tsh option: only populate ssh agent and not save identity files

[ollyg]

Feature Request

A command line option for tsh which would suppress storage of the identity files (certificates) and only populate the SSH Agent. An error is thrown if this is requested and the Agent is not available, or the --out option is also provided. For example:

tsh login --proxy=proxy.example.com --agent-only

Motivation

In order to avoid the security risk of certificates being farmed from a user's home directory and used to access a Cluster. Identity files would only remain in memory within the Agent on the local machine.

Who's it for?

Anyone - OSS User, Pro, Enterprise

Other Information

• I tried setting --out=/dev/null but it stopped the Agent from being populated as well. Perhaps Agent step requires the identity files on disk already?
• I wonder if this is going to stop tsh status from working?
• I will try to find the time to patch and PR but no promises.
• We are an Enterprise customer already - issue here as discussed with @webvictim on Slack support.

[russjones]

Change the UX of tsh to reduce the number of flags to improve to flow here.

[russjones]

@xacrimon Can you implement RFD #18 to resolve this issue?

[xacrimon]

on it

[webvictim]

@travelton raised an excellent point: we should also expose an RBAC setting to enforce that certificates can only be stored in an SSH agent and must not be written to disk.

[xacrimon]

Should we do this in a different PR and open a new issue for it?

[webvictim]

@xacrimon Yes, let's not delay the current implementation.

[xacrimon]

Solved by #5825