SSH Key Support

Quexten · January 22, 2023, 11:31am

This is currently Work-in-progress! It might take a while until this is ready for a pull-request!

Feature/Fix name:

SSH Key support

Feature Description

SSH key import, storage, generation support.

Clients / Repos Affected:

Clients
(Mobile?)

Details

I saw this post in the feature request which I found quite interesting. Having SSH keys integrated into Bitwarden for logging into my machines or signing git commits would be very cool. I did some research on this, to see what’s required for implementing this feature.

I’d split this into two different feature requests, SSH Key credential support, and ssh-agent support. This pull requests focuses on the former. SSH-agent support is for a later pull request.

To get SSH keys implement into Bitwarden in a useful manner (not just text storage) a few things are required. SSH keys come in a variety of formats (PKCS#8, PKCS#1,…) and using various cryptographic techniques (RSA, Ed25519,…), encryption of private keys and so on. There are simply no libraries that handle this in the browser. RSA is supported by WebCrypto but ed25519 support is only a draft. Furthermore, there are no parsers for the different encodings, and implementing one in a safe way is not a trivial task.

The best option to address this is using a fully featured SSH library that’s already built in another language, and compiling it to WASM. I looked at openssh and sshlib at first, but they were hard to compile and would require some more work to get ported to emscripten (to use WebCrypto for randomness f.e).

I remembered that Golang actually has quite good WASM support these days out of the box, and has official ssh libraries included. So as a proof-of-concept I built a small (not yet finished) wrapper around the key generation / parsing, compiled it to WASM and wrote a JS/TypeScript wrapper. Using this, we can handle all common SSH key formats, decrypt encrypted private keys and generate SSH keys. For now, I just implemented RSA and Ed25519 but adding other key types should be trivial as support is built into golang.

As a proof-of-concept for Bitwarden, I have added ed25519 key generation to the generator:

The goal of this pull request is to add full support for storing and importing SSH keys (by copy paste or drag and drop), and to add support for creating SSH keys right in Bitwarden.

Branch:

Not sure on the timeline on this, depending on how much time I can spare it might be a couple of weeks before this is in a pull-request ready state. I’ll post updates on this as I develop it, feel free to chime in with feedback / suggestions

Quexten · January 22, 2023, 11:34am

My current plan:

Finish the WASM wrapper library
Add ssh storage support in Bitwarden
Add import of private keys gui (copy paste, file, with decryption support)
Add other required gui
Add full generator support

The argon2 pull request takes priority for now, but I’ll work on these as I have spare time.

rokejulianlockhart · January 22, 2023, 11:38am

This is incredible! Please continue.

Are any relevant GitHub pull requests or issues available which more accurately track the work? (Not that your summarization has been incomprehensive!)

Quexten · January 22, 2023, 11:43am

I linked the branch I’m working on in the post. It is not yet ready for a pull-request, so all you can go by is the git commits on the branch as I do them, but I will also post updates here. Once the basic set of features is working, I’ll open a pull request and link it too.

Oh and here is the ssh wasm module, though that’s still in development:

It should work in the browser and node.

bw-admin · January 22, 2023, 3:07pm

Thanks @Quexten I’ll have the team take a look at the proposal!

Quexten · January 24, 2023, 10:35pm

Quick update: The wasm library has been majorly improved (error handling, support for ECDSA), and I added a lot of necessary infrastructure code in the clients. A basic version of the add item feature:

Next up is import of existing (encrypted) keys.

Brend-Smits · February 3, 2023, 9:35am

This would be a great feature. Thanks for working on this! 1Password and Lastpass offer similar functionality.
Keep up the good work!

Ailuridae · February 5, 2023, 4:14am

Definitely something I would love to see implemented! Was very useful at work with 1pass

Quexten · February 6, 2023, 4:26am

@bw-admin You added the pr-under-review tag, but this is not even a PR yet. Does that mean the tag is more of a “Pull request proposal under review”?

Anyways, as a brief update: I did not have that much time to continue work on it yet. The web vault part is now fairly complete, editing ssh keys / importing them works.

Still missing:

Server support for ssh keys
Mobile support
UI for clients other than web
UI for importing encrypted ssh keys
(Possibly adding either ssh-agent client or server support to the desktop rust implementation so ssh keys are available on the system directly from within Bitwarden)

bw-admin · February 6, 2023, 11:42am

Switched it back to pr-idea, thanks!

bw-admin · February 6, 2023, 4:02pm

Hey @Quexten the product team has now reviewed this one. Custom item types is on the roadmap and the team believe this will provide an inclusive solution for the time being so there aren’t any plans to merge this concept.

Quexten · February 6, 2023, 4:15pm

Okay, fair enough. I will put this on hold then, thanks for the update, @bw-admin!

Could you clarify whether custom item times includes pre-defined (official) item types, or would it be exclusively user-defined templates? The original feature request asked for loading keys into the operating system’s ssh-agent (or providing a custom ssh-agent) directly from within Bitwarden Desktop, similar to how 1Password does it. This would require a standardized way to store ssh keys, which would make user-defined item types as storage for this rather tricky / unintuitive.

bw-admin · February 6, 2023, 4:32pm

Custom item types is user defined and will arrive before additional predefined item types. I’ll pass the info along to the team for consideration

Quexten · February 6, 2023, 4:34pm

Thank you! I might revisit the “ssh agent” part then when custom or pre-defined item types arrive.

bw-admin · February 6, 2023, 5:00pm

Sounds good, I’ll move this to the archive for now and we can restore when at that time

robcohen · August 23, 2023, 5:54pm

Seconding this feature. Would really like to use SSH keys directly from bitwarden-cli instead of relying on these external patches/tools.

Another excellent feature would be tying bitwarden-cli functionality into the iOS/Android clients, ie like Krypton used to work (before it was bought by Akamai), so I need to tap connect on my phone to authorize the SSH connection.

albi · November 5, 2023, 9:48am

Are there any news on how to use SSH keys with custom item types?

PackElend · January 4, 2024, 3:22pm

We are close to the first anniversary of this great proposal.
Any plans to continue on this?

Quexten · January 4, 2024, 3:45pm

This feature basically requires custom item types, and most likely re-writing the crypto part in rust is a good idea since that’s what the other clients (desktop) use for native modules. Unless/until there is an agreement with the Bitwarden team about the design of this feature, I cannot implement this as a community PR, because it most likely won’t get merged.

However, in the meantime, for my personal use I developed a custom Bitwarden client, with SSH key storage (using secure notes) and SSH-agent support, so that you can use SSH keys directly from your Bitwarden vault to log into servers or even sign git commits.

Beware though that this is mostly tested on Linux and the Mac/Windows builds are very much not feature complete.

rokejulianlockhart · January 4, 2024, 3:48pm

@Quexten, are any GH issues and/or Discourse posts tracking these FRs?