Controllable SSH agent passthrough/augmentation
Support for some degree of SSH agent passthrough to Chronitons. This must not expose the key used to authenticate the user to the Chronode, but should allow users to, for example, use SSH key authentication with remote services like GitHub for code pushes.
The connection from the client through the Chronode and into a Chroniton is conceptually modeled as the Chronode behaving like a jump host. However, this jump host is very restrictive about the second leg of the SSH connection.
In common use it is helpful both to pass additional SSH identities into a Chroniton and to provide a way to augment those identities from within the Chroniton itself.
There are ultimately 4 types of SSH keys of concern:
1. User authentication keys to Chronostruct
2. Keys provided by the client agent that are not associated with any Chronostruct user
3. Keys generated on behalf of the user and stored as part of their Chronostruct identity, whose private halves stay inside Chronostruct and are not exportable. These could be standard SSH keys or certificates with bounded lifetimes.
4. Keys generated within the Chroniton that are useful across multiple sessions inside that Chroniton
Keys of type 1 must never be passed through to a Chroniton; keys of types 2 and 3 should be available for opt-in passthrough by the user. Keys of type 4 are already supported, but require re-attaching to any user-created instance of ssh-agent for each new session.
Development of this issue has two parts:
- chronitond alterations to run a local SSH agent, and injection of that agent socket into the environment of new sessions
- chronoded alterations to expose keys of types 2 and 3
The first part is a Phase 1 feature, so that the agent infrastructure is an assumed baseline across all templates; it should be implemented so that the second part can be plugged in later while remaining backwards compatible with existing timestream moments. The second part would require more extensive UI additions than is appropriate for this phase.
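As an added illustration (not chronitond or chronoded code, and not part of the original issue), the following Python models the one property the second leg must have: the agent socket injected into a Chroniton session speaks the ssh-agent protocol but only ever lists, and only ever signs with, the key blobs the user opted in, so the type 1 key is neither visible nor usable from inside the Chroniton. The message numbers are the real ones from draft-miller-ssh-agent; the upstream agent, the key blobs, and the `FilteringAgent` and `FakeUpstreamAgent` names are constructed for the example.

```python
import hashlib
import hmac
import struct

# ssh-agent message numbers, from draft-miller-ssh-agent
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
FAILURE = bytes([SSH_AGENT_FAILURE])


def put_string(b):
    """Encode an SSH 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf, off):
    """Decode an SSH 'string' at offset; returns (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def sign_request(blob, data, flags=0):
    """Build SSH_AGENTC_SIGN_REQUEST: key blob, data to sign, flags."""
    return bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(blob) + put_string(data) + struct.pack(">I", flags)


def identities_answer(keys):
    """Encode [(key blob, comment), ...] as SSH_AGENT_IDENTITIES_ANSWER."""
    body = b"".join(put_string(b) + put_string(c) for b, c in keys)
    return bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys)) + body


def parse_identities(ans):
    """Decode SSH_AGENT_IDENTITIES_ANSWER into [(key blob, comment), ...]."""
    if not ans or ans[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (n,) = struct.unpack_from(">I", ans, 1)
    off, keys = 5, []
    for _ in range(n):
        blob, off = get_string(ans, off)
        comment, off = get_string(ans, off)
        keys.append((blob, comment))
    return keys


class FakeUpstreamAgent:
    """Constructed stand-in for the client's ssh-agent (scaffolding, not a real
    agent). Signs with an HMAC keyed by the key blob so there is a response to
    forward; a real agent signs with the private key it holds."""

    def __init__(self, keys):
        self.keys = dict(keys)  # key blob -> comment

    def __call__(self, msg):
        if msg[0] == SSH_AGENTC_REQUEST_IDENTITIES:
            return identities_answer(list(self.keys.items()))
        if msg[0] == SSH_AGENTC_SIGN_REQUEST:
            blob, off = get_string(msg, 1)
            data, _ = get_string(msg, off)
            if blob not in self.keys:
                return FAILURE
            sig = hmac.new(blob, data, hashlib.sha256).digest()
            return bytes([SSH_AGENT_SIGN_RESPONSE]) + put_string(sig)
        return FAILURE


class FilteringAgent:
    """Agent endpoint a Chroniton session would see (hypothetical; not chronitond
    code). Forwards only allowlisted identities to the upstream agent and refuses
    every other request."""

    def __init__(self, upstream, allowed):
        self.upstream = upstream          # callable: request bytes -> reply bytes
        self.allowed = set(allowed)       # key blobs the user opted in (types 2 and 3)

    def handle(self, msg):
        if not msg:
            return FAILURE
        if msg[0] == SSH_AGENTC_REQUEST_IDENTITIES:
            ans = self.upstream(msg)
            if not ans or ans[0] != SSH_AGENT_IDENTITIES_ANSWER:
                return FAILURE
            # Drop every identity the user did not opt in; the type 1 key is never listed
            return identities_answer([k for k in parse_identities(ans) if k[0] in self.allowed])
        if msg[0] == SSH_AGENTC_SIGN_REQUEST:
            blob, _ = get_string(msg, 1)
            # Check before forwarding, so a session cannot use a hidden key
            # by sending a sign request with a guessed or remembered blob
            return self.upstream(msg) if blob in self.allowed else FAILURE
        # add/remove identity, lock/unlock, extensions: denied by default
        return FAILURE


def demo():
    """Constructed blobs standing in for real public-key encodings."""
    auth = b"blob:type1-chronode-auth"      # must never reach the Chroniton
    github = b"blob:type2-client-github"    # client agent key, opted in
    gen = b"blob:type3-chronostruct-cert"   # Chronostruct-held key, opted in
    upstream = FakeUpstreamAgent({auth: b"chronode-auth", github: b"github", gen: b"generated"})
    agent = FilteringAgent(upstream, allowed=[github, gen])
    listing = agent.handle(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
    return [blob for blob, _ in parse_identities(listing)]


if __name__ == "__main__":
    print(demo())
```

In the design above, chronitond would serve `handle` on a Unix socket (adding the uint32 length framing the socket protocol wraps around each message) and export that path as SSH_AUTH_SOCK in new sessions, while chronoded would populate the allowlist from the user's opted-in type 2 and 3 keys. Filtering the identity listing alone is not sufficient: the check on sign requests is what actually prevents a session from using a key it should not have, which is why it happens before anything is forwarded upstream.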