-
Oh this is interesting. It's definitely too soon because age is not even stable yet, but I want to think about this when thinking about the agent strategy. I didn't know the ssh-agent protocol was so extensible. If it's a sane protocol we might even adopt it as the one age agent protocol. Might as well.
-
Relevant post on the mailing list: https://groups.google.com/d/msg/age-dev/Xe6zW4haGx8/m_jYh7YTAgAJ
-
ssh-agent support would also make it unnecessary to use something like
-
Is there any plan to look at this before 1.0 release?
-
This would also be helpful in the case someone encrypts a message to a GitHub user's SSH key. In my case I use a smart card with GPG for my SSH keys, so this ssh-agent support would make this usable in the first place for my use-case. Also this means we can update the
-
Note that since this is a non-standard ssh-agent extension, gpg-agent does not support it, so this does not unlock the capability of using keys on YubiKeys through it. This is a very interesting experiment, but I think we'll focus on native support for YubiKeys (both PIV and maybe even FIDO2 in symmetric mode) and on a dedicated agent (probably https://github.com/FiloSottile/yubikey-agent) which lets us support native age keys.
-
I'm also interested in this feature. I keep my SSH keys in a keepassxc database, so I currently cannot use them with age.
-
@FiloSottile Now that Age is released in a stable version, are there any thoughts about making it possible to decrypt using ssh files on your yubikey?
-
Any updates or new thoughts regarding agent support?
-
I don't know anything about Go and too little about SSH/encryption, but this guy https://github.com/leighmcculloch/sshcrypt has a working solution that does this - which links to this repo :-D Maybe you can exchange some code? I'm using his version and it's pretty damn nice to not have to worry about db credentials and such hanging out in scripts in plaintext.
-
As 1Password now provides an ssh-agent, I'd love to see support for ssh-agent in age.
-
I can only add my name to this one. I have 3 tokens of different vendors and all exposed via PuTTY CAC via OpenSC. I currently do ugly scripting to mount my encrypted partitions and files with the decryption of my passphrase via pkcs11-tool. I am craving to get something usable directly like this project!!
-
Also interested in this one! Any updates?
-
ssh-agent for age: https://github.com/IxDay/janus
-
I just ran into another situation where this would be useful - headless Linux boxes still don't have secure Git credential storage by default. I could wire something up with age, but I'd like to be able to use my SSH keys in my agent to unlock it.
-
@42wim why do you need to extend the agent for this to work? If age works with standard keys, wouldn't it also work with standard SSH keys from an agent?
-
I have just published a proof-of-concept agent for age. This one is written in Bash with password managers like passage in mind: dbohdan/stone-agent. It comes from the realization you only need a shell and netcat or socat to listen and respond on a Unix domain socket like "real" agents.
-
I've made a POC for ssh-agent support by creating an ssh-agent which uses the ssh-agent extension mechanism. (This way we can keep our keys secure on our devices.)
Is this something you would want to support (I can make a PR) or is this out of scope?
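An added example, not code from the POC, from age, or from any project linked in this thread: a Go sketch of how an ssh-agent extension request is framed on the wire and how a client can tell that an agent does not implement the extension, which is the situation described above for gpg-agent. The message numbers are taken from draft-miller-ssh-agent; the extension name `decrypt@example.invalid` and the payload are hypothetical placeholders.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Message numbers from draft-miller-ssh-agent.
const (
	agentFailure          = 5  // SSH_AGENT_FAILURE: request not understood
	agentcExtension       = 27 // SSH_AGENTC_EXTENSION
	agentExtensionFailure = 28 // SSH_AGENT_EXTENSION_FAILURE
)

var (
	ErrUnsupported     = errors.New("agent does not implement this extension")
	ErrExtensionFailed = errors.New("agent knows the extension but the request failed")
)

// EncodeExtension frames a request as
// uint32 length || byte 27 || string extension-name || extension payload.
func EncodeExtension(name string, payload []byte) []byte {
	out := make([]byte, 9, 9+len(name)+len(payload))
	binary.BigEndian.PutUint32(out[0:], uint32(5+len(name)+len(payload)))
	out[4] = agentcExtension
	binary.BigEndian.PutUint32(out[5:], uint32(len(name)))
	return append(append(out, name...), payload...)
}

// DecodeReply checks one framed reply and returns the extension-specific body.
func DecodeReply(frame []byte) ([]byte, error) {
	if len(frame) < 5 || uint64(binary.BigEndian.Uint32(frame)) != uint64(len(frame)-4) {
		return nil, errors.New("malformed frame: length field does not match body")
	}
	switch frame[4] {
	case agentFailure: // what an agent without the extension sends back
		return nil, ErrUnsupported
	case agentExtensionFailure:
		return nil, ErrExtensionFailed
	}
	return frame[5:], nil // SSH_AGENT_SUCCESS (6) or an extension-defined reply
}

func main() {
	// Constructed sample: a hypothetical extension name and payload.
	req := EncodeExtension("decrypt@example.invalid", []byte("wrapped-key"))
	fmt.Printf("request: % x\n", req)
	_, err := DecodeReply([]byte{0, 0, 0, 1, agentFailure}) // constructed reply
	fmt.Println("unsupporting agent:", err)
}
```

A client built this way can treat `ErrUnsupported` as the signal to fall back to another identity source instead of failing the whole decryption.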