Post Ac0cmIvLnrLS994eIq by bea@infosec.exchange
 (DIR) Post #Ac0bDr4ojThpynVlpI by mjg59@nondeterministic.computer
       2023-11-20T20:17:29Z
       
       0 likes, 0 repeats
       
       Dear interwub, is there any way I can reasonably have git use a different ssh agent for a given git repo other than having a wrapper around ssh-keygen that sets SSH_AUTH_SOCK and having per-repo config to set gpg.ssh.program? My hardware keys are in another agent.
       
 (DIR) Post #Ac0bZXwUYPDp0Sxc5A by bea@infosec.exchange
       2023-11-20T20:21:00Z
       
       0 likes, 0 repeats
       
       @mjg59 I have a remote that is set to `jithub.com` and a .ssh/config that sets that Host to github.com when it sees it. If you haven't tried that yet? (I realise not a full solution, but maybe a step)
       
 (DIR) Post #Ac0byVeGDiQv8CKua8 by mjg59@nondeterministic.computer
       2023-11-20T20:26:16Z
       
       0 likes, 0 repeats
       
       @nicolas17 yes
       
 (DIR) Post #Ac0cCSnjbQymM4QBwO by bea@infosec.exchange
       2023-11-20T20:21:31Z
       
       0 likes, 0 repeats
       
       @mjg59 whether you consider that "reasonable" or not…
       
 (DIR) Post #Ac0cCTlI20cNKmHklk by mjg59@nondeterministic.computer
       2023-11-20T20:27:28Z
       
       0 likes, 0 repeats
       
       @bea does that help for ssh-keygen? There's no hostname involved at that point so I don't think it does the lookup
       
 (DIR) Post #Ac0cRg1qhlaFivHHMW by mjg59@nondeterministic.computer
       2023-11-20T20:27:43Z
       
       0 likes, 0 repeats
       
       @nicolas17 the latter
       
 (DIR) Post #Ac0cmIvLnrLS994eIq by bea@infosec.exchange
       2023-11-20T20:30:47Z
       
       0 likes, 0 repeats
       
       @mjg59 you can set per host configuration of things, which I know includes identities but I can’t remember if that includes enough for what you want
       
 (DIR) Post #Ac0cmMk9bQlVzZrlPE by bea@infosec.exchange
       2023-11-20T20:33:19Z
       
       0 likes, 0 repeats
       
       @mjg59
       ```
       IdentityAgent
           Specifies the UNIX-domain socket used to communicate with the authentication agent.
           This option overrides the SSH_AUTH_SOCK environment variable
       ```
       maybe?
       
 (DIR) Post #Ac0d10b0EGxle8ZHCi by irenes@mastodon.social
       2023-11-20T20:37:47Z
       
       0 likes, 0 repeats
       
       @mjg59 mm. well, we've been avoiding solving this problem for ourselves.
       
 (DIR) Post #Ac0drcVSWWkgHZ3uRU by cJ@mastodon.zougloub.eu
       2023-11-20T20:47:03Z
       
       0 likes, 0 repeats
       
       @mjg59 My go-to (insecure) solution for ssh config flexibility is https://gitlab.com/exmakhina/ssh-wrappy, an NIH wrapper that can add environment variables or change ssh command-lines depending on... whatever. If you find a better solution please let me know...
       
 (DIR) Post #Ac0eKuMjCcns4MwZxQ by mjg59@nondeterministic.computer
       2023-11-20T20:50:20Z
       
       0 likes, 0 repeats
       
       @bea Right but there's no hostname involved here so how would it look that up?
       
 (DIR) Post #Ac0eVWldHThG49el84 by mjg59@nondeterministic.computer
       2023-11-20T20:51:13Z
       
       0 likes, 0 repeats
       
       @cJ If I only want this to trigger for a specific repo I still need some repo-specific config somewhere, though?
       
 (DIR) Post #Ac0eftDqeFjQbZnMEy by bea@infosec.exchange
       2023-11-20T20:54:57Z
       
       0 likes, 0 repeats
       
       @mjg59 yeah I don't fully understand your problem. This is how I just tried to solve, and I think ultimately failed, having an SSH key in a hardware token for work and a personal key for my own shit for github in the past. If you need multiple, rather than two, then making a separate ssh config fake name for each and fake repo origin is not going to scale. Sorry!
       
 (DIR) Post #Ac0f4cvoM2mPJr9c6C by mjg59@nondeterministic.computer
       2023-11-20T21:01:03Z
       
       0 likes, 0 repeats
       
       @bea I want to have ssh configured to sign commits with a hardware-backed key inside a specific repo, which means ssh-keygen needs to talk to the agent that knows how to handle that. I'd prefer not to have it as the default agent in order to avoid confusion.
       
 (DIR) Post #Ac0fLReVXjffGE51Qu by bea@infosec.exchange
       2023-11-20T21:01:42Z
       
       0 likes, 0 repeats
       
       @mjg59 yup, I fully misunderstood your problem then, sorry!
       
 (DIR) Post #Ac0fUlIrqnnYoUOtwu by mjg59@nondeterministic.computer
       2023-11-20T21:02:25Z
       
       0 likes, 0 repeats
       
       @bea No worries!
       
 (DIR) Post #Ac0hNjTESz6J0h1Zw0 by cJ@mastodon.zougloub.eu
       2023-11-20T21:26:43Z
       
       0 likes, 0 repeats
       
       @mjg59 I have a friend who PATH-shadows the real ssh tools with it... of course a config is needed somewhere. But I realize I haven't enabled ssh-keygen in it. Sorry for the noise!
       
 (DIR) Post #Ac0kmcYzaFe0grHIg4 by tursiae@meow.social
       2023-11-20T22:04:50Z
       
       0 likes, 0 repeats
       
       @mjg59 Would setting up an alias in your ~/.ssh/config be something you'd be comfortable doing?
       ```
       Host server_with_hwtok
         IdentityAgent ~/.ssh_auth_sock_hwtok
         HostName foobar.example.com
       ```
       You should be able to use server_with_hwtok as the remote hostname for the SSH transport, then..
       
 (DIR) Post #Ac0rUCQihwjY6bZW08 by Foxboron@chaos.social
       2023-11-20T23:19:53Z
       
       0 likes, 0 repeats
       
       @mjg59 Would patching git to learn about SSH_AUTH_SOCK be a good solution to this? Else you would need to replace `ssh-keygen -Y` with something more clever, and I don't think that is a bad idea either. Obviously it doesn't solve the issue right now though :)
       
 (DIR) Post #Ac0u43dV52tpAImAPg by baloo@sfba.social
       2023-11-20T23:48:48Z
       
       0 likes, 0 repeats
       
       @mjg59 not answering your question, but. Have you seen OpenSSH >= 8.9 agent extension? https://github.com/openssh/openssh-portable/blob/c52db0114826d73eff6cdbf205e9c1fa4f7ca6c6/PROTOCOL.agent#L6 If you were to look how not to sign a request with a key on an unknown host. I think that works?
       
 (DIR) Post #Ac0yN40ELDB7cYj476 by Unixbigot@aus.social
       2023-11-21T00:37:37Z
       
       0 likes, 0 repeats
       
       @mjg59 I use `direnv` to automagically set up environments when entering my project directories, would that work for you by overriding SSH_AUTH_SOCK in a `.envrc` file?
       
 (DIR) Post #Ac0zA4JlxRw8mvEZM0 by sean@skj.social
       2023-11-21T00:46:25Z
       
       0 likes, 0 repeats
       
       @mjg59 Depending on how your directory structure is, you might could use "includeIf" in ~/.gitconfig to override any part of the default. I do this to override the GPG signingkey depending on which directory I'm in.
       ```
       [includeIf "gitdir:~/somedir/"]
           path = /path/to/other/gitconfig.file
       ```
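
       A worked version of the approach the original post describes (an ssh-keygen wrapper that sets SSH_AUTH_SOCK, selected per repo through gpg.ssh.program) together with the includeIf variant from the post above, added here as an example and not code from anyone in the thread; the agent socket path, wrapper install path, directory and public key are assumed placeholders:

```shell
#!/bin/sh
# Added example, not code from the thread: per-repo SSH commit signing via a second
# ssh-agent, built from the OP's own approach (ssh-keygen wrapper + gpg.ssh.program).
# Assumed placeholders: HWTOK_SOCK (hardware-key agent socket), WRAPPER (install path).
set -eu

HWTOK_SOCK="${HWTOK_SOCK:-${HOME:-/tmp}/.ssh/agent-hwtok.sock}"
WRAPPER="${WRAPPER:-${HOME:-/tmp}/bin/ssh-keygen-hwtok}"

# git runs `<gpg.ssh.program> -Y sign -n git -f <pubkey> <file>`, so the wrapper only
# needs to point SSH_AUTH_SOCK at the other agent and pass every argument through.
render_wrapper() {
    printf '%s\n' '#!/bin/sh' \
        "SSH_AUTH_SOCK='$1'" \
        'export SSH_AUTH_SOCK' \
        'exec ssh-keygen "$@"'
}

# Per-repo settings, emitted as `git config` commands to run inside that one repo.
# The `key::` prefix tells git the signing key is a literal public key, not a file.
render_git_config() {
    wrapper="$1"; pubkey="$2"
    printf 'git config gpg.format ssh\n'
    printf 'git config gpg.ssh.program %s\n' "$wrapper"
    printf "git config user.signingkey 'key::%s'\n" "$pubkey"
    printf 'git config commit.gpgsign true\n'
}

# Alternative from the thread: put the same keys in a gitconfig fragment pulled in
# by `includeIf "gitdir:..."`, so every repo under one directory uses that agent.
render_includeif() {
    dir="$1"; fragment="$2"
    printf '[includeIf "gitdir:%s"]\n\tpath = %s\n' "$dir" "$fragment"
}

install_wrapper() {
    mkdir -p "$(dirname "$WRAPPER")"
    render_wrapper "$HWTOK_SOCK" > "$WRAPPER"
    chmod 0755 "$WRAPPER"
}

# Pre-flight check: ssh-keygen's agent errors are unhelpful, so verify the wrapper
# is executable and the second agent's socket really exists before the first commit.
check_setup() {
    [ -x "$1" ] && [ -S "$2" ]
}
```

The default agent stays untouched for plain ssh, and only repos that point gpg.ssh.program at the wrapper (directly or via the included fragment) ever reach the hardware-key agent.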
       
 (DIR) Post #Ac13QOzDHSY3L8f4Ai by smlx@fosstodon.org
       2023-11-21T01:33:59Z
       
       0 likes, 0 repeats
       
       @mjg59 I worked around this problem by putting all my keys (file and hardware) in a single agent. Then you can set "git config user.signingKey" per repo and it all just works.
       
 (DIR) Post #Ac16hulgfZ7ih9NQuG by mjg59@nondeterministic.computer
       2023-11-21T02:10:58Z
       
       0 likes, 0 repeats
       
       @smlx I can't do that
       
 (DIR) Post #Ac173gUKRVNumFddHE by smlx@fosstodon.org
       2023-11-21T02:14:49Z
       
       0 likes, 0 repeats
       
       @mjg59 which kind of hardware do you have?
       
 (DIR) Post #Ac1GxjEOKYl55XyyW0 by mjg59@nondeterministic.computer
       2023-11-21T04:05:46Z
       
       0 likes, 0 repeats
       
       @smlx a TPM