Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSH key generation #1761

Closed
Mirokko opened this issue Mar 20, 2018 · 11 comments · Fixed by #7215
Closed

SSH key generation #1761

Mirokko opened this issue Mar 20, 2018 · 11 comments · Fixed by #7215
Assignees

Comments

@Mirokko
Copy link

Mirokko commented Mar 20, 2018

Add "Generate SSH key" button. This will resolve (partly) issues with key formats.

Expected Behavior

Add button "Generate key" between Private key label and Attachment option, which allows user to generate new key. It will generate attachment.
image

Possible Solution

As an alternative, you can add third option to "Private key" section, which launch little wizard with some fields like "Comment", "Format type", etc...

Context

In real world ill be using these keys to connect to servers (one for each server), so having option to generate right inside program is a plus for me.

@hifi
Copy link
Member

hifi commented Mar 20, 2018

The problem with that is that it's a highly security critical operation to generate keys and I wouldn't want to be responsible if our method is bad in any possible way.

If we decide to go deeper into SSH integration this may become reasonable but right now I can't promise anything.

@Mirokko
Copy link
Author

Mirokko commented Mar 20, 2018

We cant just use ssh-keygen on linux?

@hifi
Copy link
Member

hifi commented Mar 20, 2018

@ToKaTpoHb That would only work on Linux or macOS and would require wrapping an external program in odd ways. Windows users would be left out and that's a big target audience.

@Mirokko
Copy link
Author

Mirokko commented Mar 20, 2018

Yes but, untill we go deeper into SSH integration?..

@njfox
Copy link
Contributor

njfox commented Apr 5, 2018

The problem with that is that it's a highly security critical operation to generate keys and I wouldn't want to be responsible if our method is bad in any possible way.

Is it more security critical than generating any of my other passwords? As far as implementing it, there are probably libraries out there already to do the heavy lifting (openssl seems to be able to generate a key with just a few lines of code) but I’m not sure how much that would complicate dependencies.

@hifi
Copy link
Member

hifi commented Apr 5, 2018

@njfox Yes, it is more involved because if there's anything wrong with the details of said generation your key could end up being weak and factorable.

Using an external library is definitely the way to go if generation support is added but it would need to at least support RSA and Ed25519 keys.

When it comes to OpenSSL it would be better to switch all crypto from gcrypt to OpenSSL but then there are licensing issues and it doesn't cover all of our crypto needs (Argon2) so it doesn't even lower the number of dependencies right now.

If any of the libssh* libraries gain support for most of the operations we need to do then it would possibly make sense to use one of them. There hasn't been a good thorough review of all of them for their completeness for our use (key parsing, key decryption, agent functionality and key generation). They also need to expose enough of the internal details for us to show the same information in the UI that we currently do without decrypting the new OpenSSH format keys (though that could be changed for compatibility).

@Mirokko
Copy link
Author

Mirokko commented Apr 5, 2018

@hifi we have libssh, so why we couldnt use it? Looks like it could generate a keypairs, supports rsa and ed25519...

You can compile it for windows too.

@hifi
Copy link
Member

hifi commented Mar 15, 2020

Since KeeShare was added to KeePassXC, generating an RSA key already exists in the code base. We can expose this to generate SSH keys if it is deemed secure enough.

@mmaridev
Copy link

mmaridev commented May 5, 2020

Would be very useful. Otherwise I need to generate outside, import as attachment and shred the generated key with ssh-keygen.

@hifi hifi added this to the v2.7.0 milestone Mar 7, 2021
@hifi hifi self-assigned this Mar 7, 2021
@hifi
Copy link
Member

hifi commented Mar 7, 2021

I have a commit in my personal 2.7.0 feature branch for key generation for RSA, ECDSA and Ed25519 keys. It will be PR'd once #6209 lands and a PR for #4334 is merged as well as it depends on a small refactor in that.

The reason why I changed my mind about this is that replacing gcrypt with Botan in #6209 will give us simple interfaces to generate all supported key types which will offload all cryptographic operations to a single and suitable library which is used for everything else in KeePassXC as well.

If someone wants to test the early work (please don't use the generated keys for anything yet) I have all of the changes in this branch: https://github.com/hifi/keepassxc/commits/feature/openssh-sk-botan

@hifi hifi removed this from the v2.7.0 milestone Dec 10, 2021
@Okeanos
Copy link
Contributor

Okeanos commented Dec 28, 2022

@hifi is there any chance your PR for GUI SSH key generation will make the 2.8.0 release? I have been watching this (and the PR) for quite a while and I am very much looking forward to this because it would make using SSH for non technically inclined folks WAY easier.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants