-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support SSH keys on desktop 2024.12 #5187
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have not tested it. But looks good. Just one remark.
Nice, so Vaultwarden is only incompatible right now with recent web versions but all other clients fully work? |
Once merged and released yes. |
Note: this might cause problems for key rotation. If the web client does not support parsing and serializing key ciphers, then key rotation might either fail or even end up with undecryptable items (if skipped), so rotation should be blocked. I'm not sure about what vaultwarden does for validation here, but upstream has rotation validators, that block rotation entirely for cases like this: https://github.com/bitwarden/server/blob/dfbc400520f4c474b28e1279a86b2fae1da052a9/src/Api/Vault/Validators/CipherRotationValidator.cs#L10 |
It probably will and i think it will cause issues. |
We could check if there are any |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As mentioned in the comments already. Before we add this feature, we should add the same kind of checks for the key-rotation to prevent missing keys in the rotation, and make them unavailable anymore, and thus make all SSH Key's unusable.
It might be nice to add a more descriptive warning in case someone is using a newer client then 2024.6.2 to run the key-rotation if there are SSH Ciphers. But a more general error would also be a good start for verifying all ciphers are inculded.
And i think we should do the same for all other rotated items like emergency request, folders etc...
Nice, good call about the key rotation validation. I've improved the validation to match what Bitwarden is doing. We now check that we have all the ciphers, folders, sends, etc before doing the rotation |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While i was not able to get a working Desktop v2024.12.0 version this looks to work great.
I tested it with a v2024.11.1 version which was build via Actions. But it was unable to either generate a key or import one from the clipboard.
Besides that, it did saved the ssh-cipher as an item and key-rotation failed with that item in the database as it should to prevent corruption. Without that cipher key-rotation worked fine.
@BlackDex any errors? / what happened when you generated them? Also which build specifically (windows/mac/linux[what package])? If this is still a bug in upstream, I'd like to be able to reproduce it. During development I've only tested against official server so far, but I don't think the server can make generation/import fail. The most similar bug encountered so far is: bitwarden/clients#11985
Needs to be a local build at the moment, you can change the version in the package.json file for desktop and it should work. |
Yeah, I've tested the client against this implementation and at least generation and saving worked fine. I didn't try to use them, but that is indendendent of the server. If you're having problems building the desktop clients with the updated version, you can also comment out or reduce the version check on the server: vaultwarden/src/api/core/ciphers.rs Line 121 in 2393c3f
And then you can use any recent builds from here: |
@quexten. I used the AppImage build for Linux. It did this both via the generate and import. @dani-garcia, i downgraden the version check to v2024.11.0 or greater, so that worked at least. Not certain which specific build i used, but it was one from that list, just a bit older then the latest there right now. I also enabled the ssh-agent checkbox in the settings, restarted, but it didn't helped. I'm using Arch Linux with Gnome 46.x. |
@quexten I'm just getting key invalid on Windows. Can you import this key? It's auto generating a key fine though
|
@quexten the problem seems to be with password protected keys. Also, using a build from here: https://github.com/bitwarden/clients/actions/runs/11860813999 seems to have solved the generate issue i had before. I see the following log output (The
I tried the following (freshly) generated keys:
With Password (
|
The key I posted is an unencrypted RSA key. I also tried an ed22519 key both encrypted and unencrypted and always getting key invalid. Importing a key that Bitwarden itself generated works however so there might be a bug in rust ssh-key as the keys are perfectly valid. @BlackDex feel free to use this version https://github.com/larena1/bw-clients/actions/runs/11863465157 |
This has nothing to do with Rust. Those keys were generated with OpenSSH tools And since the importing happens in the Desktop client it doesn't even save that, so the server isn't even called, and Vaultwarden just stores this as a blob of data, no parsing is done. Your version has the exact same problem, but that is to be expected since it only seems to change the version number, which wasn't an issue for me since i changed the version check in Vaultwarden it self. |
@BlackDex I was only referring to my problem and not yours. Sorry for the confusion. I did not yet try to save a key as I'm stuck with not being able to import any of mine currently |
My comments still apply. It has nothing to do with Rust and keys generated using official OpenSSH tools also fail. I also find it a bit strange the Desktop client doesn't provide an option to generate a password protected ssh-key btw. |
I'll debug these next week, thank you for the keys.
However, the unencrypted RSA key from @larena1 should work, but it also does not for me. @larena1 what tool were the keys generated with? (The ones used in the unit tests of the importer are generated with |
There is code to handle encrypted openssh keys but maybe that's not fully working or not properly showing a password prompt yet. Keys were generated using puttygen on Windows. |
Ah, the rust part in the client. I didn't looked there :). That is also a bit confusing but clear now. |
@larena1 Putty encodes openssh-formatted private keys that are encoded differently to openssh. I don't know whether this is a putty bug or an |
@quexten I decrypted the key using ssh-keygen and was able to import it then. Can you also add pageant support for PuTTY on Windows additionally to OpenSSH agent? PuTTY unfortunately only supports the former. |
Yeah, there is an internal ticket for pageant support. Unfortunately pageant is seemingly pretty nasty to implement in rust: https://github.com/Eugeny/russh/blob/main/pageant/src/pageant_impl.rs . Not sure what's required exactly there yet. |
https://github.com/ndbeals/winssh-pageant There is also an implementation of the receiving side in Go. Sounds like it might take a bit longer then until the feature is available? |
I have enabled the EXPERIMENTAL_FLAGS, but I dont see the ssh type. What did I wrong? |
Where are you checking this? |
I checked if the options appear in the admon panel and installed the newest desktop client from flathub (stable) |
The desktop version is still v2024.11.x as far as i can see. It's not yet v2024.12.x which is needed for SSH support. |
You need 2024.12.0 which is not released on flathub yet. Alternatively you can use the latest build from That said, I'm not entirely sure if ssh agent works on flatpak yet, (same goes for snap). |
Hello! I also tried out the SSH keys feature with my Vaultwarden. However I wasn't able to get SSH agent to work. Here's what I did:
If I understood it correctly I should now be able to see keys saved in Bitwarden using |
Yeah, there is a bug (fixed in main but did not make it to 2024.12.0). You can probably get it to work by running |
OK cool, will wait for the fix upstream then. Thanks for clarifying! |
Added support for the new SSH item key type in desktop 2024.12+
To test it, you need a desktop build from
bitwarden/clients:main
, and to enable the feature flags on server.