Beekeeper-studio: ssh-keys automatic connection request

Hey folks,
I’m the maintainer of Beekeeper Studio -

It’s an SQL client / database manager, it’s currently the featured development app! Source here -

I’m requesting the following auto-connections:

  • ssh-keys (please see my comment below)

Why

To connect to a production database, many users have to route their connections through an SSH tunnel. We provide this capability in the app, but currently users are unable to access hidden files in ~/.ssh, or elsewhere in their home directory.

Given that key-based ssh access (not password based) is standard practice, this is key to Beekeeper being useful for production databases.

Currently I have the home plug, but that is only for NON hidden files.

I haven’t submitted a new snap to the store with this plug requested yet (wasn’t sure the order that I should do things), but hoping I can get approved!

Thanks,

Matthew

Have you tried using the ssh-keys interface?

I have but wasn’t sure if that only provided access to the ssh-agent?

From reading the source code; it should provide access to both the ssh binary, the public and private key files, and the ssh config files.

It does not seem to give access to the ssh agent, but personal-files will not do that either.

Thanks for pointing me to the source!

So yes this would do the same as granting personal-files to just the .ssh directory for my purposes.

I’ve worked at 2 places that distributes keys to a different hidden directory on laptops (eg .company-name), so it feels like it would be frustrating to those users.

I think full access to $HOME would be preferred, but willing to defer to the community here if that seems like a bad idea overall.

Honestly I’m not sure the average user understands the limits on snap fs access.

Full access to $HOME this far excessive of what users would expect IMO - instead the ssh-keys interface clearly describes what access it grants so granting access to this may be more appropriate.

-1 from me for personal-files access to all of $HOME

If instead you wish to pursue ssh-keys auto-connection please change the topic of this thread and make an explicit request as a new comment for reviewers to vote on.

ok, will do!

Thanks @alexmurray and co

Reviewers:

I have changed this to a request for ssh-keys auto-connect.

Package: beekeeper-studio
Store: https://snapcraft.io/beekeeper-studio

Reason: SSH tunnels for Database connections that require private keys to work.

1 Like

@alexmurray are you a +1 if this is just for ssh-keys?

@rathboma Hmm yes whilst I suggested the use of ssh-keys above, this is not normally something which is granted auto-connect since this can clearly expose sensitive private keys (see Auto-connection request for lagoon-cli snap for instance as a historical precedent) - instead we recommend snap authors to try and detect if this interface is connected and if not prompt the user at the time this is required if the interface is not connected (which can be done via snapctl is-connected ssh-keys - which exits with a return code of 0 if it is connected or 1 if it is not). So unfortunately -1 for me for auto-connect of ssh-keys

So what is the workflow if ssh-keys is not auto-connected? Is there a built-in UI to enable that, or does the user have to drop to the terminal?

The user in our case is explicitly choosing the keyfile, rather than the app doing anything automatic, if that helps alleviate your concerns.

If your app is a graphical app, perhaps you could use the desktop portals, which allow your users to use any file from the system, provided they have xdg-desktop-portals installed.

1 Like

To answer your original question: Ubuntu Software and the Snap Store app have a UI to change the permissions of an app.

image

On Ubuntu 20.04 and onwards, users can also configure the permissions in Settings.

image

@rathboma

I created general documentation about using XDG desktop portals in snaps.

Beekeeper-studio is an electron app, however, and the support for xdg-desktop-portals is not merged yet in Electron itself. The author of the PR is looking for people to test his PR.

1 Like

Ok, so there is a UI for snap permissions on some systems.

If the user is on (for example) Arch and they wanted to enable ssh access they’d have to run a terminal command?

Yes, although Arch is a special one given nothing is installed by default :wink:

At the moment, you can’t really assume there is a UI installed to do this.

Ok, here’s what I’m going to do:

  • add ssh-keys to my permission request
  • add documentation for how to enable this on the terminal
  • add an in-app prompt if folks are using a snap to tell them to do this.

Do I need any special permission in this forum to add ssh-keys without auto-connection?

I’ve also been asked to let the app use credentials from the global ssh-agent, but not sure that’s possible with Snaps?

No special permission is required to plug ssh-keys for manual connection. Regarding access to the global ssh-agent - this is not possible at the moment but it has been discussed in the past Ssh-agent plug request

I’m also going to echo @alexmurray’s concerns and vote -1 for auto-connection.

Others have provided excellent advice and I’ll reiterate that your snap is free to plugs ‘ssh-keys’ without auto-connection and say your snap is in a position to snapctl is_connected ssh-keys to see if the interface is connected which gives your snap an opportunity to guide the user to connect. A cli experience could exit early if they invoke using ssh and a gui experience could provide a warning stating what to do if the user invokes the ssh feature.

There are also plans to provide APIs for snaps to use that would allow a snap to trigger the connection prompt themselves.

1 Like