google / chrome-ssh-agent

SSH Agent for use with Google Chrome's Secure Shell extension

License: Apache License 2.0

Go 86.49% HTML 1.07% CSS 0.60% Shell 1.08% Starlark 8.71% TypeScript 2.05%
chrome-extension ssh-agent

chrome-ssh-agent's Introduction

SSH Agent for Google Chrome™

This is a bare-bones SSH agent extension for Google Chrome™. It provides an SSH agent implementation that can be used with the Secure Shell Chrome extension.

Getting Started

Installation

Install the extension from the Chrome Web Store.

Adding and Using Keys

  1. Click on the SSH Agent extension's icon in the Chrome toolbar.
  2. Configure a new private key by clicking the 'Add Key' button. Give it a name and enter the PEM-encoded private key. If you use Chrome Sync, configured keys will be synced to your account and available across your devices. Only the raw PEM-encoded private key you entered will be synced. That is, if you entered an encrypted private key, the encrypted private key will be synced. If you entered an unencrypted private key, the unencrypted private key will be synced.
  3. Click the 'Load' button and enter the key's passphrase to load the key into the SSH agent.
  4. When creating a new connection in the Secure Shell extension, add --ssh-agent=eechpbnaifiimgajnomdipfaamobdfha to the "SSH Relay Server Options" field to indicate that it should use the SSH Agent for keys.

Credits

Portions of the code and approach are heavily based on the MacGyver Chrome extension. In particular, the following:

  • Usage of GopherJS, which makes it easy to use Go's existing SSH Agent implementation.
  • Code translating between the SSH Agent protocol used by the Secure Shell extension and the actual SSH agent protocol (details).

Disclaimer

This is not an officially supported Google product.

chrome-ssh-agent's People

Contributors

dependabot[bot], ralimi, renovate-bot, rpwoodbu, testwill, vapier

chrome-ssh-agent's Issues

Feature request: use hardware backed storage for keypair

This agent extension would be a great place to add support for "Keychains" to Secure Shell.

The user could import (and bind for hardware backing) a certificate in Chrome's store (chrome://settings/certificates) and the extension would access those using the chrome.platformKeys API.

I guess the X.509 certificate would have to contain dummy information as only the public and private key are useful. The extension could help with generating the certificate for import by converting the OpenSSH keypair.

An additional way to support hardware backed keys would be through Smart Cards, similar to how OpenSSH's agent can use a PKCS11 module.
I'm guessing this agent extension would need to implement a middleware for the Smart Card Connector extension.

SSH Agent Forwarding?

This is not really an issue, but maybe a feature request or just a request for documentation. I was curious if it's possible to do ssh agent forwarding with this?

If so, how?

If not, is that something that could be added?

Thank you!

'vet' target fails with gopherjs vendored

When gopherjs is vendored, 'make vet' fails with the following error:

vetting code
go/agentport/io.go:32:2: cannot find package "github.com/gopherjs/gopherjs/js" in any of:
/home/ralimi/gocode/src/github.com/google/chrome-ssh-agent/vendor/github.com/gopherjs/gopherjs/js (vendor tree)
/usr/lib/go-1.10/src/github.com/gopherjs/gopherjs/js (from $GOROOT)
/home/ralimi/gocode/src/github.com/gopherjs/gopherjs/js (from $GOPATH)
Makefile:55: recipe for target 'vet' failed
make: *** [vet] Error 1

For now, 'make vet' is no longer executed by default.

Disable sync for private keys?

Kinda missing the point of the "private" in "private key" if the key is synchronised to all of my Chrome-using devices.

Security Policy violation Binary Artifacts

This issue was automatically created by Allstar.

Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

  • vendor/github.com/gopherjs/gopherjs/node-syscall/build/Release/obj.target/syscall.node
  • vendor/github.com/gopherjs/gopherjs/node-syscall/build/Release/obj.target/syscall/syscall.o
  • vendor/github.com/gopherjs/gopherjs/node-syscall/build/Release/syscall.node

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.


Allstar has been installed on all Google managed GitHub orgs. Policies are gradually being rolled out and enforced by the GOSST and OSPO teams. Learn more at http://go/allstar

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

Nothing to click -- to start a session

I tried this on Windows 10 and OSX 10.13. Click on the button, load the key and that's all it does.
There is no link in the window as shown to start a session.

mosh extension support

hello friends,

many thanks to you for this great extension.
it's working great with ssh extension ssh.
I'd like to also use it in mosh sessions of the same ssh extension, but I don't see how to do that.
please help or instruct.

thank you in advance,
alex

Upgrade to Bazel 7

Builds under Bazel 7 failed when executed under Github's action runners.

The underlying errors were:

ERROR: /home/runner/.cache/bazel/_bazel_runner/b5ea0b3c9d34e2d5dd9018c7508d45aa/external/_main~chromium_dependencies~chromedriver/BUILD.bazel:2:8: declared output 'external/_main~chromium_dependencies~chromedriver/chromedriver.bin' is a dangling symbolic link
ERROR: /home/runner/.cache/bazel/_bazel_runner/b5ea0b3c9d34e2d5dd9018c7508d45aa/external/_main~chromium_dependencies~chromedriver/BUILD.bazel:2:8: Executing genrule @@_main~chromium_dependencies~chromedriver//:chromedriver failed: not all outputs were created or valid

This issue tracks upgrading to Bazel 7 and not pinning to a specific version.

No support for SSH Certificates

In my setup, the SSH keys alone are not sufficient for authentication if not accompanied by an SSH certificate. With OpenSSH, certificates are automatically loaded into the ssh-agent after calling ssh-add, which means there are two entries in the agent listing:

$ ssh-add -l
2048 SHA256:sARrpIfvcA+WXiGe209WuUiqOB7zyA7zdxmHGjfqiYU [email protected] (RSA)
2048 SHA256:sARrpIfvcA+WXiGe209WuUiqOB7zyA7zdxmHGjfqiYU [email protected] (RSA-CERT)

It would be nice if loading of SSH certificates was supported by this Chrome app as well.

Add validation that _test.go files have no build tags

Go files that are part of a go_library rule have a build tag that causes them to be ignored unless being built under WebAssembly. Unfortunately, if the build tag is present in tests, the test will silently be skipped.

To avoid this, consider writing a nogo check that _test.go files have no build tags.

Protect BigStorage operations with a mutex

Implement a mutex around BigStorage operations to prevent cleaning up chunks that may be referenced.

This is now technically possible since Delete() is no longer an atomic operation; it deletes keys, then cleans up dangling chunks.
However, dangling chunks may be newly-referenced if Set() is invoked at the same time as Delete().

This is unlikely given that this is only done in the Options UI, but we should more systematically prevent it.

We can consider the Web Locks API.
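The race the issue describes, modelled in Go as an added example (this is not the project's BigStorage code; the index-plus-chunk-table layout, the key and chunk names and the Hammer driver are assumptions for illustration). Delete drops a key and then sweeps chunks no key references; Set writes its chunks and only afterwards publishes them in the index; holding one mutex across both steps is what keeps the sweep from collecting chunks that a concurrent Set has written but not yet indexed.

```go
package main

import (
	"fmt"
	"sync"
)

// chunkStore models a store that splits each value into fixed-size chunks kept under
// separate keys (an assumed layout for this illustration, not the project's own code).
type chunkStore struct {
	mu     sync.Mutex          // serialises Set, Delete and the chunk sweep
	index  map[string][]string // logical key -> chunk IDs, in order
	chunks map[string][]byte   // chunk ID -> chunk bytes
	size   int                 // chunk size in bytes
	nextID int
}

func NewChunkStore(chunkSize int) *chunkStore {
	return &chunkStore{index: map[string][]string{}, chunks: map[string][]byte{}, size: chunkSize}
}

// Set writes the chunks first and only then publishes them in the index. Without mu, a
// concurrent Delete could sweep between those steps and collect the not-yet-indexed chunks.
func (s *chunkStore) Set(key string, value []byte) {
	s.mu.Lock()
	defer s.mu.Unlock()
	var ids []string
	for off := 0; off < len(value); off += s.size {
		end := off + s.size
		if end > len(value) {
			end = len(value)
		}
		id := fmt.Sprintf("chunk-%d", s.nextID)
		s.nextID++
		s.chunks[id] = append([]byte(nil), value[off:end]...)
		ids = append(ids, id)
	}
	s.index[key] = ids
	s.sweepLocked() // chunks of the previous value under key are now dangling
}

// Delete is the two-step operation from the issue: drop the key, then clean up chunks no
// key references. Holding mu across both steps keeps the sweep from seeing a half-done Set.
func (s *chunkStore) Delete(key string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.index, key)
	s.sweepLocked()
}

// sweepLocked removes every chunk no index entry references. mu must be held.
func (s *chunkStore) sweepLocked() {
	live := map[string]bool{}
	for _, ids := range s.index {
		for _, id := range ids {
			live[id] = true
		}
	}
	for id := range s.chunks {
		if !live[id] {
			delete(s.chunks, id)
		}
	}
}

// Get reassembles a value; ok is false if the key is absent or one of its chunks was swept.
func (s *chunkStore) Get(key string) (value []byte, ok bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	ids, ok := s.index[key]
	for _, id := range ids {
		c, present := s.chunks[id]
		if !present {
			return nil, false // dangling reference: the symptom the mutex prevents
		}
		value = append(value, c...)
	}
	return value, ok
}

// Hammer runs Set and Delete concurrently on overlapping keys, the situation the issue
// describes, and reports whether every key that survived still reassembles completely.
func Hammer(rounds int) bool {
	s := NewChunkStore(4)
	var wg sync.WaitGroup
	for i := 0; i < rounds; i++ {
		wg.Add(2)
		go func(i int) { defer wg.Done(); s.Set(fmt.Sprintf("key-%d", i%3), []byte(fmt.Sprintf("value-%d", i))) }(i)
		go func(i int) { defer wg.Done(); s.Delete(fmt.Sprintf("key-%d", (i+1)%3)) }(i)
	}
	wg.Wait()
	for key := range s.index {
		if _, ok := s.Get(key); !ok {
			return false
		}
	}
	return true
}

func main() { fmt.Println("consistent after concurrent Set/Delete:", Hammer(200)) }
```

Running Hammer under `go test -race` is a cheap way to catch any path that touches index or chunks without the lock. A process-local mutex only covers callers in one context; the Web Locks API the issue mentions is the browser-side primitive for the same serialisation across an extension's pages and workers.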

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

bazel-module
MODULE.bazel
  • rules_go 0.46.0
  • gazelle 0.36.0
  • rules_nodejs 6.1.0
  • aspect_rules_js 1.40.1
  • aspect_rules_ts 2.2.0
  • aspect_rules_esbuild 0.19.0
  • bazel_skylib 1.5.0
  • rules_pkg 0.10.1
  • rules_proto 6.0.0-rc1
bazelisk
.bazelversion
  • bazel 7.1.1
github-actions
.github/workflows/codeql-analysis.yml
  • actions/checkout v4
  • actions/setup-go v5
  • github/codeql-action v3
  • github/codeql-action v3
.github/workflows/release-beta.yml
  • actions/checkout v4
  • bazelbuild/setup-bazelisk v3
  • softprops/action-gh-release v2
  • mnao305/chrome-extension-upload v5.0.0
.github/workflows/release.yml
  • actions/checkout v4
  • robinraju/release-downloader v1.9
  • mnao305/chrome-extension-upload v5.0.0
.github/workflows/test.yml
  • actions/checkout v4
  • bazelbuild/setup-bazelisk v3
  • actions/cache v4
gomod
go.mod
  • go 1.22.2
  • github.com/google/go-cmp v0.6.0
  • github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a@1326539a0a0a
  • golang.org/x/crypto v0.22.0
  • github.com/bazelbuild/rules_go v0.46.0
  • github.com/chromedp/cdproto v0.0.0-20240328024531-fe04f09ede24@fe04f09ede24
  • github.com/chromedp/chromedp v0.9.5
  • github.com/norunners/vert v0.0.0-20221203075838-106a353d42dd@106a353d42dd
  • golang.org/x/tools v0.20.0
npm
package.json
  • @ungap/url-search-params ^0.2.2
  • jsdom ^24.0.0
  • mem-storage-area ^1.0.3
  • web-locks ^0.0.8
  • @types/chrome ^0.0.265
  • typescript ^5.4.4
regex
MODULE.bazel
  • golang 1.22.2
  • chrome 125.0.6403.0

  • Check this box to trigger a request for Renovate to run again on this repository

Revert to default NodeJS version selection

Updating to Go 1.21 due to the following dependency chain:

Thus, we have to wait until a version of aspect_rules_js that defaults to rules_nodejs >= 6.0.0.

For now, we can manually override to use NodeJS 18. This issue tracks reverting to the default.

Make Manager.Unload() accept an ID

Manager.Unload() currently accepts a reference to a loaded key (public key, key type). This is somewhat clunky to handle internally, and results in a few edge cases. It would be cleaner to just accept the ID directly.

IIRC, the original intent was to enable unloading keys that the extension didn't load in the first place. However, we don't currently allow that on the UI, and the extension generally isn't positioned to consistently manage keys loaded outside the extension (e.g., directly from a client) anyways. For example, see #25.

ssh agent not used for WASM ssh connections

When the secure shell extension runs as WASM code instead of PNACL code, which it seems to do occasionally, the ssh agent code does not work to provide authentication for the ssh connection. This results in being prompted for a password, when the public key is not offered to the remote ssh server.

I use the secure shell extension regularly, as well as the ssh-agent extension to provide authentication. Whenever the secure shell tries to run its WASM version, the ssh agent code is not running. I am requesting the use of this extension by adding the following to the ssh relay server option box:
--ssh-agent=eechpbnaifiimgajnomdipfaamobdfha

Client-added keys not persisted past Service Worker restart

Chrome is requiring all extensions to move to Manifest V3 in Chrome, which means using Service Workers instead of a persistent background page.
Chrome will forcibly suspend Service Workers after some time (see https://bugs.chromium.org/p/chromium/issues/detail?id=1152255). This means the instance of the Agent is destroyed, losing all of its loaded keys.

We can list the loaded keys, but we only get back Key instances which (understandably) do not contain the private key material. This makes it impossible for us to save them to be added back when the Service Worker restarts.

For keys loaded via the extension's UI, this is fine since our code loads them to the agent. We store the private key unencrypted in memory in chrome.storage.session (which is fine since the private key was in the Agent anyways), which allows us to add it back when the Service Worker restarts.

However, when a connected ssh client adds a key to the agent, we don't see the private key, and hence have no way to restore it.

Feature Request: Confirm constraint

It would be great to support the confirm mechanism that exists in the SSH agent protocol.

Currently when loading a key through ssh-add with the -c option, the key will actually be used silently without any prompt.

I looked through the golang crypto source code, and it looks like the agent server parses the constraint and sets a ConfirmBeforeUse flag on the key, but the keyring.add method simply ignores it.

From a UI perspective, I'd want the options page to set the constraint when adding a key and / or when loading it.
For the prompt, the extension could show a notification (with require interaction set), to ask to either confirm or deny.
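What honouring the constraint involves, as an added example in Go using only the standard library (this is not code from the project or from golang.org/x/crypto): parse the constraint list that follows the key in SSH_AGENTC_ADD_ID_CONSTRAINED, keep the result alongside the loaded key, and refuse a sign request for a confirm-protected key unless a caller-supplied hook approves. The Agent, Constraints, Handle and Confirm names are assumptions for illustration; the message and constraint numbers are those of the SSH agent protocol that the Credits section refers to, and the same length-prefixed string framing is what that protocol uses on the wire.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Message and constraint numbers from the SSH agent protocol.
const (
	agentFailure      = 5
	agentcSignRequest = 13
	agentSignResponse = 14
	constrainLifetime = 1 // followed by a uint32 of seconds
	constrainConfirm  = 2 // no payload
)

func putU32(b []byte, n uint32) []byte { return append(b, byte(n>>24), byte(n>>16), byte(n>>8), byte(n)) }

// sshString appends an SSH wire-format string: uint32 length, then the bytes.
func sshString(b, s []byte) []byte { return append(putU32(b, uint32(len(s))), s...) }

// readString consumes one wire-format string, rejecting a length that runs past the end.
func readString(b []byte) (s, rest []byte, ok bool) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, false
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], true
}

// Constraints is what an agent must keep for a key added with SSH_AGENTC_ADD_ID_CONSTRAINED
// (ssh-add -c requests Confirm, -t a Lifetime); the issue says the Go keyring drops Confirm.
type Constraints struct {
	Confirm  bool
	Lifetime uint32 // seconds; 0 means none
}

// parseConstraints walks the constraint list that follows the key in the add request. An
// unknown constraint type is an error so that one the agent cannot honour is never dropped.
func parseConstraints(b []byte) (Constraints, error) {
	var c Constraints
	for len(b) > 0 {
		switch b[0] {
		case constrainLifetime:
			if len(b) < 5 {
				return c, fmt.Errorf("truncated lifetime constraint")
			}
			c.Lifetime, b = binary.BigEndian.Uint32(b[1:5]), b[5:]
		case constrainConfirm:
			c.Confirm, b = true, b[1:]
		default:
			return c, fmt.Errorf("unsupported constraint type %d", b[0])
		}
	}
	return c, nil
}

type identity struct {
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	comment string
	cons    Constraints
}

// Agent is a minimal in-memory agent for ed25519 keys. Confirm is the hook a UI would
// implement (the issue suggests a notification); a nil hook denies every confirm-protected use.
type Agent struct {
	ids     []identity
	Confirm func(comment string) bool
}

func (a *Agent) Add(priv ed25519.PrivateKey, comment string, c Constraints) {
	a.ids = append(a.ids, identity{priv.Public().(ed25519.PublicKey), priv, comment, c})
}

// pubBlob is the ssh-ed25519 public key blob that identifies a key on the wire.
func pubBlob(pub ed25519.PublicKey) []byte { return sshString(sshString(nil, []byte("ssh-ed25519")), pub) }

// Handle answers one SSH_AGENTC_SIGN_REQUEST (given without its 4-byte length prefix).
func (a *Agent) Handle(req []byte) []byte {
	if len(req) == 0 || req[0] != agentcSignRequest {
		return []byte{agentFailure} // only signing is modelled here
	}
	blob, rest, ok := readString(req[1:])
	data, _, ok2 := readString(rest) // a uint32 of flags follows; not needed for ed25519
	if !ok || !ok2 {
		return []byte{agentFailure}
	}
	for _, id := range a.ids {
		if !bytes.Equal(blob, pubBlob(id.pub)) {
			continue
		}
		// The confirm constraint: no signature unless the user approves this particular use.
		if id.cons.Confirm && (a.Confirm == nil || !a.Confirm(id.comment)) {
			return []byte{agentFailure}
		}
		sig := sshString(sshString(nil, []byte("ssh-ed25519")), ed25519.Sign(id.priv, data))
		return sshString([]byte{agentSignResponse}, sig)
	}
	return []byte{agentFailure} // key not loaded
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	a := &Agent{Confirm: func(c string) bool { fmt.Println("would prompt for:", c); return false }}
	a.Add(priv, "demo key", Constraints{Confirm: true})
	req := sshString(sshString([]byte{agentcSignRequest}, pubBlob(a.ids[0].pub)), []byte("data"))
	fmt.Println("sign reply type:", a.Handle(putU32(req, 0))[0]) // 5: failure, the user denied
}
```

The design point is that the constraint has to travel with the key from the add request to the sign path; parsing it and then discarding it, which is what the issue describes, produces exactly the silent signing the reporter saw. Failing closed on unknown constraint types matters for the same reason: a client that asked for a restriction the agent does not implement should get SSH_AGENT_FAILURE rather than an unrestricted key.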

Consistently release js.Func objects

We invoke js.FuncOf() to construct callbacks that are invoked as event listeners. In cases where they are one-time events, we invoke Release() when the callback is complete. However, in cases where the callback may be invoked many times, we don't call Release() and we need to find a different way to clean them up appropriately.

CrOS Terminal app is not allowlisted

The ChromeOS / ChromiumOS builtin Terminal app gained SSH capability many releases ago, built on the same libraries as the Secure Shell extension.

Per Terminal app maintainer, it does not have a manifest ID, however it should be possible to allowlist using:

  "externally_connectable": {
    "matches": [
      "chrome-untrusted://terminal/html/terminal_ssh.html*"
    ]
  }

I'll send a pull request for this shortly.

"Failed to load key...."

Starting this afternoon, I'm seeing this error message:


failed to load key: failed to decrypt key: key marshalling failed: x509: unknown key type while marshaling PKCS#8: *ed25519.PrivateKey*

I think there's a new version out, right? Something seems broken.

Edit: to clarify, I see this message when I try to load an existing key (which was loaded and worked this morning!).

Thanks.

ed25519 keys don't load

My ed25519 ssh key doesn't seem to load. I think this started with the Aug 12 2022 release- this key has worked fine for a long time but now fails.

Steps:

  • Open extension and press "load" for an ed25519 key (public key starts with ssh-ed25519)
  • Enter correct passphrase

Expected:

  • Key loads. This has worked correctly for a long time.

Actual:

  • Load fails with an error message "failed to load key: failed to decrypt key: key marshalling failed: x509: unknown key type while marshaling PKCS#8: *ed25519.PrivateKey"

I tried entering the wrong passphrase and got a different error ("failed to load key: failed to decrypt key: failed to parse private key: x509: decryption password incorrect") so I'm pretty sure my passphrase is correct.

This is on a ChromeOS device.

  • Chrome Version 104.0.5112.83 (Official Build) (64-bit)
  • Extension version 0.0.20

Show 'Loading' indicator on Options UI

When the Options page loads, the list of keys is initially blank, and there is no indication that it is fetching them in the background.

If this is on the slower side, it can be somewhat worrying for the user, as they may think that their keys have been removed/forgotten.

Does not work with ECDSA keys

I'm able to add the key through the UI, but when trying to 'load' it, it keeps asking for a password, even when the key is unencrypted.

If I use ssh-add on a remote session, the key is added to the agent, but it seems like the key is lost later / not synced.

These keys can be generated using ssh-keygen -t ecdsa -b 521, as one would expect.
