google / chrome-ssh-agent
SSH Agent for use with Google Chrome's Secure Shell extension
License: Apache License 2.0
This is not really an issue, but maybe a feature request or just a request for documentation. I was curious if it's possible to do ssh agent forwarding with this?
If so, how?
If not, is that something that could be added?
Thank you!
Updating to Go 1.21 due to the following dependency chain:
Thus, we have to wait until a version of aspect_rules_js that defaults to rules_nodejs >= 6.0.0.
For now, we can manually override to use NodeJS 18. This issue tracks reverting to the default.
We invoke js.FuncOf() to construct callbacks that are invoked as event listeners. In cases where they are one-time events, we invoke Release() when the callback is complete. However, in cases where the callback may be invoked many times, we don't call Release(), and we need to find a different way to clean them up appropriately.
Kinda missing the point of the "private" in "private key" if the key is synchronised to all of my Chrome-using devices.
A popular method to work with Chrome extensions from Opera is to first add the chrome-extensions add-on from https://addons.opera.com/en/extensions/details/install-chrome-extensions/ ; after that one can add chrome-ssh-agent. I've done this, but the add-on does not show the "Open Secure Shell" button.
It would be great to support the confirm mechanism that exists in the SSH agent protocol.
Currently, when loading a key through ssh-add with the -c option, the key will actually be used silently without any prompt.
I looked through the golang crypto source code, and it looks like the agent server parses the constraint and sets a ConfirmBeforeUse flag on the key, but the keyring.add method simply ignores it.
From a UI perspective, I'd want the options page to set the constraint when adding a key and / or when loading it.
For the prompt, the extension could show a notification (with requireInteraction set) to ask to either confirm or deny.
From a review left on the Chrome Webstore: "would be great to be able to activate by default the ssh-agent option in the chrome shell."
Looks like the sftp feature only supports ASCII.
If you try to sftp get a .tar or .zip file it gets corrupted.
Manager.Unload() currently accepts a reference to a loaded key (public key, key type). This is somewhat clunky to handle internally, and results in a few edge cases. It would be cleaner to just accept the ID directly.
IIRC, the original intent was to enable unloading keys that the extension didn't load in the first place. However, we don't currently allow that on the UI, and the extension generally isn't positioned to consistently manage keys loaded outside the extension (e.g., directly from a client) anyways. For example, see #25.
The ChromeOS / ChromiumOS builtin Terminal app gained SSH capability many releases ago, built on the same libraries as the Secure Shell extension.
Per the Terminal app maintainer, it does not have a manifest ID; however, it should be possible to allowlist it using:
"externally_connectable": {
  "matches": [
    "chrome-untrusted://terminal/html/terminal_ssh.html*"
  ]
}
I'll send a pull request for this shortly.
When the secure shell extension runs as WASM code instead of PNACL code, which it seems to do occasionally, the ssh agent code does not work to provide authentication for the ssh connection. This results in being prompted for a password, when the public key is not offered to the remote ssh server.
I use the secure shell extension regularly, as well as the ssh-agent extension to provide authentication. Whenever the secure shell tries to run its WASM version, the ssh agent code is not running. I am requesting the use of this extension by adding the following to the ssh relay server option box:
--ssh-agent=eechpbnaifiimgajnomdipfaamobdfha
Implement a mutex around BigStorage operations to prevent cleaning up chunks that may be referenced.
This is now technically possible since Delete() is no longer an atomic operation; it deletes keys, then cleans up dangling chunks. However, dangling chunks may be newly-referenced if Set() is invoked at the same time as Delete().
This is unlikely given that this is only done in the Options UI, but we should more systematically prevent it.
We can consider the Web Locks API.
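The Set()/Delete() interleaving described above, as an added example that is not the extension's own BigStorage code: a small in-memory chunked store whose delete() garbage-collects unreferenced chunks, run once unguarded and once serialised through a minimal async mutex standing in for the Web Locks API. The class and method names, the chunk id layout and the simulated I/O delays are all assumed for illustration.

```javascript
class Mutex {                          // assumed helper, not the extension's code
  constructor() { this.tail = Promise.resolve(); }
  withLock(fn) {                       // queue fn behind every earlier caller
    const result = this.tail.then(fn);
    this.tail = result.catch(() => {}); // a failure must not poison the queue
    return result;
  }
}
class ChunkedStore {                   // in-memory stand-in for chunked storage
  constructor(lock = null) { this.data = new Map(); this.lock = lock; }
  tick() { return new Promise(r => setTimeout(r, 0)); } // simulated async I/O
  run(fn) { return this.lock ? this.lock.withLock(fn) : fn(); }
  // Set(): write the value's chunks first, then the key record referencing them.
  set(key, value) {
    return this.run(async () => {
      const ids = [];
      for (let i = 0; i < value.length; i += 2) {
        const id = `chunk:${key}:${i}`;
        this.data.set(id, value.slice(i, i + 2));
        ids.push(id);
        await this.tick(); // window in which a concurrent GC sees no referrer
      }
      this.data.set(`key:${key}`, ids);
    });
  }
  // Delete(): drop the key record, then collect chunks no record references.
  delete(key) {
    return this.run(async () => {
      this.data.delete(`key:${key}`);
      await this.tick();
      const referenced = new Set();
      for (const [k, v] of this.data) if (k.startsWith('key:')) v.forEach(id => referenced.add(id));
      for (const k of [...this.data.keys()]) if (k.startsWith('chunk:') && !referenced.has(k)) this.data.delete(k);
    });
  }
  // Reassemble the value; null means a referenced chunk is dangling (corrupt).
  get(key) {
    const ids = this.data.get(`key:${key}`);
    if (!ids) return undefined;
    return ids.every(id => this.data.has(id)) ? ids.map(id => this.data.get(id)).join('') : null;
  }
}
// Run delete('a') and set('b') concurrently, as two Options UI actions could.
async function raceDemo(lock) {
  const store = new ChunkedStore(lock);
  await store.set('a', 'xxxx');
  await Promise.all([store.delete('a'), store.set('b', 'yyyy')]);
  return { a: store.get('a'), b: store.get('b') }; // unguarded: b is null; locked: 'yyyy'
}
```

In the extension, navigator.locks.request() with a fixed lock name would play the role of Mutex.withLock(), making the chunk writes and the cleanup mutually exclusive.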
When the Options page loads, the list of keys is initially blank, and there is no indication that it is fetching them in the background.
If this is on the slower side, it can be somewhat worrying for the user, as they may think that their keys have been removed/forgotten.
I provide my host machine's private key and load it, and add the "SSH Relay Server Options" field.
But when I log in to the server, it still asks for my password.
Builds under Bazel 7 failed when executed under Github's action runners.
The underlying errors were:
ERROR: /home/runner/.cache/bazel/_bazel_runner/b5ea0b3c9d34e2d5dd9018c7508d45aa/external/_main~chromium_dependencies~chromedriver/BUILD.bazel:2:8: declared output 'external/_main~chromium_dependencies~chromedriver/chromedriver.bin' is a dangling symbolic link
ERROR: /home/runner/.cache/bazel/_bazel_runner/b5ea0b3c9d34e2d5dd9018c7508d45aa/external/_main~chromium_dependencies~chromedriver/BUILD.bazel:2:8: Executing genrule @@_main~chromium_dependencies~chromedriver//:chromedriver failed: not all outputs were created or valid
This issue tracks upgrading to Bazel 7 and not pinning to a specific version.
When gopherjs is vendored, 'make vet' fails with the following error:
vetting code
go/agentport/io.go:32:2: cannot find package "github.com/gopherjs/gopherjs/js" in any of:
/home/ralimi/gocode/src/github.com/google/chrome-ssh-agent/vendor/github.com/gopherjs/gopherjs/js (vendor tree)
/usr/lib/go-1.10/src/github.com/gopherjs/gopherjs/js (from $GOROOT)
/home/ralimi/gocode/src/github.com/gopherjs/gopherjs/js (from $GOPATH)
Makefile:55: recipe for target 'vet' failed
make: *** [vet] Error 1
For now, 'make vet' is no longer executed by default.
Renovate added bzlmod support in renovatebot/renovate#13658.
This is currently blocked on the following items:
An example run: https://github.com/google/chrome-ssh-agent/runs/7818213408
The error we get is "timeout waiting for Xvfb", and this happens for the end-to-end tests. It happens during initialization of Selenium (https://github.com/tebeka/selenium/blob/e9100b7f5ac11727841302026707e3961ba14712/service.go#L377).
This issue was automatically created by Allstar.
Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code
Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.
Remediation Steps
To remediate, remove the generated executable artifacts from the repository.
Artifacts Found
Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.
Allstar has been installed on all Google managed GitHub orgs. Policies are gradually being rolled out and enforced by the GOSST and OSPO teams. Learn more at http://go/allstar
This issue will auto resolve when the policy is in compliance.
Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.
My ed25519 ssh key doesn't seem to load. I think this started with the Aug 12 2022 release; this key has worked fine for a long time but now fails.
Steps:
Expected:
Actual:
I tried entering the wrong passphrase and got a different error ("failed to load key: failed to decrypt key: failed to parse private key: x509: decryption password incorrect") so I'm pretty sure my passphrase is correct.
This is on a ChromeOS device.
Starting this afternoon, I'm seeing this error message:
failed to load key: failed to decrypt key: key marshalling failed: x509: unknown key type while marshaling PKCS#8: *ed25519.PrivateKey*
I think there's a new version out, right? Something seems broken.
Edit: to clarify, I see this message when I try to load an existing key (which was loaded and worked this morning!).
Thanks.
Hello friends,
many thanks to you for this great extension.
It's working great with the ssh extension.
I'd like to also use it in mosh sessions of the same ssh extension, but I don't see how to do that.
Please help or instruct.
Thank you in advance,
alex
In my setup, the SSH keys alone are not sufficient for authentication if not accompanied by an SSH certificate. With OpenSSH, certificates are automatically loaded into the ssh-agent after calling ssh-add, which means there are two entries in the agent listing:
$ ssh-add -l
2048 SHA256:sARrpIfvcA+WXiGe209WuUiqOB7zyA7zdxmHGjfqiYU [email protected] (RSA)
2048 SHA256:sARrpIfvcA+WXiGe209WuUiqOB7zyA7zdxmHGjfqiYU [email protected] (RSA-CERT)
It would be nice if loading of SSH certificates was supported by this Chrome app as well.
From a review left on the Chrome Webstore: "Minor feature request: For each unencrypted key, have an option to load it automatically."
I'm able to add the key through the UI, but when trying to 'load' it, it keeps asking for a password, even when the key is unencrypted.
If I use ssh-add on a remote session, the key is added to the agent, but it seems like the key is lost later / not synced.
These keys can be generated using ssh-keygen -t ecdsa -b 521, as one would expect.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
@types/chrome, aspect_rules_js, aspect_rules_ts, bazel_skylib, chrome, github.com/bazelbuild/rules_go, github.com/chromedp/cdproto, github.com/youmark/pkcs8, robinraju/release-downloader, rules_go, typescript
Detected dependencies:
MODULE.bazel: rules_go 0.46.0, gazelle 0.36.0, rules_nodejs 6.1.0, aspect_rules_js 1.40.1, aspect_rules_ts 2.2.0, aspect_rules_esbuild 0.19.0, bazel_skylib 1.5.0, rules_pkg 0.10.1, rules_proto 6.0.0-rc1
.bazelversion: bazel 7.1.1
.devcontainer/devcontainer.json: ghcr.io/devcontainers/features/go 1, ghcr.io/devcontainers/features/node 1, ghcr.io/audacioustux/devcontainers/bazel 1
.github/workflows/codeql-analysis.yml: actions/checkout v4, actions/setup-go v5, github/codeql-action v3, github/codeql-action v3
.github/workflows/release-beta.yml: actions/checkout v4, bazelbuild/setup-bazelisk v3, softprops/action-gh-release v2, mnao305/chrome-extension-upload v5.0.0
.github/workflows/release.yml: actions/checkout v4, robinraju/release-downloader v1.9, mnao305/chrome-extension-upload v5.0.0
.github/workflows/test.yml: actions/checkout v4, bazelbuild/setup-bazelisk v3, actions/cache v4
go.mod: go 1.22.2, github.com/google/go-cmp v0.6.0, github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a@1326539a0a0a, golang.org/x/crypto v0.22.0, github.com/bazelbuild/rules_go v0.46.0, github.com/chromedp/cdproto v0.0.0-20240328024531-fe04f09ede24@fe04f09ede24, github.com/chromedp/chromedp v0.9.5, github.com/norunners/vert v0.0.0-20221203075838-106a353d42dd@106a353d42dd, golang.org/x/tools v0.20.0
package.json: @ungap/url-search-params ^0.2.2, jsdom ^24.0.0, mem-storage-area ^1.0.3, web-locks ^0.0.8, @types/chrome ^0.0.265, typescript ^5.4.4
MODULE.bazel: golang 1.22.2, chrome 125.0.6403.0
Right now, gopherjs is the only non-test dependency that is not vendored. Vendoring gopherjs is dependent on gopherjs/gopherjs#415 being resolved.
Go files that are part of a go_library rule have a build tag that causes them to be ignored unless being built under WebAssembly. Unfortunately, if the build tag is present in tests, the test will silently be skipped.
To avoid this, consider writing a nogo check that _test.go files have no build tags.
Chrome is requiring all extensions to move to Manifest V3 in Chrome, which means using Service Workers instead of a persistent background page.
Chrome will forcibly suspend Service Workers after some time (see https://bugs.chromium.org/p/chromium/issues/detail?id=1152255). This means the instance of the Agent is destroyed, losing all of its loaded keys.
We can list the loaded keys, but we only get back Key instances which (understandably) do not contain the private key material. This makes it impossible for us to save them to be added back when the Service Worker restarts.
For keys loaded via the extension's UI, this is fine since our code loads them to the agent. We store the private key unencrypted in memory in chrome.storage.session (which is fine since the private key was in the Agent anyways), which allows us to add it back when the Service Worker restarts.
However, when a connected ssh client adds a key to the agent, we don't see the private key, and hence have no way to restore it.
Updates to Go dependencies are available.
To update, run scripts/update-go-deps.sh
This agent extension would be a great place to add support for "Keychains" to Secure Shell.
The user could import (and bind for hardware backing) a certificate in Chrome's store (chrome://settings/certificates) and the extension would access those using the chrome.platformKeys API.
I guess the X.509 certificate would have to contain dummy information as only the public and private key are useful. The extension could help with generating the certificate for import by converting the OpenSSH keypair.
An additional way to support hardware backed keys would be through Smart Cards, similar to how OpenSSH's agent can use a PKCS11 module.
I'm guessing this agent extension would need to implement a middleware for the Smart Card Connector extension.
This extension can't load keys protected with a passphrase as generated by ssh-keygen, which contain no block headers.
The migration to bzlmod in #162 left nogo unsupported. See bazelbuild/rules_go#3529 for context.
We have a static analysis tool that ensures there are no Go buildtags specified in _test.go files. Including such tags can silently prevent tests from running. See https://github.com/google/chrome-ssh-agent/tree/master/nogo/testbuildtags for the code.
This issue tracks finding a way to re-enable these static analysis checks.