Implement ssh-agent Protocol

Fuzen-py · May 16, 2022, 2:42am

Would really like to see this implemented, its one of the features stopping me from migrating from 1Password, as they have added the feature recently

SolidRhino · May 31, 2022, 11:56am

Please add this function. I two like to switch from 1 password to bitwarden.

DAN_AUGUSTINE1 · June 3, 2022, 5:13am

+1 would simply my daily workflow

albocc · September 2, 2022, 6:21am

Yes! Please add this feature! I first time saw it with 1Password and I thought, surely Bitwarden has this already, too, right? Turns out it doesn’t

Murz · September 2, 2022, 7:17am

This also can be implemented via libsecret integration, requested here Support for libsecret's dbus API because SSH Agent can get secrets from Gnome Keyring: GNOME/Keyring - ArchWiki

Mikael · September 13, 2022, 6:14am

I saw a comment here that was mentioning it was a bad idea to put keys into cloud with the passphrases, and I agree with that part. I might target to do it so, that it is still the ssh-agent that keeps the hold of the keys and it would ask for the passphrase from Bitwarden specifically. I can sort of see this as a fork of the bitwarden-ssh-agent really. For myself, I already import the keys in session start, and now I have to type in the passphrase, and I would love to use thumbprint instead of the phrase. So this feature would then in my mind become passphrases for signatures, where they key has the public signature available and it is requesting access to the private part.

I can see the appeal of storing keys and passphrases on the manager directly. To me it would equate to storing keys with empty passphrases pretty much from security standpoint. Then again, you’d perhaps store a copy of those keys somewhere like usb key or cloud in any case for the chance of the computer going bust at some point.

Cheers and salutations to a good discussion!

Paul.C · February 28, 2019, 11:11pm

The ‘other’ kind of authentication I find myself having to manage is ssh keys. In a perfect world, there would be some mechanism that I could trust to generate a long key, store the key pair on the origin machine only (and back them up to a secure vault) and distribute the public key to the servers I nominate.

Having some central control over this would certainly help preserve (what remains of) my sanity:

just by managing the files themselves, and their secure delivery to servers. Making this easier reduces the urge to slip into the bad habit of reusing key pairs. Automating the ‘best practices’ means they’re much more likely to be followed.
being able to invalidate keys at a stroke would do much to mitigate the lack of passphrases on keys (e.g. the situation where a laptop is stolen - open the Bitwarden app on your smartphone and mark that key pair as revoked).
the ability to externally impose an ‘expiration’ period on keys. Bonus points for automatic rotation of keys on a schedule, so it ‘just happens’ without manual intervention.

This is a pain-point for me, and I expect every developer/dev ops/infosec person out there.

Paul

itsdom · October 31, 2022, 7:50pm

Feature name

Bitwarden for Devs and Admins
Bitwarden should be able to generate and store SSH Keys and other types of keys.

Feature function

What will this feature do differently?
It would Focus more on Devs and IT Admins who need to manage more then passwords like SSH Keys for Servers or PGP keys for Encryption or Cert files for Domains etc.
What benefits will this feature bring?
For Example: I store my ssh keys on my computer directly but with this implementation I would be able to store them in Bitwarden and my ssh agent will grab the encrypted keys from Bitwarden. So I don’t need to always upload all my ssh keys on a PC or the cloud.
Currently Bitwarden is in my opinion the best Password Manager but may not be the best in functionality. I saw an interesting approach from 1Password who is only in UI/UX better.
Developer Tools | 1Password
There will be some great features explained which I wish to see in Bitwarden one day.

cksapp · November 1, 2022, 2:23am

Hi @itsdom

I believe there is a beta wait-list for this feature currently if you wish to sign up for any future notifications, but this appears to be high on the radar for the Bitwarden Team.

knpwrs · December 14, 2022, 4:28pm

1Password recently shipped this functionality and it’s pretty great: SSH agent | 1Password Developer Documentation

Would be great to see something similar in Bitwarden.

Quexten · January 22, 2023, 11:37am

Starting work on SSH Key generation/import/storage support:

Ssh agent support is out of scope of the pull request. Might do that afterwards, or someone else can if they want to.

Quexten · February 6, 2023, 4:37pm

Hi, quick update: I’m putting work on the ssh key-generation/import/storage support pull-request on hold for now as Bitwarden is working on custom item types already and thus currently does not intend to merge the PR.

Once custom (or better pre-defined) item types arrive I might look at ssh-agent support.

aleks · March 3, 2023, 9:24pm

Any updates here? Would be really nice to have this feature!

bw-admin · March 6, 2023, 4:40pm

Hey @aleks please refer to @Quexten’s message above.

elijahmm · March 8, 2023, 11:05pm

I’m a bit disappointed in this thread. This has been open for 5 years with mostly workarounds and when a community member starts developing the feature it gets squashed because a partially associated feature is on the roadmap.
There’s a lot more to this than just an ssh key item type - the powerful thing is the ability to generate ssh keypairs within bitwarden and then leverage them through a built-in ssh-agent. Essentially, the ability to have the key NEVER exist outside the vault.
I can see a design where bitwarden introduces custom types AND a client plugin system similar to keepass where the plugin creates the item type it requires and implements additional functionality. Unfortunately, this would require implementing an entire run-time plugin capability in addition to the custom item types and probably has a whole list of security and cross-platform compatibility concerns as well.

ihatemyisp · March 14, 2023, 1:08pm

@bw-admin, since @Quexten has put their work on hold because you asked them to, can we get an update from you on the Product Team’s progress?

mietzen · April 8, 2023, 3:40pm

Meanwhile I wrote some scripts to use Bitwarden CLI with TouchID on macOS to ssh into servers until there is a official solution.
Feel free to use, modify or enhance to your needs:

gist.github.com

https://gist.github.com/mietzen/c5ca9794cf70f6fa4402d613d6d5fb10#file-macos-bitwarden-cli-ssh-md

macos-bitwarden-cli-ssh.md

# How to use use Bitwarden CLI for SSH-Keys in macOS

**If you want to use TouchID have a look at: [How to use use Bitwarden CLI with macOS TouchID](https://gist.github.com/mietzen/f383d87c0973c1af877b39e09b50021e#file-macos-bitwarden-cli-with-touch-id-md)**

**Wirtten and tested on macOS Ventura**

## Add SSH-Keys to Bitwarden

Before you can use Bitwarden CLI for your SSH private keys you have to add them to your Bitwarden account.
Just create a normal login. The name, username and URI fields doesn't matter for my functions.

This file has been truncated. show original

This should also work on Linux (minus the TouchID part), but I haven’t tested it.

TheBestPessimist · May 22, 2023, 1:13pm

Duplicates:

TheBestPessimist · June 20, 2023, 4:16pm

~~duplicate: Creating SSH Key in Secrets~~

i was wrong, not a dupe

fabriziobagala · June 20, 2023, 4:30pm

Hi, my request is not duplicated because my request is only about the possibility to save SSH keys within Secret Manager secrets.