Implement ssh-agent Protocol

One thing I’m really missing is the integration of an ssh-agent like KeeAgent does for Keepass.
That way Putty and other SSH Clients can request keyfiles via Bitwarden and Bitwarden could display a dialog if it should be allowed or not.

Right now I’m really missing a way to securely store and sync ssh keys as copy and paste isn’t very useful for them.

I would also like to see ssh better supported.
SSH would be a Type (i.e. Domain).
The cli tool would take a command that would register via ssh-add.

2 Likes

KeePass has a plugin which provides a similar functionality as proposed here, see https://github.com/dlech/KeeAgent
It integrates very well, especially on Windows together with the Windows-shipped SSH, but with Putty as well.

KeepassXC also has an SSH Agent right out of the box. It works VERY well…

What’s wrong with using Pageant? It’s specifically designed to store an SSH key and present it upon login. You can make it auto start with Windows as well.

If you’re trying to sync them online, that’s bad practice. Even with a password on it. You should have a key for each device and you can label the device with it even. That way if you lose your laptop and have one on your tablet, you can connect in, delete the laptop one, and have peace of mind without scrambling to regenerate a new one and update it everywhere.
If you hope to get the device back you can comment out the key to disable it temporarily, or if using a GUI and it has a disable option, do that. If not, at least delete it. The password is only going to help delay the user from gaining access if they’re really dedicated.

Found this project on GitHub: https://github.com/joaojacome/bitwarden-ssh-agent
It's a Python-based SSH agent for Bitwarden. I did not test it, but will leave it here as information.

@Dubz
Is there a way to use Pageant with the SSH keys stored in Bitwarden?
I still use KeePassXC for that missing feature.

No. Pageant loads the private key from your computer, and prompts you for its password when you do. I always have my keys unique to the devices they’re on, and with a password on the key files.

OK! So that's of course a solution, but not what I'm searching for.
Thank you for your answer.

So, I mainly use Keepass for this exact feature, but I've always kind of hoped to use Bitwarden. Because it seems this has been sitting idle, I've debated looking at how this should be developed specifically.

The main problem I can see is a way to have settings: how to pick which keys are loaded, if they need approval, etc. There’s also the question on whether the agent should be allowed to stay persistent and ‘wake up’ the client if need be: I’ve been mainly viewing this from the perspective of the desktop client, by the way.

What I’ve decided on is using a folder for ssh agents, and then (although I don’t LIKE it) using a specifically named secure note to include options. These could include things like global (default) options for whether bitwarden prompts for each key usage, or things like whether it should run an ssh agent or simply add keys like the agent mode in KeeAgent. I’d like to have these options set globally, but I don’t think that Bitwarden has generic options that can be used.

Specific SSH keys could also have options, like whether or not to prompt for usage. Maybe you want a normal workday key to just work while the database is unlocked, but not your super-important one? That kind of thing. I’m also still debating on whether the key should be stored in a custom field or in the notes section: Maybe require openssh format, and ignore any prepended text? It might also be a better idea to have a key import wizard that imports them in whatever format you throw at it, then stores the parts it needs in custom fields, or maybe automatically creates the entry in the right folder.

Developer-wise, it should be possible for the desktop clients to either run an agent (there are a few examples of people doing this in JavaScript) or add the keys to an existing agent, although adding the keys would be way more hassle, as they'd need to use the hardware token option in order to keep security up. It seems like the ssh-agent protocol made it so adding the keys requires passing the private key material along, which I don't really like. It could be an option for command line users, however. Ideally, I'd like to keep private key material in Bitwarden so that if the client crashes the ssh agent isn't floating around with key material that won't time out.

If it wasn't for the fact that, as far as I can tell, no ssh clients on mobile support ssh-agent, I'd even suggest importing this feature there. But alas, that doesn't seem to be the case. It'd be more likely that a mobile-specific ssh-agent protocol is developed and support would need to be added to clients, and that isn't very likely.

You could even add enterprise specific options for this, where bitwarden could act as an SSH signing authority and users are automatically assigned keys signed for specific uses depending on groups they are in: Audit logging could easily maintain a log of when keys are requested, used, or denied which actually adds features. It could even semi-automatically cycle keys: Make sure an admin logs in every $configurable_timespan and approves the cycle for all users. It’d be totally transparent to users, but revocation still has issues as openssh still doesn’t support using a CRL or OCSP server for ssh certificates.

