SSH key generation #1761
Comments
The problem with that is that it's a highly security-critical operation to generate keys and I wouldn't want to be responsible if our method is bad in any possible way. If we decide to go deeper into SSH integration this may become reasonable, but right now I can't promise anything.
We can't just use ssh-keygen on Linux?
@ToKaTpoHb That would only work on Linux or macOS and would require wrapping an external program in odd ways. Windows users would be left out, and that's a big target audience.
Yes, but until we go deeper into SSH integration?
Is it more security critical than generating any of my other passwords? As far as implementing it, there are probably libraries out there already to do the heavy lifting (openssl seems to be able to generate a key with just a few lines of code), but I'm not sure how much that would complicate dependencies.
@njfox Yes, it is more involved, because if there's anything wrong with the details of said generation your key could end up being weak and factorable. Using an external library is definitely the way to go if generation support is added, but it would need to at least support RSA and Ed25519 keys. When it comes to OpenSSL, it would be better to switch all crypto from gcrypt to OpenSSL, but then there are licensing issues and it doesn't cover all of our crypto needs (Argon2), so it doesn't even lower the number of dependencies right now. If any of the libssh* libraries gain support for most of the operations we need to do, then it would possibly make sense to use one of them. There hasn't been a good thorough review of all of them for their completeness for our use (key parsing, key decryption, agent functionality and key generation). They also need to expose enough of the internal details for us to show the same information in the UI that we currently do without decrypting the new OpenSSH format keys (though that could be changed for compatibility).
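The comment above mentions two format-level tasks a library (or KeePassXC itself) has to handle: building the OpenSSH wire/container format around freshly generated key bytes, and reading enough of an `openssh-key-v1` private key to show its type, public key and (for unencrypted keys) comment in the UI without decrypting it. The following is an added, stdlib-only Python example written for this thread; it is not KeePassXC code and not from any participant here. It does no key generation or encryption: the 32-byte seed and public key it is fed are constructed placeholders, not a real key, and all function names are my own.

```python
# Added example (not KeePassXC code): stdlib-only helpers for the OpenSSH key
# formats discussed in this thread. Key bytes passed in are CONSTRUCTED placeholders.
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: minimal big-endian, sign bit clear."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # a leading 1 bit would read as negative; prepend a zero byte
        raw = b"\x00" + raw
    return ssh_string(raw)


def read_string(buf: bytes, off: int):
    """Parse one 'string' at buf[off:], refusing to read past the buffer end."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated ssh string")
    return buf[off:off + n], off + n


def ed25519_public_blob(pub32: bytes) -> bytes:
    """Wire-format public key: string 'ssh-ed25519' || string pk (32 bytes)."""
    if len(pub32) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(pub32)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire-format public key: string 'ssh-rsa' || mpint e || mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def public_key_line(blob: bytes, comment: str = "") -> str:
    """The one-line id_*.pub / authorized_keys form of a wire-format blob."""
    keytype, _ = read_string(blob, 0)
    line = f"{keytype.decode()} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def build_openssh_private_ed25519(seed32: bytes, pub32: bytes, comment: str,
                                  cipher: bytes = b"none", kdf: bytes = b"none",
                                  kdfopts: bytes = b"") -> str:
    """Lay out the openssh-key-v1 container around already-generated key bytes.
    Assumption: for any cipher other than b"none" the caller has encrypted the
    private section itself; this helper only assembles the envelope."""
    blob = ed25519_public_blob(pub32)
    check = b"\x01\x02\x03\x04"  # OpenSSH writes a random 32-bit value twice; constructed here
    private = (check + check
               + ssh_string(b"ssh-ed25519")
               + ssh_string(pub32)
               + ssh_string(seed32 + pub32)  # OpenSSH stores the ed25519 sk as seed || pk
               + ssh_string(comment.encode()))
    block = 8 if cipher == b"none" else 16  # padding block size OpenSSH uses
    pad = (-len(private)) % block
    private += bytes(range(1, pad + 1))  # deterministic 1,2,3,... padding
    body = (MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(kdfopts)
            + struct.pack(">I", 1) + ssh_string(blob) + ssh_string(private))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_HEAD}\n{wrapped}\n{PEM_TAIL}\n"


def inspect_openssh_private(pem: str) -> dict:
    """Report what a UI can show without a passphrase: key type, public key,
    cipher/KDF names and, only when the key is unencrypted, the comment."""
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an OpenSSH private key")
    body = base64.b64decode("".join(lines[1:-1]))
    if not body.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(MAGIC)
    cipher, off = read_string(body, off)
    kdf, off = read_string(body, off)
    kdfopts, off = read_string(body, off)
    (nkeys,) = struct.unpack_from(">I", body, off)
    off += 4
    if nkeys != 1:
        raise ValueError(f"unsupported key count {nkeys}")
    pubblob, off = read_string(body, off)
    private, off = read_string(body, off)
    keytype, _ = read_string(pubblob, 0)
    info = {"type": keytype.decode(), "cipher": cipher.decode(), "kdf": kdf.decode(),
            "encrypted": cipher != b"none", "public_key": public_key_line(pubblob),
            "comment": None}
    if not info["encrypted"]:  # the private section is plaintext only for cipher "none"
        if private[:4] != private[4:8]:
            raise ValueError("check bytes differ: corrupt private section")
        p = 8
        for _ in range(3):  # skip key type, public key, private key
            _, p = read_string(private, p)
        comment, p = read_string(private, p)
        info["comment"] = comment.decode()
    return info
```

Feeding `build_openssh_private_ed25519` placeholder bytes and `inspect_openssh_private` the result shows the type, public key line and comment for an unencrypted key, while a container whose cipher field is not `none` yields only the type, public key and cipher/KDF names, which is the information the comment above says the UI needs without decryption.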
Since KeeShare was added to KeePassXC, generating an RSA key already exists in the code base. We can expose this to generate SSH keys if it is deemed secure enough.
Would be very useful. Otherwise I need to generate outside, import as an attachment and shred the generated key with ssh-keygen.
I have a commit in my personal 2.7.0 feature branch for key generation for RSA, ECDSA and Ed25519 keys. It will be PR'd once #6209 lands and a PR for #4334 is merged as well, as it depends on a small refactor in that. The reason why I changed my mind about this is that replacing gcrypt with Botan in #6209 will give us simple interfaces to generate all supported key types, which will offload all cryptographic operations to a single and suitable library which is used for everything else in KeePassXC as well. If someone wants to test the early work (please don't use the generated keys for anything yet), I have all of the changes in this branch: https://github.com/hifi/keepassxc/commits/feature/openssh-sk-botan
@hifi is there any chance your PR for GUI SSH key generation will make the 2.8.0 release? I have been watching this (and the PR) for quite a while and I am very much looking forward to this, because it would make using SSH for non-technically-inclined folks WAY easier.
Add "Generate SSH key" button. This will resolve (partly) issues with key formats.
Expected Behavior
Add a "Generate key" button between the "Private key" label and the "Attachment" option, which allows the user to generate a new key. It will generate an attachment.
Possible Solution
As an alternative, you can add a third option to the "Private key" section, which launches a little wizard with some fields like "Comment", "Format type", etc.
Context
In the real world I'll be using these keys to connect to servers (one for each server), so having an option to generate right inside the program is a plus for me.