
Passphrase encrypted rsa or ed25519 default keys complicates the usability #12

Open
johnalotoski opened this issue Dec 16, 2021 · 2 comments
Labels: enhancement (New feature or request), help wanted (Extra attention is needed)

Comments

@johnalotoski

On a system where a user has a default passphrase-protected rsa and/or ed25519 key, agenix throws errors, even if the identity is explicitly declared as an alternate key:

# Specify a cwd non-passphrase protected ed25519 key:

❯ agenix -vvv -i ./id_ed25519 test-encrypted/test.age
DEBUG checking '/home/$USER' for .agenix.toml config
DEBUG found config at '/home/$USER/.agenix.toml'
TRACE validate_config? false
TRACE rekey? false
TRACE path.is_none()? false
TRACE got valid ssh identity 'ssh-ed25519 <snip> testkey'
DEBUG using ["./id_ed25519", "/home/$USER/.ssh/id_rsa"] as identity file(s)
Error: 
   0: Failed to decrypt file 'test-encrypted/test.age'
   1: Failed to get usable identity or identities
   2: /home/$USER/.ssh/id_rsa: EncryptedPem

Location:
   src/cli.rs:703

Now, let's remove the offending passphrase protected key which it is choking on to make it work:

❯ mv ~/.ssh/id_rsa ~/.ssh/id_rsa-tmp-rename
❯ agenix -vvv -i ./id_ed25519 test-encrypted/test.age
DEBUG checking '/home/$USER' for .agenix.toml config
DEBUG found config at '/home/$USER/.agenix.toml'
TRACE validate_config? false
TRACE rekey? false
TRACE path.is_none()? false
TRACE got valid ssh identity 'ssh-ed25519 <snip> testkey'
DEBUG using ["./id_ed25519"] as identity file(s)
TRACE rekey? false
TRACE encrypt_in_place? false
DEBUG editor: 'vim'
DEBUG args: 'None'
WARN  contents unchanged, not saving

The upstream age reference shows that if the default user rsa and ed25519 keys it checks are passphrase protected, it will prompt if needed, or silently ignore any passphrase errors.

Here it is blocking instead. It seems it would be better to adopt the upstream behavior so users aren't forced to move their default keys if password protected?
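One way to implement the behaviour proposed above, as an added example in std-only Rust that is not agenix's own code: detect a passphrase-protected key from its header without attempting decryption, skip such keys with a warning when they are only implicit defaults, and fail hard only for a key the user named explicitly with `-i` or when no usable identity remains. The `Candidate` struct, the `classify` and `select_identities` functions and the two sample key blobs (genuine OpenSSH headers, cut off before any key material) are constructed for this example.

```rust
#[derive(Debug, PartialEq)]
pub enum KeyState { Plain, Encrypted, Unparseable }
pub struct Candidate<'a> { pub path: &'a str, pub pem: &'a str, pub explicit: bool }

/// std-only base64 decoder; padding and line breaks are skipped.
fn b64_decode(s: &str) -> Vec<u8> {
    const T: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for v in s.bytes().filter_map(|c| T.iter().position(|t| *t == c)) {
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); acc &= (1u32 << bits) - 1; }
    }
    out
}

/// Detect a passphrase-protected key without decrypting it: an OpenSSH blob starts with
/// "openssh-key-v1\0" and a length-prefixed cipher name, where "none" means cleartext.
pub fn classify(pem: &str) -> KeyState {
    if pem.contains("Proc-Type: 4,ENCRYPTED") { return KeyState::Encrypted; } // classic PEM
    let body: String = pem.lines().filter(|l| !l.starts_with("-----")).collect();
    let raw = b64_decode(&body);
    if !raw.starts_with(b"openssh-key-v1\0") || raw.len() < 19 { return KeyState::Unparseable; }
    let n = u32::from_be_bytes([raw[15], raw[16], raw[17], raw[18]]) as usize;
    match raw.get(19..19 + n) {
        Some(c) if c == b"none" => KeyState::Plain,
        Some(_) => KeyState::Encrypted,
        None => KeyState::Unparseable,
    }
}

/// Policy from the issue: warn and skip default keys that need a passphrase; fail hard only
/// for a key the user named with -i, or when no usable identity remains.
pub fn select_identities<'a>(cands: &[Candidate<'a>]) -> Result<Vec<&'a str>, String> {
    let mut usable = Vec::new();
    for c in cands {
        match (classify(c.pem), c.explicit) {
            (KeyState::Plain, _) => usable.push(c.path),
            (KeyState::Encrypted, false) => eprintln!("WARN  skipping passphrase-protected default key {}", c.path),
            (KeyState::Unparseable, false) => eprintln!("WARN  ignoring unparseable default key {}", c.path),
            (state, true) => return Err(format!("{}: {:?}, cannot use explicit identity", c.path, state)),
        }
    }
    if usable.is_empty() { Err("no usable identity".into()) } else { Ok(usable) }
}

// Constructed samples: real OpenSSH headers (cleartext vs aes256-ctr/bcrypt), truncated before any key material.
pub const PLAIN_KEY: &str = "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB\n-----END OPENSSH PRIVATE KEY-----\n";
pub const ENCRYPTED_KEY: &str = "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0\n-----END OPENSSH PRIVATE KEY-----\n";
```

With the issue's scenario (`-i ./id_ed25519` plus a passphrase-protected default `id_rsa`), `select_identities` returns `Ok(["./id_ed25519"])` after printing a warning instead of the `EncryptedPem` error.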

cole-h added the labels enhancement and help wanted on Dec 24, 2021

@cole-h (Owner)

cole-h commented Dec 24, 2021

I don't currently have time to investigate this issue, but your approach definitely sounds reasonable. I'd gladly accept a PR fixing this! (And sorry for the delay in getting back to you.)

@johnalotoski (Author)

Thanks. I'm swamped also, unfortunately, so I probably won't be able to contribute a PR any time soon.
