Implement proxying of auth requests back through SSH agent forwarding, enabling users to SSH to a remote host and run `epithet agent fish` to get certificates from an internal CA while auth plugins (FIDO2, browser) run on the local machine.

Uses SSH agent protocol extensions (message type 27) with a registry pattern for extensibility:

- [email protected] — probe if socket is an epithet agent
- [email protected] — request auth token from upstream

Key components:

- ProxyAgent: generic ExtendedAgent wrapper with extension handler registry
- ProxyListener: per-connection upstream dialing for agent protocol proxying
- Upstream client: ProbeUpstream() and RequestAuth() functions
- Broker: WithUpstream option and Authenticate() helper (try upstream, fall back to local)
- CLI: `epithet agent <shell>` wrapper mode mirroring ssh-agent's pattern

Multi-hop chaining works naturally — each layer proxies to its upstream. No changes to CA or policy server required.
- Add Ready() channel to ProxyListener with guaranteed close on all return paths, preventing caller hangs on listener startup failure
- Use per-process temp dirs in wrapper mode to avoid collisions between multiple wrapped shells against the same CA
- Only fall back to local auth on UpstreamUnavailableError; propagate genuine upstream auth failures (user cancelled, plugin error)
- Use errors.Is for ErrExtensionUnsupported sentinel comparison
- Fix test data races with atomic.Bool/Int32 for shared counters
- Document token forwarding trust model in extensions.go
- Drain brokerErr channel after shell exit in wrapper mode
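The two mechanisms the description relies on, an extension-handler registry behind the agent's `Extension` call and a broker that falls back to local auth only on `UpstreamUnavailableError`, are sketched below as an added, self-contained example. This is not epithet's code: the agent interface and the `ErrExtensionUnsupported` sentinel are defined locally to stand in for `golang.org/x/crypto/ssh/agent` so the example builds with the standard library, and `ExtAuthPlaceholder` is a placeholder for the extension names the PR registers.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrExtensionUnsupported stands in for the sentinel that
// golang.org/x/crypto/ssh/agent returns for unknown extensions; it is defined
// locally (assumption) so this example builds with the standard library only.
var ErrExtensionUnsupported = errors.New("agent: extension unsupported")

// ExtAuthPlaceholder is a placeholder extension name; the real names used by
// the PR are not reproduced here.
const ExtAuthPlaceholder = "auth@placeholder.example"

// ExtensionHandler services one named extension request (agent message type 27).
type ExtensionHandler func(contents []byte) ([]byte, error)

// ExtensionAgent is the subset of agent.ExtendedAgent this example needs.
type ExtensionAgent interface {
	Extension(name string, contents []byte) ([]byte, error)
}

// ProxyAgent dispatches extension requests through a name-keyed registry.
type ProxyAgent struct {
	mu       sync.RWMutex
	handlers map[string]ExtensionHandler
}

func NewProxyAgent() *ProxyAgent {
	return &ProxyAgent{handlers: map[string]ExtensionHandler{}}
}

// Register installs a handler for an extension name.
func (p *ProxyAgent) Register(name string, h ExtensionHandler) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.handlers[name] = h
}

// Extension answers a registered name or returns the unsupported sentinel,
// which is what a plain ssh-agent effectively reports for unknown extensions.
func (p *ProxyAgent) Extension(name string, contents []byte) ([]byte, error) {
	p.mu.RLock()
	h, ok := p.handlers[name]
	p.mu.RUnlock()
	if !ok {
		return nil, ErrExtensionUnsupported
	}
	return h(contents)
}

// UpstreamUnavailableError marks "no usable upstream" (not reachable, or not an
// epithet agent), as distinct from a genuine auth failure upstream.
type UpstreamUnavailableError struct{ Reason string }

func (e *UpstreamUnavailableError) Error() string {
	return "upstream unavailable: " + e.Reason
}

// RequestAuth asks the upstream agent for an auth token through the extension;
// an unsupported-extension reply is translated into UpstreamUnavailableError
// using errors.Is, so wrapped sentinels are still recognised.
func RequestAuth(upstream ExtensionAgent, extName string) (string, error) {
	resp, err := upstream.Extension(extName, nil)
	if errors.Is(err, ErrExtensionUnsupported) {
		return "", &UpstreamUnavailableError{Reason: "upstream is not an epithet agent"}
	}
	if err != nil {
		return "", err
	}
	return string(resp), nil
}

// Authenticate tries upstream first and falls back to local auth only when the
// upstream is unavailable; a real upstream auth failure (user cancelled, plugin
// error) is propagated rather than silently retried with local plugins.
func Authenticate(upstream, local func() (string, error)) (string, error) {
	tok, err := upstream()
	if err == nil {
		return tok, nil
	}
	var unavailable *UpstreamUnavailableError
	if errors.As(err, &unavailable) {
		return local()
	}
	return "", fmt.Errorf("upstream auth failed: %w", err)
}

func main() {
	// Constructed scenario: the upstream is a plain agent with no extension
	// handlers, so the broker falls back to a local plugin.
	plainAgent := NewProxyAgent()
	tok, err := Authenticate(
		func() (string, error) { return RequestAuth(plainAgent, ExtAuthPlaceholder) },
		func() (string, error) { return "local-token", nil },
	)
	fmt.Println(tok, err)
}
```

The distinction the fallback makes is the security-relevant part: treating every upstream error as "unavailable" would let a user's explicit cancellation at the local FIDO2 prompt be quietly retried by whatever auth plugins happen to be configured on the remote host.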