Ssh-agent plug request

I have a utility that I would like to snap which connects to SFTP servers. To achieve this it will need access to the .ssh/known_hosts file and preferably access to the ssh-agent running on a system. ssh-agent will probably need to require a new plug, so this post is the request for such an interface.

As a follow-up question, is the home plug sufficient to access the .ssh/known_hosts file, or is that folder specifically excluded via preventing access to files and folders beginning with a dot when the home plug is used? If there is no way currently then I would like to request another plug for, or for the above ssh-agent plug to include, accessing the ssh known_hosts file.

I advise that such plugs need to be sure not to expose any private keys in the .ssh folder.

5 Likes

Dot files are excluded from the home interface, as such .ssh is not accessible.

@daniel - the security team has added this to our queue, but it is pretty far down. If you, someone else or another team needs this sooner, please feel free to submit a PR.

1 Like

FYI, now that the ssh keys interfaces are available, it is possible for a snap to ship its own agent, then do something like (untested within the context of a snap):

SSH_ENV=$HOME/.ssh/environment

function start_agent {
        echo "Initialising new SSH agent..."
        ssh-agent > "${SSH_ENV}"
        chmod 600 "${SSH_ENV}"
        . "${SSH_ENV}" > /dev/null
        ssh-add
}

# Source SSH settings, if applicable
if [ -f "${SSH_ENV}" ]; then
        . "${SSH_ENV}" > /dev/null
        ps "${SSH_AGENT_PID}" > /dev/null || {
                start_agent;
        }
else
        start_agent;
fi

This allows each snap to manage its own agent for keys the snap has unlocked, rather than have access to the global agent, gaining access to all unlocked keys.

1 Like

There are multiple situations where tools packaged as snaps may need access to the agent running for the user itself. Having the plug would be really helpful as an interface doesn’t really cut it.

The plug would also need to give access to ~/.ssh for reasons mentioned in the first post including ~/.ssh/config as it may have aliases, jump hosts etc. configured that are necessary to gain access to certain systems.

What is the current priority of this plug?

Considering that a snap can configure its own agent, this is not prioritized. If you are able, I suggest submitting a PR to https://github.com/snapcore/snapd.

1 Like

I would like to take a look at implementing this.

Can someone more knowledgeable than me point me towards a plug that has a similar implementation that I could use to draft from?

In particular it looks like the snap would need:

  • to be able to read SSH_AUTH_SOCK environment variable
  • to be able to connect to the socket in that variable
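As an added illustration of those two needs (not code from this thread or from snapd), here is a small Python client that reads SSH_AUTH_SOCK, connects to the agent's Unix socket, and lists the keys the agent currently holds using the ssh-agent protocol's request-identities message. It assumes an OpenSSH-compatible agent; the SAMPLE_ANSWER bytes are constructed here so the parser can be exercised without a live agent, and the listing shows why an agent plug exposes every unlocked key rather than private key material.

```python
import os
import socket
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11  # message numbers from the ssh-agent protocol
SSH_AGENT_IDENTITIES_ANSWER = 12    # (draft-miller-ssh-agent)

def _string(data):  # SSH 'string': uint32 big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

def _read_string(buf, off):  # decode an SSH 'string' at off -> (bytes, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated agent message")
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_request_identities():  # framed: uint32 length (1) + message-type byte
    return struct.pack(">I", 1) + bytes([SSH_AGENTC_REQUEST_IDENTITIES])

def parse_identities_answer(payload):
    # Unframed SSH_AGENT_IDENTITIES_ANSWER -> [(key_type, comment)]. Only public key
    # blobs and comments cross the socket; private keys never leave the agent.
    if not payload or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %r" % payload[:1])
    (count,) = struct.unpack_from(">I", payload, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = _read_string(payload, off)
        comment, off = _read_string(payload, off)
        key_type, _ = _read_string(blob, 0)  # first field of a key blob is its type
        keys.append((key_type.decode(), comment.decode(errors="replace")))
    return keys

def list_agent_keys(sock_path=None):
    # Connect to the agent socket ($SSH_AUTH_SOCK by default) and list its keys.
    sock_path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not sock_path:
        raise RuntimeError("SSH_AUTH_SOCK is not set; no agent reachable")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)  # the connect() a snap interface would have to permit
        s.sendall(build_request_identities())
        with s.makefile("rb") as f:  # buffered read blocks until n bytes or EOF
            (length,) = struct.unpack(">I", f.read(4))
            return parse_identities_answer(f.read(length))

# Constructed sample reply (one ed25519 key) so the parser runs without a live agent.
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                 + _string(_string(b"ssh-ed25519") + _string(b"\x00" * 32)) + _string(b"demo@snap"))
```

Running list_agent_keys() from inside a strictly confined snap without an interface granting the socket connect is exactly the failure a plug would have to resolve; parse_identities_answer(SAMPLE_ANSWER) works anywhere.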