Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cockpit-ws bastion/unprivilleged forced ssh-agent #21170

Closed
engelant opened this issue Oct 27, 2024 · 3 comments · Fixed by #21202
Closed

cockpit-ws bastion/unprivilleged forced ssh-agent #21170

engelant opened this issue Oct 27, 2024 · 3 comments · Fixed by #21202
Labels
enhancement webserver

Comments

@engelant
Copy link

cockpit/containers/ws/label-run

Line 45 in f985ad0

eval $(ssh-agent)

My issue being, that ssh-agent is started unconditionally.

Can anybody spot any harm in wrapping this in a start if unset condition like so:

if [ -z "$SSH_AUTH_SOCK" ]; then
    eval "$(ssh-agent)"
fi

This would enable me to provide my own SSH_AUTH_SOCK without breaking behavior.
@martinpitt
Copy link
Member

This seems fine to me -- cautiously. You really need to know what you are doing, i.e. do this together with configuring the container for using a private key. You are crossing a security boundary here, i. e. give the container access to your user session. We don't know of any way to exploit it, and the flatpak essentially does the same -- but that doesn't expose cockpit's web server to the network.

@engelant
Copy link
Author

By harm I really just ment for other users in terms of compatability.
Right now for testing i just used a Containerfile to sed out the line, and it works as intended.
Especially under linux I am against hiding potentially dangerous settings, but only if "we don't break userspace".

Therefor my main concern is wether this could break any potentiall existion application.
As it only affects the container label-run and an admin would have to explicitly have set SSH_AUTH_SOCK for an unprivileged environment for the behaviour to change.

@martinpitt
Copy link
Member

No, I can't imagine breaking any existing realistic setup. Setting $SSH_AUTH_SOCKET in the container never worked and was never documented.

@martinpitt martinpitt mentioned this issue Oct 29, 2024
Closed
@engelant engelant mentioned this issue Oct 31, 2024
Merged
martinpitt added a commit to engelant/cockpit that referenced this issue Dec 12, 2024
@martinpitt
containers/ws: Support using an external SSH agent
e4734cc 
In unprivileged mode, support connecting to an already running SSH agent
for sharing SSH private keys.

Thanks to Anton Engelhardt <engelhardt.anton@gmail.com> for the idea and
initial implementation sketch!

Fixes cockpit-project#21170
martinpitt added a commit to engelant/cockpit that referenced this issue Dec 12, 2024
@martinpitt
containers/ws: Support using an external SSH agent
9a84586 
In unprivileged mode, support connecting to an already running SSH agent
for sharing SSH private keys.

Thanks to Anton Engelhardt <engelhardt.anton@gmail.com> for the idea and
initial implementation sketch!

Fixes cockpit-project#21170
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement webserver
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

containers/ws: Support using an external SSH agent engelant/cockpit
2 participants
@martinpitt @engelant