Oh, and I almost forgot: A good sysadmin could use the audit logging from bitwarden to collate logins, so if you see someone logged in using a keypair but it wasn’t logged in bitwarden you know the key was leaked! Standard per-machine keys can’t do that.

And just because I want to edit again, this is basically saying enterprise customers can have a built-in BLESS instance in the password system they already use.

Adding again, but it looks like the best option would be to run an ssh agent (and not add keys to an existing one). I was thinking maybe use PKCS11 to allow for approval from Bitwarden, but the way SSH agents work means that in order to do it you need to drop a binary in a secure location and then get it to load, which isn't great. If the agent was run BY Bitwarden it could happily do whatever is needed, including (for enterprise) requesting and getting a certificate for that specific use. Actually writing an SSH agent isn't that bad either, so I think it could be a great option. Don't know what it'd be like to write it in JavaScript, however.

Thanks for the detail @ShaRose! We still have this as high on our backlog - hopefully we’ll have more information later this year.

No problem. I actually started a thread on this topic on the subreddit as well, and there have been a few good ideas to look at related to this.

In particular, I like the idea of having to approve a client install to enable ssh agent access, and loading ‘sets’ of keys into the agent (rather than automatically loading them on login).

This is probably almost worth its own feature request, but figure I’ll toss it in:

In addition to client key management, host keys (e.g. supplementing known_hosts) would be nice to supply to clients out-of-band wherever you're expecting clients to authenticate. Admittedly most SSH users likely ignore the server end of authentication. It's slightly redundant with SSHFP DNS records. Also, it'd need to be done carefully to prevent it becoming an attack vector against users' ssh configurations.

Larger organizations tend to drop individual key management in favor of SSH certificates signed by internal CAs.

The ‘other’ kind of authentication I find myself having to manage is ssh keys. In a perfect world, there would be some mechanism that I could trust to generate a long key, store the key pair on the origin machine only (and back them up to a secure vault) and distribute the public key to the servers I nominate.

Having some central control over this would certainly help preserve (what remains of) my sanity:

  1. just by managing the files themselves, and their secure delivery to servers. Making this easier reduces the urge to slip into the bad habit of reusing key pairs. Automating the ‘best practices’ means they’re much more likely to be followed.

  2. being able to invalidate keys at a stroke would do much to mitigate the lack of passphrases on keys (e.g. the situation where a laptop is stolen - open the Bitwarden app on your smartphone and mark that key pair as revoked).

  3. the ability to externally impose an ‘expiration’ period on keys. Bonus points for automatic rotation of keys on a schedule, so it ‘just happens’ without manual intervention.

This is a pain-point for me, and I expect every developer/dev ops/infosec person out there.

  • Paul

I feel like this feature would scratch an itch for even enterprise business accounts and the like. I see people asking for this in enterprise-level software and having to stand up massive solutions to solve a problem that Bitwarden seems positioned to solve easily.

Down deep inside, my inner-troll is dying to tell my colleagues that I have an affordable solution that trumps their $100K annual spend. :joy:

1 Like

This would be great. I’ve been looking for a replacement to KeeAgent (KeePass addon that emulates PuTTY Pageant). Or even not having to use Pageant either. Having this SSH agent in the Bitwarden desktop client would be awesome.

If not, then at the very least a way to store the SSH keys

I 100% support this feature request.

It’s the biggest reason for anyone to switch from KeePass/KeeAgent to BitWarden.

3 Likes

This is a very important feature to me. I’m trying to get my company get bitwarden and this would be a big bonus.

I personally use KeePass/KeeAgent to manage my ssh keys currently.

I used it with KeePass and KeeAgent and I really miss it here.

bump this up

Hell yes, SSH keys are the way to go for machine auth.
But does it make sense to have our comparatively weak passwords encrypted in Bitwarden and multi-factor secured, while having our SSH keys stored in plain sight on the hard drives?
Best case we password-secure them, but it is annoying to enter the password every time I load Pageant.

Also, I don't think this would be very hard to implement; it could be part of Bitwarden Desktop,
and existing code is open source.