akamai / akr
Akamai Krypton CLI and SSH Agent (v2)
License: Other
Hello,
Trying to migrate from kr to akr but getting an error.
Using an M1 Mac with an iPhone, not sure if this can be the reason for the error.
> akr setup
Error: File IO error: 'No such file or directory (os error 2)'
If I forget about akr setup and do the setup manually by adding the needed part to .ssh/config by hand, then run akr start, pair works, but if I try to generate a key I get:
Today it seems that if I start the daemon and generate a key it works nicely, but setup is still broken.
> akr start
> akr generate --name ssh
Is it possible to add the functionality to import existing SSH keys and, in the future, GPG keys?
Is there a way to generate different key types? If not, is it possible to add this option?
Thanks
Is it possible for the current Android/iOS app to be paired with more than one computer running akr? If not, this should be a feature.
I used the old kr tool as another way to sync my key between desktops/laptops.
❯ systemctl --user status akr
× akr.service - akr
Loaded: loaded (/home/qdl/.config/systemd/user/akr.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Mon 2022-12-05 22:44:33 CET; 20s ago
Duration: 211us
Process: 66362 ExecStart=/usr/bin/akr start (code=exited, status=216/GROUP)
Main PID: 66362 (code=exited, status=216/GROUP)
CPU: 0
Dez 05 22:44:33 arco3 systemd[710]: akr.service: Scheduled restart job, restart counter is at 5.
Dez 05 22:44:33 arco3 systemd[710]: Stopped akr.
Dez 05 22:44:33 arco3 systemd[710]: akr.service: Start request repeated too quickly.
Dez 05 22:44:33 arco3 systemd[710]: akr.service: Failed with result 'exit-code'.
Dez 05 22:44:33 arco3 systemd[710]: Failed to start akr.
As stated on Stack Exchange, removing the line containing User=username from the service file fixes this.
The issue is similar to #25. It does not work in remote environments like Google Cloud Shell and GitHub Codespaces:
https://shell.cloud.google.com/?show=terminal
https://github.com/codespaces
akr check
You're all set!
akr --version
akr - Akamai Krypton 1.1.2
ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug3: no such identity: /home/user/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_dsa
debug3: no such identity: /home/user/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug3: no such identity: /home/user/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ecdsa_sk
debug3: no such identity: /home/user/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ed25519
debug3: no such identity: /home/user/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ed25519_sk
debug3: no such identity: /home/user/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_xmss
debug3: no such identity: /home/user/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).
I see that Debian/RHEL are supported but not Ubuntu.
I'm trying to get started with akr, and when I execute $ ssh ssh.demo.krypt.co -p 5000, it notifies me with some warning messages. I have configured kr (not akr) before, and my ~/.ssh/config looks like this. I'm assuming I should remove all of the settings that kr created before I execute akr.
# Added by Krypton
Host *
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton
    IdentityFile ~/.ssh/id_ed25519
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_ecdsa
    IdentityFile ~/.ssh/id_dsa
# Begin Akamai MFA SSH Config
Host *
    IdentityAgent /Users/hyamaguc/.akr/akr-ssh-agent.sock
# End Akamai MFA SSH Config
$ ssh ssh.demo.krypt.co -p 5000
Krypton ▶ Requesting SSH authentication from phone
Krypton ▶ Workstation not yet paired. Please run "kr pair" and scan the QRCode with the Krypton mobile app.
sign_and_send_pubkey: signing failed: agent refused operation
no such identity: /Users/hyamaguc/.ssh/id_ed25519: No such file or directory
It looks like you are not using an Akamai MFA FIDO2 SSH key. Make sure kr is installed on this workstation and paired with Akamai MFA.
Check out https://mfa.akamai.com/help for more information.
Connection to ssh.demo.krypt.co closed.
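The output above still comes from the kr tooling ("Please run kr pair") because ssh(1) uses the first value it obtains for each single-valued keyword: with the kr block listed first, its IdentityAgent and krssh ProxyCommand apply and the akr agent socket is never consulted. The following is an added example, not code from the post or the akr project; it models that first-match rule over a constructed copy of the quoted config and assumes plain glob Host blocks with whitespace-separated keywords (no Match, Include or negated patterns).

```python
"""Resolve ssh_config options for a host the way ssh(1) does: the first value
obtained wins.  Added example, not code from the issue or the akr project;
handles only glob Host blocks (no Match/Include/negation), whitespace syntax."""
from fnmatch import fnmatchcase

# Constructed from the ~/.ssh/config quoted in the post (stale kr block first).
SAMPLE_CONFIG = """\
# Added by Krypton
Host *
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton
    IdentityFile ~/.ssh/id_ed25519
# Begin Akamai MFA SSH Config
Host *
    IdentityAgent /Users/hyamaguc/.akr/akr-ssh-agent.sock
# End Akamai MFA SSH Config
"""
MULTI_VALUED = {"identityfile"}  # accumulates instead of first-wins

def matching_directives(config_text, hostname):
    """Yield (keyword, value) for each directive whose Host block matches."""
    active = True  # directives before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            active = any(fnmatchcase(hostname, p) for p in value.split())
        elif active:
            yield keyword, value

def effective_options(config_text, hostname):
    """{keyword: value} as ssh resolves it; IdentityFile collects a list."""
    options = {}
    for keyword, value in matching_directives(config_text, hostname):
        if keyword in MULTI_VALUED:
            options.setdefault(keyword, []).append(value)
        else:
            options.setdefault(keyword, value)  # later values are ignored
    return options

def shadowed_values(config_text, hostname, keyword):
    """Every value offered for a single-valued keyword; ssh silently drops all
    but the first, which is how the kr block hides the akr agent here."""
    return [v for k, v in matching_directives(config_text, hostname)
            if k == keyword.lower()]
```

Running shadowed_values(SAMPLE_CONFIG, "ssh.demo.krypt.co", "IdentityAgent") lists both sockets, and the kr one is the only one ssh will use until the "Added by Krypton" block is removed.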
akr
ssh -T [email protected]
Akamai MFA prompts each time an SSH request is made
As in its predecessor kr, it would be really helpful if akr and/or Akamai MFA provided multiple approval options:
chrono 0.5 should be released with a new time version which fixes https://github.com/akamai/akr/security/dependabot/20 but time has improved significantly and may be a suitable replacement for chrono at this point.
We should still use this on Linux, but on macOS we should do something like invoke AppleScript or some notification command.
Originally posted by @agrinman in #1 (comment)
kr was able to show information about the destination to which the user is attempting to connect, in addition to the hostname of the paired ssh agent. This allows the mobile app to perform additional validations such as checking that the known host key hasn't changed, as well as making the signing notification more informative for the user.
It would be nice to also add support for Ed25519 (plain ones, not SK variants) keys.
The main intended use-case is with more limited SSH servers (usually in the embedded space) such as Dropbear (which only added support for -SK keys in 2022), tinysshd, or many other smaller implementations.
Akamai MFA has not been working for a few days in my environment.
Is this happening only for me?
$ akr check
Error: Response was never received
$ ssh ssh.demo.krypt.co -p 5000
kex_exchange_identification: read: Connection reset by peer
Connection reset by 2a09:8280:1::3:f7 port 5000
$ akr --version
akr - Akamai Krypton 1.0
Akamai MFA v1.6.0.7
Hello,
I would like to know whether there are any plans to add PGP support? It was present in kr.
If you have plans to add it, then would it be possible to extend PGP functionality beyond just signing commits?
For example encrypting and signing regular files.
I believe there are a lot of great applications for PGP keys in such context.
Kind Regards!
I.e. it should be ~/.config/akr, but instead of hardcoding this it is probably worth using the existing directories library to do this (if it supports a "configs" path).
Greetings,
Is there any way to configure akr to only prompt for ssh key access the first time, or with a configurable timeout? This would better approximate the workflow of adding a passphrase-protected key to my ssh-agent at the beginning of my workday.
--cro
https://akamai.github.io/akr-pkg/debian/ returns 404 and I cannot install akr in a Debian docker image.
The related parts of my Dockerfile (Debian: bullseye):
RUN curl -SsL https://akamai.github.io/akr-pkg/debian/KEY.gpg | apt-key add - \
&& curl -SsL -o /etc/apt/sources.list.d/akr.list https://akamai.github.io/akr-pkg/debian/akr.list
RUN apt-get update \
&& apt-get install -y \
# akr \
Some commands and results:
$ cat /etc/apt/sources.list.d/*
deb https://akamai.github.io/akr-pkg/debian ./
$ apt-cache madison akr
N: Unable to locate package akr
Providing an AUR package would be nice, or a generic install script that can install the raw binary. Though the AUR option is preferable.
akr seems to generate a valid QR code, but it is not being picked up by the Akamai MFA app.
$ akr pair
...
Scan the above QR code to pair your device...
Error: Response was never received
$ akr --version
akr - Akamai Krypton 1.0
on x86_64 Arch Linux
Android app is Akamai MFA v1.10.0 (45)
Scanning the QR code with a third party scanner app I get a URL like https://mfa.akamai.com/#redacted
Better colors and UX improvements to output from akr
The previous kr utility was able to wrap codesigning requests for 2FA on git commits, which was very helpful. Is that a planned feature for akr?
It would be nice to have a thorough explanation (without having to resort to looking at the code) of how the akr agent connects to the Android application.
The main reason is for users to be able to assess the risks involved in using akr and the Akamai MFA application, especially if Akamai were to drop support for this application:
Do both the workstation where the agent runs and the Android device require internet connectivity? Can it be used in local networks without internet connectivity? (I'm mainly thinking about remote work or disaster recovery scenarios, where to connect to your router and fix the internet, you actually need internet;) :)
Does it require only some internal Akamai service to be up and running, or does it depend on other third-party services? (Looking in the ~/.akr folder I see something that hints at Azure services;)
Would be great to have the option to add a non-FIDO2 key to the agent.
E.g. ssh-add path/to/privkey should add the key to the agent instead of returning success without adding it, with the message "add error: not a fido2 ssh keypair" from ssh_agent.rs.
The client lets me generate multiple keys but I can't figure out a way to switch between them.
Would be extra useful if there was a way to configure key selection based on host.