Bug 4534 - Support authentication using public key held in ssh-agent
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: MediumPrio
Assignee: Bugzilla mail exporter
Duplicates: 8233
Blocks: 7896
Reported: 2013-02-06 10:48 CET by Peter Åstrand
Modified: 2024-06-01 11:20 CEST


Attachments
Mockup 1 - the tlclient login window when public key auth is used (93.56 KB, image/png)
2024-06-01 11:11 CEST, Samuel Mannehed
Mockup 2 - the tlclient security options (99.23 KB, image/png)
2024-06-01 11:11 CEST, Samuel Mannehed
Mockup 3 - the tlclient options public key details window (101.15 KB, image/png)
2024-06-01 11:12 CEST, Samuel Mannehed
Mockup 4 - the tlclient public key file chooser (100.09 KB, image/png)
2024-06-01 11:13 CEST, Samuel Mannehed

Description Peter Åstrand cendio 2013-02-06 10:48:18 CET
This bug is similar to bug 4436. When using public key authentication, it would be nice if we could use keys held in a running ssh-agent. As far as I can tell, this does not work, since we are clearing SSH_AUTH_SOCK regardless of authentication type.
Comment 9 Aaron Sowry cendio 2023-09-07 11:04:47 CEST
Another benefit of this would be the ability to use GPG sub-keys to authenticate with ThinLinc via gpg-agent. gpg-agent supports ssh-agent emulation, so in theory we should get this feature "on the house".

Extracting a GPG sub-key in SSH format is non-trivial these days, so those who use gpg-agent for SSH authentication will have a hard time using the same key with ThinLinc.
Comment 10 Pierre Ossman cendio 2023-09-26 15:42:44 CEST
*** Bug 8233 has been marked as a duplicate of this bug. ***
Comment 11 Pierre Ossman cendio 2024-02-06 09:22:58 CET
macOS apparently has the weird setup where the key is still stored on disk, but the passphrase for it is stored in the keychain:

https://apple.stackexchange.com/questions/48502/how-can-i-permanently-add-my-ssh-private-key-to-keychain-so-it-is-automatically

I am not sure if that's within scope here or not.
Comment 13 Samuel Mannehed cendio 2024-06-01 11:11:07 CEST
Created attachment 1198
Mockup 1 - the tlclient login window when public key auth is used
Comment 14 Samuel Mannehed cendio 2024-06-01 11:11:58 CEST
Created attachment 1199
Mockup 2 - the tlclient security options
Comment 15 Samuel Mannehed cendio 2024-06-01 11:12:37 CEST
Created attachment 1200
Mockup 3 - the tlclient options public key details window
Comment 16 Samuel Mannehed cendio 2024-06-01 11:13:11 CEST
Created attachment 1201
Mockup 4 - the tlclient public key file chooser
Comment 17 Samuel Mannehed cendio 2024-06-01 11:20:37 CEST
The idea depicted in the attached tlclient mockup images is as follows:

Instead of the user being required to pick a single key file to use for public key auth, he or she should be able to configure a list of keys in the options. Furthermore, ssh-agent should also be available. When connecting, tlclient will test each manually configured key as well as keys held in ssh-agent.

1. When public key auth is chosen, the login window no longer shows widgets for choosing a key (attachment 1198).
2. The security options page now shows a detail button next to the "Public key" authentication method (attachment 1199).
3. The public key details window allows the user to add or remove private key files to use, and to toggle the use of ssh-agent (attachment 1200).
4. After pressing "Add" for a new private key file, a file chooser is opened (attachment 1201).
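
An added example, not part of the comment above and not ThinLinc code: one way a client could turn the proposed settings (a list of key files plus an ssh-agent toggle) into a launch of an OpenSSH `ssh` child, passing `SSH_AUTH_SOCK` through only when the agent is enabled and usable. It assumes a Unix client that spawns OpenSSH; `build_ssh_launch`, `agent_socket` and `usable_key` are hypothetical names.

```python
import os
import stat


def agent_socket(env):
    """Return SSH_AUTH_SOCK only if it names a Unix socket owned by this user."""
    path = env.get("SSH_AUTH_SOCK")
    if not path:
        return None
    try:
        st = os.stat(path)
    except OSError:
        return None
    if not stat.S_ISSOCK(st.st_mode) or st.st_uid != os.getuid():
        return None
    return path


def usable_key(path):
    """Accept only regular files with no group/other permission bits set."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def build_ssh_launch(host, key_files, use_agent, env):
    """Hypothetical helper: return (argv, child_env) for the ssh child."""
    child_env = dict(env)  # never mutate the caller's environment
    keys = [k for k in key_files if usable_key(k)]
    sock = agent_socket(env) if use_agent else None
    if not keys and sock is None:
        raise ValueError("no usable key file and no usable agent")
    argv = ["ssh", "-o", "PreferredAuthentications=publickey"]
    for k in keys:
        argv += ["-i", k]
    if sock is None:
        # Agent disabled or unusable: hide the socket from the child and
        # tell ssh to offer only the identities named with -i.
        child_env.pop("SSH_AUTH_SOCK", None)
        argv += ["-o", "IdentityAgent=none", "-o", "IdentitiesOnly=yes"]
    argv.append(host)
    return argv, child_env
```

With the agent enabled, ssh tries the `-i` files and whatever identities the agent offers, so a server's `MaxAuthTries` limit can be hit when the agent holds many keys.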
