support sharing host ssh-agent

For SSH key authentication, the cockpit/ws container has supported bind-mounting private SSH keys into the container for a long time. That mode is appropriate for server system containers or deploying in e.g. Kubernetes.

For desktop use cases similar to Cockpit Client it is preferable to instead run the ws container as your own user, and share your user session's SSH agent. This provides a more comfortable login experience as you don't have to unlock private keys with your passphrases on the Cockpit login page again, and this also avoids exposing the private key to the web server.

Please see the "SSH authentication: Share SSH agent with container" section in the container documentation for details.
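The description above contrasts two ways of giving the ws container SSH credentials: bind-mounting private keys (the long-supported mode) and, for desktop use, running the container as your own user and sharing the session's SSH agent socket so the key itself never enters the container. The following script is an added illustration of that choice and is not code from the cockpit project or from this PR; the image name, the in-container socket and key paths, and the `podman` flags are assumptions, and the container's actual expectations are documented in the README section the description refers to.

```sh
#!/bin/sh
# Added example (not cockpit's own code): pick a credential mode for an
# unprivileged cockpit/ws container and print the matching podman command.
#   "agent": share the user session's SSH agent socket; the private key stays
#            on the host and is never readable by the web server process.
#   "keys":  bind-mount private keys read-only into the container (older mode,
#            suited to system containers or Kubernetes deployments).
# WS_IMAGE, AGENT_SOCK_IN_CONTAINER and KEY_DIR_IN_CONTAINER are assumed values.

WS_IMAGE=quay.io/cockpit/ws
AGENT_SOCK_IN_CONTAINER=/run/ssh-agent.sock   # assumed in-container mount point
KEY_DIR_IN_CONTAINER=/ws-ssh-keys             # assumed in-container key directory

# Return 0 when SSH_AUTH_SOCK names an existing unix socket, 1 otherwise.
# A stale variable pointing at a vanished socket therefore counts as "no agent".
agent_socket_available() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Print "agent" if the host agent can be shared, else "keys".
# This is the fallback raised in review: without a reachable agent, ws
# authenticates with its other mechanisms, so we launch it in key mode.
choose_ws_mode() {
    if agent_socket_available; then
        echo agent
    else
        echo keys
    fi
}

# Print the podman arguments for agent-sharing mode.
# $1: host-side agent socket path.
# --userns=keep-id runs the container as the invoking user so the socket's
# ownership matches; SSH_AUTH_SOCK inside the container points at the mount.
ws_agent_args() {
    printf '%s' "--userns=keep-id -v $1:$AGENT_SOCK_IN_CONTAINER -e SSH_AUTH_SOCK=$AGENT_SOCK_IN_CONTAINER"
}

# Print the podman arguments for key-mount mode.
# $1: host directory holding the private key(s); mounted read-only.
ws_keys_args() {
    printf '%s' "-v $1:$KEY_DIR_IN_CONTAINER:ro"
}

# Assemble and print the full command line for the chosen mode.
# It only prints; inspect the output, then run it (e.g. with eval).
# Paths containing spaces are not handled; this is a demonstration.
ws_command() {
    if [ "$(choose_ws_mode)" = agent ]; then
        extra=$(ws_agent_args "$SSH_AUTH_SOCK")
    else
        extra=$(ws_keys_args "${WS_KEY_DIR:-$HOME/.ssh}")
    fi
    printf '%s\n' "podman run -d --name cockpit-ws -p 9090:9090 $extra $WS_IMAGE"
}
```

Source the file and call `ws_command` from a desktop session: with a live agent it prints the agent-sharing invocation, and with no agent (or one whose socket has gone away) it prints the key-mount invocation instead, which is the same degradation the review discussion describes for ws itself.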

@martinpitt martinpitt left a comment

Thanks! This also needs an integration test, but I'm happy to create that - unless you want to, of course!

Review threads on containers/ws/README.md and containers/ws/label-run (outdated, resolved)
@martinpitt martinpitt changed the title Ws container auth socket ws: conditional start of ssh-agent Nov 15, 2024
@martinpitt (Member)

@engelant Do you still want to continue with this? No pressure, we all have other work to do, I was just curious if you lost interest or just don't have time. I.e. I can finish this at some point too, just don't want to step on your toes.

@engelant (Author)

@martinpitt terribly sorry for the long response time, but yeah stuff...

Anyhow, as for the SELinux part, :z is probably insufficient, as this only affects the mount ns and not the ipc one afaik.
Imho this usage example is kind of out of scope, or I would just go with the --privileged for now.

Furthermore, the integration tests: I'm not sure what's required there.
So if you want to drag this over the finish line here I'd very much welcome that.

@martinpitt martinpitt force-pushed the ws-container-auth-socket branch from 0aefb47 to e4734cc Compare December 12, 2024 16:22
@martinpitt martinpitt changed the title ws: conditional start of ssh-agent containers/ws: Support using an external SSH agent Dec 12, 2024
@martinpitt (Member)

@engelant Took me a while to find some time to work this out, but I think I've got something now. Please have a look and let me know if this works for you? Thanks for the idea, this is really neat!

@martinpitt martinpitt dismissed their stale review December 12, 2024 16:24

fixed up, and now it's my code

@martinpitt (commit message)

In unprivileged mode, support connecting to an already running SSH agent
for sharing SSH private keys.

Thanks to Anton Engelhardt <[email protected]> for the idea and
initial implementation sketch!

Fixes cockpit-project#21170
@martinpitt martinpitt force-pushed the ws-container-auth-socket branch from e4734cc to 9a84586 Compare December 12, 2024 17:58
@martinpitt martinpitt requested review from jelly and mvollmer December 13, 2024 04:11

@jelly jelly left a comment


So the only concern here is that I don't know what happens when the ssh socket dies; we might get some unhandled errors?

@martinpitt (Member)

Not "unhandled" as such, you just get the same behaviour as with the ssh command line: if the agent isn't available, it falls back to other auth mechanisms like user+password. I think that's okay?

@martinpitt martinpitt merged commit b1c8d57 into cockpit-project:main Dec 13, 2024
69 checks passed
@engelant engelant deleted the ws-container-auth-socket branch December 13, 2024 10:22
Linked issue (closed by this pull request): cockpit-ws bastion/unprivilleged forced ssh-agent