✅ Implement ssh-agent Protocol

So, I mainly use KeePass for this exact feature, but I’ve always kind of hoped to use Bitwarden. Because it seems this has been sitting idle, I’ve debated looking at how this should be developed specifically.

The main problem I can see is a way to have settings: how to pick which keys are loaded, whether they need approval, etc. There’s also the question of whether the agent should be allowed to stay persistent and ‘wake up’ the client if need be. I’ve been mainly viewing this from the perspective of the desktop client, by the way.

What I’ve decided on is using a folder for ssh agents, and then (although I don’t LIKE it) using a specifically named secure note to hold options. These could include things like global (default) options for whether Bitwarden prompts for each key usage, or whether it should run an ssh agent or simply add keys like the agent mode in KeeAgent. I’d like to have these options set globally, but I don’t think that Bitwarden has generic options that can be used for this.

Specific SSH keys could also have options, like whether or not to prompt for usage. Maybe you want a normal workday key to just work while the database is unlocked, but not your super-important one? That kind of thing. I’m also still debating whether the key should be stored in a custom field or in the notes section: maybe require OpenSSH format, and ignore any prepended text? It might also be a better idea to have a key import wizard that imports them in whatever format you throw at it, then stores the parts it needs in custom fields, or maybe automatically creates the entry in the right folder.

Developer-wise, it should be possible for the desktop clients to either run an agent (there are a few examples of people doing this in JavaScript) or add the keys to an existing agent, although adding the keys would be way more hassle, as they’d need to use the hardware token option in order to keep security up. It seems like the ssh-agent protocol made it so that adding keys requires passing the private key material along, which I don’t really like. It could be an option for command line users, however. Ideally, I’d like to keep private key material in Bitwarden so that if the client crashes the ssh agent isn’t floating around with key material that won’t time out.

If it weren’t for the fact that, as far as I can tell, no ssh clients on mobile support ssh-agent, I’d even suggest bringing this feature there: but alas, that doesn’t seem to be the case. It’d be more likely that a mobile-specific ssh-agent protocol is developed and support would need to be added to clients, and that isn’t very likely.

You could even add enterprise-specific options for this, where Bitwarden could act as an SSH signing authority and users are automatically assigned keys signed for specific uses depending on the groups they are in. Audit logging could easily maintain a log of when keys are requested, used, or denied, which actually adds features. It could even semi-automatically cycle keys: make sure an admin logs in every $configurable_timespan and approves the cycle for all users. It’d be totally transparent to users, but revocation still has issues, as OpenSSH still doesn’t support using a CRL or OCSP server for ssh certificates.

Oh, and I almost forgot: a good sysadmin could use the audit logging from Bitwarden to collate logins, so if you see someone logged in using a keypair but it wasn’t logged in Bitwarden, you know the key was leaked! Standard per-machine keys can’t do that.

And just because I want to edit again, this is basically saying enterprise customers can have a built-in BLESS instance in the password system they already use.
