Lookup plugin that uses SSH agent for decrypting data


anatoly techtonik

Apr 8, 2014, 2:29:57 AM4/8/14
to ansible...@googlegroups.com
Hi,

Is it technically possible to encrypt some sensitive data using available SSH public key, so that only the owner of private key could read them with the help of SSH agent?

Why?
1. No need to remember one more password.
2. No need to send the password to a person who needs to read the file.
3. No need to run one more agent.

Dag Wieers

Apr 8, 2014, 4:33:14 AM4/8/14
to ansible...@googlegroups.com
That is an interesting idea :) It would mean as a team you would need to
add a specific (team) key to your agent (and ensure this key is
sufficiently protected) in order to execute the playbook.

So some way to test if the key is loaded before starting the playbook (or
as part of the playbook) would be useful.

--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, con...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]

anatoly techtonik

Apr 8, 2014, 3:19:14 PM4/8/14
to ansible...@googlegroups.com
On Tuesday, April 8, 2014 11:33:14 AM UTC+3, Dag Wieers wrote:
> On Mon, 7 Apr 2014, anatoly techtonik wrote:
>
> > Is it technically possible to encrypt some sensitive data using available
> > SSH public key, so that only the owner of private key could read them with
> > the help of SSH agent?
> >
> > Why?
> > 1. No need to remember one more password.
> > 2. No need to send the password to a person who needs to read the file.
> > 3. No need to run one more agent.
>
> That is an interesting idea :) It would mean as a team you would need to
> add a specific (team) key to your agent (and ensure this key is
> sufficiently protected) in order to execute the playbook.
>
> So some way to test if the key is loaded before starting the playbook (or
> as part of the playbook) would be useful.

The initial idea was to have the same data encrypted by multiple keys, so
that any from the team can open it, and you don't need to give everybody
some team key or team password - just add all public keys to the chain.

Of course this is possible only when the basic problem of reusing SSH
agent for decryption can be solved.

Maciej Delmanowski

Apr 8, 2014, 3:21:47 PM4/8/14
to ansible...@googlegroups.com
You can encrypt data using GPG keys for multiple recipients - each recipient can access the data using his/her GPG key. GPG keys can also be used to authorize SSH access via Monkeysphere Project. - http://web.monkeysphere.info/.


--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/dc2ac9d7-c7dd-476c-a95e-7e8485f78b42%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Michael DeHaan

Apr 9, 2014, 9:58:44 AM4/9/14
to ansible...@googlegroups.com
It's been suggested that vault be taught to use GPG keys in addition to passwords, which is something I'm open to.

No pull requests have been submitted just yet - unless I'm misremembering.

Not against the option, by any means.

(Using SSH keys feels a little weird?)



anatoly techtonik

Apr 15, 2014, 9:02:10 AM4/15/14
to ansible...@googlegroups.com
On Tuesday, April 8, 2014 10:21:47 PM UTC+3, Maciej Delmanowski wrote:
> You can encrypt data using GPG keys for multiple recipients - each recipient can access the data using his/her GPG key. GPG keys can also be used to authorize SSH access via Monkeysphere Project. - http://web.monkeysphere.info/.

Good pointer. It seems like there is no way to reuse SSH agent to decrypt the vault.
I need to read more about how GPG handles this, and I am somewhat concerned about
security of Monkeysphere. 
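Two points raised above, Dag's "some way to test if the key is loaded before starting the playbook" and Anatoly's conclusion that the SSH agent cannot be reused to decrypt the vault, both follow from the ssh-agent protocol itself. The Python below is an added example, not code from this thread or from Ansible: it speaks the agent wire protocol over $SSH_AUTH_SOCK using only the standard library. The request set an agent understands is list identities, add/remove/lock keys, and sign; there is no decrypt request, so data encrypted to an SSH public key cannot be opened through the agent, only signed with the key behind it. The fake key blob and the file name team_key.pub are assumptions for illustration.

```python
import base64
import os
import socket
import struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
# Client requests cover listing, adding/removing and locking keys, and
# signing.  There is no "decrypt" request.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def ssh_string(b):
    """Encode an SSH 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    """Decode an SSH 'string' at offset off; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated agent message")
    return buf[off:off + n], off + n


def build_identities_answer(keys):
    """Encode SSH_AGENT_IDENTITIES_ANSWER from [(key_blob, comment), ...].
    Only needed here to construct a fake agent reply for offline use."""
    out = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        out += ssh_string(blob) + ssh_string(comment.encode())
    return out


def parse_identities_answer(msg):
    """Return [(key_type, key_blob, comment), ...] from an identities answer."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply: %r" % msg[:1])
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        key_type, _ = read_string(blob, 0)  # every key blob starts with its type name
        keys.append((key_type.decode(), blob, comment.decode(errors="replace")))
    return keys


def pubkey_line(key_type, blob, comment):
    """Render a key in the one-line .pub / authorized_keys format."""
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


def key_is_loaded(pub_line, keys):
    """True if the key from a .pub line is among the agent's keys.
    Only the base64 blob is compared; the comment is user-chosen and not trusted."""
    blob = base64.b64decode(pub_line.split()[1])
    return any(k[1] == blob for k in keys)


def build_sign_request(key_blob, data, flags=0):
    """SSH_AGENTC_SIGN_REQUEST: the only private-key operation the agent exposes."""
    return (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def agent_request(payload, sock_path=None):
    """Send one length-framed request to the live agent; return the reply body."""
    path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(ssh_string(payload))
        (n,) = struct.unpack(">I", _recv_exact(s, 4))
        return _recv_exact(s, n)


def list_agent_keys(sock_path=None):
    """Equivalent of `ssh-add -L`, spoken directly to the agent socket."""
    return parse_identities_answer(
        agent_request(bytes([SSH_AGENTC_REQUEST_IDENTITIES]), sock_path))


if __name__ == "__main__":
    # Pre-flight check in the spirit of the thread: refuse to continue unless
    # the team key is loaded.  "team_key.pub" is an assumed file name.
    import sys
    with open("team_key.pub") as f:
        team_pub = f.read()
    if not key_is_loaded(team_pub, list_agent_keys()):
        sys.exit("team key is not loaded in ssh-agent (run: ssh-add team_key)")
    print("team key present; safe to run the playbook")
```

Run as a script before `ansible-playbook` (or from a local pre_task) it exits non-zero when the team key is absent, which is the check Dag asked for. The comparison is on the raw key blob, the same thing `ssh-add -L` prints in base64, so a key with a renamed comment still matches and a different key with the team's comment does not.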

Maciej Delmanowski

Apr 15, 2014, 9:04:38 AM4/15/14
to ansible...@googlegroups.com
You can keep your GPG keys in a private keyserver (sks for example), and distribute them to your servers that way.



Till Maas

Apr 15, 2014, 12:17:53 PM4/15/14
to ansible...@googlegroups.com
On Mon, Apr 07, 2014 at 11:29:57PM -0700, anatoly techtonik wrote:

> Is it technically possible to encrypt some sensitive data using available
> SSH public key, so that only the owner of private key could read them with
> the help of SSH agent?

It is super easy to do this with GPG, but afaik impossible to use this
for e.g. the sudo password:

http://paste.fedoraproject.org/94407/78404139

It might not be error free due to ansible's bad encoding behaviour
and I stopped using it once I found out I cannot use it for sudo
passwords.

Regards
Till

Michael DeHaan

Apr 15, 2014, 5:41:33 PM4/15/14
to ansible...@googlegroups.com
If modifying vault to include GPG, the sudo password could be set with ansible_sudo_pass and then encoded with vault.




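Maciej's suggestion (encrypt to several GPG recipients so that no shared team secret exists), Till's lookup-plugin approach, and Michael's remark that the sudo password could then be supplied through ansible_sudo_pass can be combined in one small plugin. The Python below is an added example, not Till's paste and not Ansible's own code; it takes the lookup-plugin route rather than modifying vault. It assumes gpg-agent holds the recipient's private key so that `gpg --batch --decrypt` never prompts, and the file names secrets/sudo_pass.gpg and lookup_plugins/gpg.py are assumptions. The gpg invocation is injectable so the helpers can be exercised without gpg installed.

```python
import subprocess

try:  # the base class exists only when running inside Ansible
    from ansible.plugins.lookup import LookupBase
except ImportError:  # lets the helpers below run and be tested stand-alone
    LookupBase = object


def _run_gpg(argv):
    """Run gpg and return (returncode, stdout, stderr) as bytes."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return proc.returncode, proc.stdout, proc.stderr


def gpg_encrypt_argv(src, dst, recipients):
    """Command line that encrypts src to every recipient at once: each listed
    key can decrypt on its own, so no team password is shared around."""
    if not recipients:
        raise ValueError("at least one recipient is required")
    argv = ["gpg", "--batch", "--yes", "--encrypt", "--output", dst]
    for r in recipients:
        argv += ["--recipient", r]
    return argv + [src]


def gpg_encrypt(src, dst, recipients, run=_run_gpg):
    rc, _, err = run(gpg_encrypt_argv(src, dst, recipients))
    if rc != 0:
        raise RuntimeError("gpg encrypt failed: %s"
                           % err.decode(errors="replace").strip())


def gpg_decrypt(path, run=_run_gpg):
    """Decrypt path and return its content as text.  Exactly one trailing
    newline (the one an editor adds) is removed, so a file holding just the
    sudo password yields the bare password and not 'password\\n'."""
    rc, out, err = run(["gpg", "--batch", "--quiet", "--decrypt", path])
    if rc != 0:
        raise RuntimeError("gpg decrypt failed for %s: %s"
                           % (path, err.decode(errors="replace").strip()))
    text = out.decode("utf-8")
    return text[:-1] if text.endswith("\n") else text


class LookupModule(LookupBase):
    """Install as lookup_plugins/gpg.py next to the playbook and use, e.g. in
    group_vars (assumed paths):
        ansible_sudo_pass: "{{ lookup('gpg', 'secrets/sudo_pass.gpg') }}"
    A failed decryption raises, so the play stops instead of running with an
    empty or wrong password."""

    def run(self, terms, variables=None, **kwargs):
        return [gpg_decrypt(term) for term in terms]
```

Adding a teammate means re-encrypting the file with one more `--recipient`; revoking one means re-encrypting without them and rotating the secret, since the old ciphertext they could already read stays readable to them. The decryption error is deliberately surfaced as an exception rather than an empty string: a lookup that quietly returns "" would let the play continue with no sudo password.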