
akr's People

Contributors

agrinman, dependabot[bot], jameswald, nikhilty

akr's Issues

Cannot setup

Hello 👋,

Trying to migrate from kr to akr but getting an error.

Using an M1 Mac with an iPhone, not sure if this can be the reason for the error.

> akr setup
Error: File IO error: 'No such file or directory (os error 2)'

If I forget about setup and do it manually, adding the needed part to .ssh/config by hand and running akr start,
pairing works, but if I try to generate a key I get:

Today it seems that if I start the daemon and generate a key it works nicely, but setup is still broken.

> akr start
> akr generate --name ssh

More Generate Key Options

Is there a way to generate different key types? If not, is it possible to add this option?

Thanks

Multi-device support

Is it possible for the current Android/iOS app to be paired with more than one computer running akr? If not, this should be a feature.

I used the old kr tool as another way to sync my key between desktops/laptops.

systemd service fails to start (code=exited, status=216/GROUP)

❯ systemctl --user status akr
Γ— akr.service - akr
     Loaded: loaded (/home/qdl/.config/systemd/user/akr.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Mon 2022-12-05 22:44:33 CET; 20s ago
   Duration: 211us
    Process: 66362 ExecStart=/usr/bin/akr start (code=exited, status=216/GROUP)
   Main PID: 66362 (code=exited, status=216/GROUP)
        CPU: 0

Dez 05 22:44:33 arco3 systemd[710]: akr.service: Scheduled restart job, restart counter is at 5.
Dez 05 22:44:33 arco3 systemd[710]: Stopped akr.
Dez 05 22:44:33 arco3 systemd[710]: akr.service: Start request repeated too quickly.
Dez 05 22:44:33 arco3 systemd[710]: akr.service: Failed with result 'exit-code'.
Dez 05 22:44:33 arco3 systemd[710]: Failed to start akr.

As stated on Stack Exchange, removing the line containing User=username from the service file fixes this.

Not work with remote environment - "we did not send a packet"

The issue is similar to #25. It does not work in remote environments like Google Cloud Shell and GitHub Codespaces:
https://shell.cloud.google.com/?show=terminal
https://github.com/codespaces

akr check
You're all set!
akr --version
akr - Akamai Krypton 1.1.2
ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f  31 Mar 2020
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug3: no such identity: /home/user/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_dsa
debug3: no such identity: /home/user/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug3: no such identity: /home/user/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ecdsa_sk
debug3: no such identity: /home/user/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ed25519
debug3: no such identity: /home/user/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ed25519_sk
debug3: no such identity: /home/user/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_xmss
debug3: no such identity: /home/user/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).

"$ ssh ssh.demo.krypt.co -p 5000" is not working

I'm trying to get started with akr, and when I try to execute $ ssh ssh.demo.krypt.co -p 5000, it notifies me with some warning messages. I have configured kr (not akr) before and my ~/.ssh/config looks like this. I'm assuming I should remove all of the settings that kr has created before I execute akr.

# Added by Krypton
Host *
	IdentityAgent ~/.kr/krd-agent.sock
	ProxyCommand /usr/local/bin/krssh %h %p
	IdentityFile ~/.ssh/id_krypton
	IdentityFile ~/.ssh/id_ed25519
	IdentityFile ~/.ssh/id_rsa
	IdentityFile ~/.ssh/id_ecdsa
	IdentityFile ~/.ssh/id_dsa

# Begin Akamai MFA SSH Config
Host *
	IdentityAgent /Users/hyamaguc/.akr/akr-ssh-agent.sock
# End Akamai MFA SSH Config

$ ssh ssh.demo.krypt.co -p 5000
Krypton ▶ Requesting SSH authentication from phone
Krypton ▶ Workstation not yet paired. Please run "kr pair" and scan the QRCode with the Krypton mobile app.
sign_and_send_pubkey: signing failed: agent refused operation
no such identity: /Users/hyamaguc/.ssh/id_ed25519: No such file or directory



[ASCII-art banner reading "AKAMAI MFA KRYPTON"]



It looks like you are not using an Akamai MFA FIDO2 SSH key. Make sure kr is installed on this workstation and paired with Akamai MFA.
Check out https://mfa.akamai.com/help for more information.

Connection to ssh.demo.krypt.co closed.
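
An added illustration, not part of the issue or of the akr project: OpenSSH uses the first value it obtains for each option, so with the two `Host *` blocks quoted above the earlier kr block supplies both IdentityAgent and ProxyCommand, and the akr IdentityAgent line never takes effect. This Python sketch resolves those two options for a host and flags kr leftovers; the sample config is constructed from the post, and the function names and kr marker strings are assumptions.

```python
import fnmatch

# Constructed sample: the two blocks from the post, in the same order.
SAMPLE_CONFIG = """\
# Added by Krypton
Host *
	IdentityAgent ~/.kr/krd-agent.sock
	ProxyCommand /usr/local/bin/krssh %h %p
	IdentityFile ~/.ssh/id_krypton

# Begin Akamai MFA SSH Config
Host *
	IdentityAgent /Users/hyamaguc/.akr/akr-ssh-agent.sock
# End Akamai MFA SSH Config
"""

SINGLE_VALUED = {"identityagent", "proxycommand"}  # options this sketch resolves
KR_MARKERS = ("/.kr/", "krssh")                    # assumed signs of old kr settings


def host_matches(patterns, host):
    """ssh_config Host semantics: a positive pattern must match, no negated one may."""
    pats = patterns.split()
    neg = [p[1:] for p in pats if p.startswith("!")]
    pos = [p for p in pats if not p.startswith("!")]
    hit = lambda p: fnmatch.fnmatchcase(host, p)
    return any(map(hit, pos)) and not any(map(hit, neg))


def effective_options(config_text, host):
    """Resolve options as ssh does: the first value obtained for an option wins."""
    result, active = {}, True  # lines before any Host block apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = host_matches(value, host)
        elif key == "match":
            active = False  # Match blocks are not evaluated in this sketch
        elif active and key in SINGLE_VALUED:
            result.setdefault(key, value)
    return result


def kr_leftovers(options):
    """Names of effective options whose value still points at kr tooling."""
    return sorted(k for k, v in options.items() if any(m in v for m in KR_MARKERS))


if __name__ == "__main__":
    opts = effective_options(SAMPLE_CONFIG, "ssh.demo.krypt.co")
    print(opts, kr_leftovers(opts))
```

On a real workstation, `ssh -G <host>` prints the options OpenSSH itself resolves and can confirm the same result.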

Consider adding support for multi-hour approval

Configuration

  • Version — 1.0 (CLI) / 1.4.2 (iOS)
  • OS — iOS 15.2.1

Steps

  1. Pair Akamai MFA and akr
  2. Perform an authenticated SSH operation — ex., ssh -T [email protected]
  3. Approve request in Akamai MFA by tapping Allow
  4. Perform another authenticated SSH operation to the same host

Current Behavior

Akamai MFA prompts each time an SSH request is made

Desired Behavior

As in its predecessor kr, it would be really helpful if akr and/or Akamai MFA provided multiple approval options:

  • Allow once
  • Allow this host for 3 hours
  • Allow all for 3 hours

Severity

  • Enhancement

Show destination host in signing request notification

kr was able to show information about the destination to which the user is attempting to connect, in addition to the hostname of the paired ssh agent. This allows the mobile app to perform additional validations such as checking that the known host key hasn't changed, as well as making the signing notification more informative for the user.

Add support for Ed25519 keys (non SK)

It would be nice to also add support for Ed25519 (plain ones, not SK variants) keys.

The main intended use-case is with more limited SSH servers (usually in the embedded space) such as Dropbear (which only in 2022 has added support for -SK), tinysshd, or many other smaller implementations.

`Error: Response was never received`

Akamai MFA has not been working for a few days in my environment.
Is this happening only for me?

phenomenon

$ akr check
Error: Response was never received
$ ssh ssh.demo.krypt.co -p 5000
kex_exchange_identification: read: Connection reset by peer
Connection reset by 2a09:8280:1::3:f7 port 5000

environment

macOS

$ akr --version
akr - Akamai Krypton 1.0

iOS

Akamai MFA v1.6.0.7

PGP Support

Hello,

I would like to know whether there are any plans to add PGP support. It was present in kr.
If you have plans to add it, then would it be possible to extend PGP functionality beyond just signing commits?
For example encrypting and signing regular files.
I believe there are a lot of great applications for PGP keys in such context.

Kind Regards!

Use standard linux config dir for `.akr`

I.e. it should be ~/.config/akr -- but instead of hardcoding this it's probably worth using either the existing directories library to do this (if it supports a "configs" path).

Configuring ssh key access to prompt only first time

Greetings,

Is there any way to configure akr to only prompt for ssh key access the first time, or with a configurable timeout? This would better approximate the workflow of adding a passphrase-protected key to my ssh-agent at the beginning of my workday.

--cro

Debian packages are not found

https://akamai.github.io/akr-pkg/debian/ returns 404 and I cannot install akr in a Debian Docker image.

The related parts of my Dockerfile (Debian: bullseye):

RUN curl -SsL https://akamai.github.io/akr-pkg/debian/KEY.gpg | apt-key add - \
    && curl -SsL -o /etc/apt/sources.list.d/akr.list https://akamai.github.io/akr-pkg/debian/akr.list
RUN apt-get update \
    && apt-get install -y \
    # akr \

Some commands and results:

$ cat /etc/apt/sources.list.d/*
deb https://akamai.github.io/akr-pkg/debian ./
$ apt-cache madison akr
N: Unable to locate package akr

Arch Linux support

Providing an AUR package would be nice, or a generic install script that can install the raw binary. Though the AUR option is preferable.

Unable to pair to MFA app

akr seems to generate a valid QR code, but it is not being picked up by the Akamai MFA app.

$ akr pair
...
Scan the above QR code to pair your device...
Error: Response was never received

$ akr --version
akr - Akamai Krypton 1.0

on x86_64 Arch Linux

Android app is Akamai MFA v1.10.0 (45)

Scanning the QR code with a third party scanner app I get a URL like https://mfa.akamai.com/#redacted

codesigning planned?

The previous kr utility was able to wrap codesigning requests for 2FA on git commits which was very helpful. Is that a planned feature for akr?

Please describe the way the agent connects to the Android application

It would be nice to have a thorough explanation (without having to resort to looking at the code) how the akr agent connects to the Android application.

The main reason is for the users to be able to assess the risks involved in using the akr and Akamai MFA application, especially if Akamai would drop support for this application:

  • do both the workstation where the agent runs and the Android require internet connectivity? can it be used in local networks without internet connectivity? (I'm mainly thinking about remote work or disaster recovery scenarios, where to connect to your router and fix the internet, you actually need internet;) :)

  • does it require only some internal Akamai service to be up-and-running? or does it depend on other third party services? (looking in the ~/.akr folder I see something that hints to Azure services;)

Support for ssh-add with non FIDO2 keys

Would be great to have the option to add a non-FIDO2 key to the agent.
E.g. ssh-add path/to/privkey should add the key to the agent instead of returning success but not adding it with the message: add error: not a fido2 ssh keypair in ssh_agent.rs

Multiple key selection

The client lets me generate multiple keys but I can't figure out a way to switch between them.

Would be extra useful if there was a way to configure key selection based on host.
