Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/asottile/hiera-eyaml-sshagent
A hiera-eyaml plugin which uses the ssh agent connected to `SSH_AUTH_SOCK` to encrypt / decrypt values.
Last synced: 11 days ago
- Host: GitHub
- URL: https://github.com/asottile/hiera-eyaml-sshagent
- Owner: asottile
- License: mit
- Created: 2019-02-11T05:29:38.000Z (almost 6 years ago)
- Default Branch: main
- Last Pushed: 2024-10-22T00:26:22.000Z (22 days ago)
- Last Synced: 2024-10-26T11:52:10.263Z (18 days ago)
- Language: Ruby
- Size: 104 KB
- Stars: 4
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
[![pre-commit.ci status](https://results.pre-commit.ci/badge/github/asottile/hiera-eyaml-sshagent/main.svg)](https://results.pre-commit.ci/latest/github/asottile/hiera-eyaml-sshagent/main)
hiera-eyaml-sshagent
====================

A [hiera-eyaml] plugin which uses the ssh agent connected to `SSH_AUTH_SOCK`
to encrypt / decrypt values.

### installation

```bash
gem install hiera-eyaml-sshagent
```

### configuring

The plugin takes a single option `sshagent_keyid`:

```yaml
version: 5
hierarchy:
  - name: "Common secret data"
    lookup_key: eyaml_lookup_key
    path: common.eyaml
    options:
      sshagent_keyid: /home/asottile/.ssh/id_rsa
  - name: "Common data"
    path: common.yaml
```

The `keyid` should match what is printed from `ssh-add -l`.
### how it works
It is based on code / ideas from the following:
- [blog post demoing ssh agent api in python][blog-post]
- [initial demo implementation in python][ssh-agent-python]
- [cryptography stackexchange: Is it safe to derive a password from a signature provided by ssh-agent?][se-is-it-safe]
- [security stackexchange: Is it possible to use SSH agent for generic data encryption?][se-ssh-agent]
- [sshcrypt]

#### retrieve symmetric key
This procedure takes a keyid, a 64 byte challenge, and a 16 byte salt.
1. list ssh identities by querying `SSH_AUTH_SOCK`
2. find the identity matching `keyid`
3. sign the `challenge` using that identity
4. use the response blob as a "password" with pbkdf2_hmac (using the salt)
5. the result is a 32 byte key which will be used with fernet

#### `encrypt(keyid, blob)`
1. generate a 64 byte "challenge" and 16 byte salt
2. retrieve symmetric key
3. encrypt with the symmetric key
4. store a blob of `{challenge, salt, payload}`

#### `decrypt(keyid, blob)`
1. load the stored blob `{challenge, salt, payload}`
2. retrieve symmetric key
3. decrypt with symmetric key

### why?
I use a [masterless puppet setup][personal-puppet] to manage my machines.
My current bootstrapping process is:
1. place ssh key on machine
2. clone the repo
3. `./run-puppet`

As such, I wanted a `hiera-eyaml` backend which didn't involve typing in more
passwords or copying around more keys (since I'm already using my ssh key).

[hiera-eyaml]: https://github.com/voxpupuli/hiera-eyaml
[blog-post]: http://ptspts.blogspot.com/2010/06/how-to-use-ssh-agent-programmatically.html
[ssh-agent-python]: https://github.com/asottile/ssh-agent-python
[se-is-it-safe]: https://crypto.stackexchange.com/q/19631/65568
[se-ssh-agent]: https://security.stackexchange.com/q/55757/197558
[sshcrypt]: https://github.com/leighmcculloch/sshcrypt
[personal-puppet]: https://github.com/asottile/personal-puppet
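The three procedures under "how it works" (retrieve symmetric key, `encrypt`, `decrypt`), written out as an added Ruby example that is not the plugin's own code. It speaks the real ssh-agent protocol (request-identities and sign-request messages over `SSH_AUTH_SOCK`), but for an offline run it uses a constructed in-process `FakeAgent` holding one freshly generated RSA key, so nothing here touches a real agent unless you swap in `UnixAgent`. Assumptions not taken from the README: the identity is matched by its comment string (the path `ssh-add -l` prints), PBKDF2 uses HMAC-SHA256 with 100k iterations, and Fernet is implemented inline from its public token format rather than pulled in as a gem. One caveat the scheme depends on: the agent must return the same signature for the same challenge every time, which holds for RSA (PKCS#1 v1.5) and Ed25519 identities but not for ECDSA, whose signatures include a random nonce.

```ruby
require 'openssl'
require 'socket'

# ssh-agent wire protocol (draft-miller-ssh-agent): a message is uint32 length ||
# type byte || body; strings and mpints inside it are uint32-length-prefixed.
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER   = 12
SSH_AGENTC_SIGN_REQUEST       = 13
SSH_AGENT_SIGN_RESPONSE       = 14
SSH_AGENT_RSA_SHA2_256        = 2 # sign flag: rsa-sha2-256 rather than SHA-1 ssh-rsa

def ssh_str(b); [b.bytesize].pack('N') + b; end
def ssh_mpint(bn); b = bn.to_s(2); b = "\x00".b + b if b.getbyte(0) >= 0x80; ssh_str(b); end

class Reader # cursor over a received message
  def initialize(buf); @buf = buf.dup.force_encoding('BINARY'); end
  def byte; @buf.slice!(0, 1).unpack1('C'); end
  def u32;  @buf.slice!(0, 4).unpack1('N'); end
  def str;  @buf.slice!(0, u32); end
end

class UnixAgent # real transport: the agent behind SSH_AUTH_SOCK (not used offline)
  def initialize(path = ENV.fetch('SSH_AUTH_SOCK')); @sock = UNIXSocket.new(path); end
  def call(msg); @sock.write(ssh_str(msg)); @sock.read(@sock.read(4).unpack1('N')); end
end

# Constructed stand-in for offline runs: one RSA identity answering the same two
# messages a real agent would, with genuine rsa-sha2-256 signatures.
class FakeAgent
  def initialize(comment)
    @key, @comment = OpenSSL::PKey::RSA.generate(2048), comment
    @blob = ssh_str('ssh-rsa') + ssh_mpint(@key.e) + ssh_mpint(@key.n) # OpenSSH key blob
  end

  def call(msg)
    r = Reader.new(msg)
    case r.byte
    when SSH_AGENTC_REQUEST_IDENTITIES
      [SSH_AGENT_IDENTITIES_ANSWER, 1].pack('CN') + ssh_str(@blob) + ssh_str(@comment)
    when SSH_AGENTC_SIGN_REQUEST
      blob, data, _flags = r.str, r.str, r.u32
      raise 'unknown key' unless blob == @blob
      # PKCS#1 v1.5 over SHA-256 is deterministic: the same challenge always yields the
      # same bytes, which is what lets decrypt() re-derive the key later.
      sig = @key.sign(OpenSSL::Digest.new('SHA256'), data)
      [SSH_AGENT_SIGN_RESPONSE].pack('C') + ssh_str(ssh_str('rsa-sha2-256') + ssh_str(sig))
    end
  end
end

# Steps 1-5 of "retrieve symmetric key". Matching the identity by its comment and the
# PBKDF2 parameters (SHA-256, 100k iterations) are assumptions, not the plugin's choices.
def retrieve_symmetric_key(agent, keyid, challenge, salt, iterations: 100_000)
  r = Reader.new(agent.call([SSH_AGENTC_REQUEST_IDENTITIES].pack('C')))
  raise 'unexpected agent reply' unless r.byte == SSH_AGENT_IDENTITIES_ANSWER
  blob = nil
  r.u32.times { b, comment = r.str, r.str; blob = b if comment == keyid }
  raise "no identity for #{keyid}" unless blob
  req = [SSH_AGENTC_SIGN_REQUEST].pack('C') + ssh_str(blob) + ssh_str(challenge) +
        [SSH_AGENT_RSA_SHA2_256].pack('N')
  r = Reader.new(agent.call(req))
  raise 'signing failed' unless r.byte == SSH_AGENT_SIGN_RESPONSE
  signature = r.str # the whole signature blob is the "password"
  OpenSSL::KDF.pbkdf2_hmac(signature, salt: salt, iterations: iterations, length: 32, hash: 'sha256')
end

# Fernet token: 0x80 || ts(8, BE) || iv(16) || AES-128-CBC ciphertext || HMAC-SHA256(32),
# urlsafe-base64; signing key = key[0,16], encryption key = key[16,16].
module Fernet
  def self.encrypt(key, plaintext)
    c = OpenSSL::Cipher.new('aes-128-cbc').encrypt
    c.key = key[16, 16]
    iv = c.random_iv
    body = "\x80".b + [Time.now.to_i].pack('Q>') + iv + c.update(plaintext) + c.final
    [body + OpenSSL::HMAC.digest('SHA256', key[0, 16], body)].pack('m0').tr('+/', '-_')
  end

  def self.decrypt(key, token)
    raw = token.tr('-_', '+/').unpack1('m0')
    raise 'token too short' if raw.bytesize < 73
    body, mac = raw[0...-32], raw[-32, 32]
    expect = OpenSSL::HMAC.digest('SHA256', key[0, 16], body)
    # constant-time compare, and verify before touching the ciphertext
    raise 'bad MAC' unless mac.bytes.zip(expect.bytes).inject(0) { |a, (x, y)| a | (x ^ y) }.zero?
    raise 'bad version' unless body.getbyte(0) == 0x80
    c = OpenSSL::Cipher.new('aes-128-cbc').decrypt
    c.key, c.iv = key[16, 16], body[9, 16]
    c.update(body[25..-1]) + c.final
  end
end

def encrypt(agent, keyid, plaintext)
  challenge, salt = OpenSSL::Random.random_bytes(64), OpenSSL::Random.random_bytes(16)
  key = retrieve_symmetric_key(agent, keyid, challenge, salt)
  challenge + salt + Fernet.encrypt(key, plaintext) # stored blob {challenge, salt, payload}
end

def decrypt(agent, keyid, blob)
  key = retrieve_symmetric_key(agent, keyid, blob[0, 64], blob[64, 16])
  Fernet.decrypt(key, blob[80..-1])
end
```

To try it against a real agent, replace `FakeAgent.new(comment)` with `UnixAgent.new` and pass the comment of a loaded RSA identity as `keyid`; `encrypt(agent, keyid, 'secret')` returns the blob and `decrypt(agent, keyid, blob)` reverses it. The challenge and salt travel in the clear in the stored blob, which is why the design works: only an agent holding the private key can turn them back into the Fernet key, and the PBKDF2 step means the raw signature bytes never serve as the key directly.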