SSH Key Support

This is currently Work-in-progress! It might take a while until this is ready for a pull-request!

Feature/Fix name:

SSH Key support

Feature Description

SSH key import, storage, generation support.

Clients / Repos Affected:

  • Clients
  • (Mobile?)

Details

I saw this post in the feature request which I found quite interesting. Having SSH keys integrated into Bitwarden for logging into my machines or signing git commits would be very cool. I did some research on this, to see what’s required for implementing this feature.

I’d split this into two different feature requests, SSH Key credential support, and ssh-agent support. This pull requests focuses on the former. SSH-agent support is for a later pull request.

To get SSH keys implement into Bitwarden in a useful manner (not just text storage) a few things are required. SSH keys come in a variety of formats (PKCS#8, PKCS#1,…) and using various cryptographic techniques (RSA, Ed25519,…), encryption of private keys and so on. There are simply no libraries that handle this in the browser. RSA is supported by WebCrypto but ed25519 support is only a draft. Furthermore, there are no parsers for the different encodings, and implementing one in a safe way is not a trivial task.

The best option to address this is using a fully featured SSH library that’s already built in another language, and compiling it to WASM. I looked at openssh and sshlib at first, but they were hard to compile and would require some more work to get ported to emscripten (to use WebCrypto for randomness f.e).

I remembered that Golang actually has quite good WASM support these days out of the box, and has official ssh libraries included. So as a proof-of-concept I built a small (not yet finished) wrapper around the key generation / parsing, compiled it to WASM and wrote a JS/TypeScript wrapper. Using this, we can handle all common SSH key formats, decrypt encrypted private keys and generate SSH keys. For now, I just implemented RSA and Ed25519 but adding other key types should be trivial as support is built into golang.

As a proof-of-concept for Bitwarden, I have added ed25519 key generation to the generator:

The goal of this pull request is to add full support for storing and importing SSH keys (by copy paste or drag and drop), and to add support for creating SSH keys right in Bitwarden.

Branch:

Not sure on the timeline on this, depending on how much time I can spare it might be a couple of weeks before this is in a pull-request ready state. I’ll post updates on this as I develop it, feel free to chime in with feedback / suggestions :slight_smile:

14 Likes

My current plan:

  • Finish the WASM wrapper library
  • Add ssh storage support in Bitwarden
  • Add import of private keys gui (copy paste, file, with decryption support)
  • Add other required gui
  • Add full generator support

The argon2 pull request takes priority for now, but I’ll work on these as I have spare time.

2 Likes

This is incredible! Please continue.

Are any relevant GitHub pull requests or issues available which more accurately track the work? (Not that your summarization has been incomprehensive!)

I linked the branch I’m working on in the post. It is not yet ready for a pull-request, so all you can go by is the git commits on the branch as I do them, but I will also post updates here. Once the basic set of features is working, I’ll open a pull request and link it too.

Oh and here is the ssh wasm module, though that’s still in development:

It should work in the browser and node.

2 Likes

Thanks @Quexten I’ll have the team take a look at the proposal! :clap:

1 Like

Quick update: The wasm library has been majorly improved (error handling, support for ECDSA), and I added a lot of necessary infrastructure code in the clients. A basic version of the add item feature:

Next up is import of existing (encrypted) keys.

6 Likes

This would be a great feature. Thanks for working on this! 1Password and Lastpass offer similar functionality.
Keep up the good work!

2 Likes

Definitely something I would love to see implemented! Was very useful at work with 1pass

@bw-admin You added the pr-under-review tag, but this is not even a PR yet. Does that mean the tag is more of a “Pull request proposal under review”?

Anyways, as a brief update: I did not have that much time to continue work on it yet. The web vault part is now fairly complete, editing ssh keys / importing them works.

Still missing:

  • Server support for ssh keys
  • Mobile support
  • UI for clients other than web
  • UI for importing encrypted ssh keys
  • (Possibly adding either ssh-agent client or server support to the desktop rust implementation so ssh keys are available on the system directly from within Bitwarden)

Switched it back to pr-idea, thanks!

1 Like

Hey @Quexten the product team has now reviewed this one. Custom item types is on the roadmap and the team believe this will provide an inclusive solution for the time being so there aren’t any plans to merge this concept.

1 Like

Okay, fair enough. I will put this on hold then, thanks for the update, @bw-admin!

Could you clarify whether custom item times includes pre-defined (official) item types, or would it be exclusively user-defined templates? The original feature request asked for loading keys into the operating system’s ssh-agent (or providing a custom ssh-agent) directly from within Bitwarden Desktop, similar to how 1Password does it. This would require a standardized way to store ssh keys, which would make user-defined item types as storage for this rather tricky / unintuitive.

1 Like

Custom item types is user defined and will arrive before additional predefined item types. I’ll pass the info along to the team for consideration :+1:

2 Likes

Thank you! I might revisit the “ssh agent” part then when custom or pre-defined item types arrive.

1 Like

Sounds good, I’ll move this to the archive for now and we can restore when at that time :+1:

Seconding this feature. Would really like to use SSH keys directly from bitwarden-cli instead of relying on these external patches/tools.

Another excellent feature would be tying bitwarden-cli functionality into the iOS/Android clients, ie like Krypton used to work (before it was bought by Akamai), so I need to tap connect on my phone to authorize the SSH connection.

4 Likes