ssh-agent-action's Introduction

ssh-agent

GitHub action to load a key in memory using a temp disk (tmpfs).

It can be used as an attempt to keep the private ssh key from being written to disk.

Usage

โš ๏ธ Beware this action only works with passphrase-less key.

    - name: Load ssh key in agent
      id: agent
      uses: LeastAuthority/ssh-agent-action@v1
      with:
        private_key: ${{ secrets.SSH_KEY }}

Alternatively, assuming that the private_key is already available as a file in an existing tmpfs (e.g. using mount-tmpfs), the input can be the path to that file.

    - name: Load ssh key in agent
      id: agent
      uses: LeastAuthority/ssh-agent-action@v1
      with:
        private_key: /path/to/private_key

The action sets a variable in the environment which can be used to find the socket to interact with the agent. By default, the name of the variable is SSH_AUTH_SOCK and the path to the socket is ${{ github.workspace }}/S.agent.ssh. Those can be changed with the auth_sock_name and auth_sock_path inputs, respectively.

Without changing anything, most ssh clients should now be able to use the key.

    - name: Test ssh connection
      run: |
        ssh -a -x -o StrictHostKeyChecking=no [email protected]  whoami

The ssh-agent can be re-used inside a docker container.

    - name: Test ssh connectivity inside docker
      run: |
        docker run \
        -e SSH_AUTH_SOCK=${SSH_AUTH_SOCK} \
        -v ${SSH_AUTH_SOCK}:${SSH_AUTH_SOCK} \
        codingkoopa/openssh ssh -a -x -o StrictHostKeyChecking=no [email protected] whoami

ssh-agent-action's People

Contributors

btlogy, the-la-bot

ssh-agent-action's Issues

Use absolute path to sock by default

When using a docker container, it is a bit easier when the path to the socket is absolute rather than relative to the workspace.

Changing the default value to prefix it with the workspace should not hurt.

Add a license file

Least Authority being an open-source oriented organization, the code hosted in the repository, even small, should be covered by an explicit LICENSE file to avoid falling into the "All rights reserved" software by default.

From Least Authority website:

Open source tools are at the core of our products and services.

Import existing action

This action has already been implemented elsewhere, and this repository will make it re-usable w/o changing the existing interface.

Support use with private_key input being a path to an existing file

Description

If the private key has already been written in a file, forcing its extraction as a string to be set in a variable and copied over again in a tmpfs seems pointless.

Motivation

In some cases, the key is obtained using other actions/steps which already mitigate the risk of the key being written on disk.
Otherwise, if already on disk, it's too late to mitigate those risks by using a tmpfs anyway.

Acceptance criteria

Calling the action with a path to an existing private_key rather than a secret string should skip the tmpfs steps and directly load the key in the agent.

Additional information

This issue has been created in a specific case where the key is exchanged via the MagicWormhole and already made available in a tmpfs (private repo: LeastAuthority/mw-projects#104).
