diff --git a/README.md b/README.md index 066bc91..85940e9 100644 --- a/README.md +++ b/README.md @@ -13,16 +13,18 @@ Fetches SSH keys stored in Bitwarden vault and adds them to `ssh-agent`. ./bw_add_sshkeys.py ``` 2. Enter your Bitwarden credentials, if a Bitwarden vault session is not already set. -3. (optional) Enter your SSH keys' passphrases. +3. (optional) Enter your SSH keys' passphrases if they're not stored in your Bitwarden. ## Storing the keys in BitWarden 1. Create a folder called `ssh-agent` (can be overridden on the command line). 2. Add an new secure note to that folder. 3. Upload the private key as an attachment. 4. Add the custom field `private` (can be overridden on the command line), containing the file name of the private key attachment. -5. Repeat steps 2-4 for each subsequent key +5. (optional) If your key is encrypted with passphrase and you want it to decrypt automatically, save passphrase into custom field `passphrase` (field name can be overriden on the command line) +6. Repeat steps 2-5 for each subsequent key ## Command line overrides * `--debug`/`-d` - Show debug output * `--foldername`/`-f` - Folder name to use to search for SSH keys _(default: ssh-agent)_ * `--customfield`/`-c` - Custom field name where private key filename is stored _(default: private)_ +* `--passphrasefield`/`-p` - Custom field name where passphrase for the key is stored _(default: passphrase)_ \ No newline at end of file diff --git a/bw_add_sshkeys.py b/bw_add_sshkeys.py index 6acc636..8f6eac0 100755 --- a/bw_add_sshkeys.py +++ b/bw_add_sshkeys.py @@ -135,7 +135,7 @@ def folder_items(session: str, folder_id: str) -> List[Dict[str, Any]]: return data -def add_ssh_keys(session: str, items: List[Dict[str, Any]], keyname: str) -> None: +def add_ssh_keys(session: str, items: List[Dict[str, Any]], keyname: str, pwkeyname: str) -> None: """ Function to attempt to get keys from a vault item """ @@ -144,7 +144,7 @@ def add_ssh_keys(session: str, items: List[Dict[str, Any]], keyname: str) -> Non private_key_file = [ k['value'] for k in item['fields'] - if k['name'] == keyname and k['type'] == 0 + if k['name'] == keyname ][0] except IndexError: logging.warning('No "%s" field found for item %s', keyname, item['name']) @@ -156,6 +156,21 @@ def add_ssh_keys(session: str, items: List[Dict[str, Any]], keyname: str) -> Non continue logging.debug('Private key file declared') + private_key_pw = None + try: + private_key_pw = [ + k['value'] + for k in item['fields'] + if k['name'] == pwkeyname + ][0] + logging.debug('Passphrase declared') + except IndexError: + logging.warning('No "%s" field found for item %s', pwkeyname, item['name']) + except KeyError as error: + logging.debug( + 'No key "%s" found in item %s - skipping', error.args[0], item['name'] + ) + try: private_key_id = [ k['id'] @@ -172,12 +187,12 @@ def add_ssh_keys(session: str, items: List[Dict[str, Any]], keyname: str) -> Non logging.debug('Private key ID found') try: - ssh_add(session, item['id'], private_key_id) + ssh_add(session, item['id'], private_key_id, private_key_pw) except subprocess.SubprocessError: logging.warning('Could not add key to the SSH agent') -def ssh_add(session: str, item_id: str, key_id: str) -> None: +def ssh_add(session: str, item_id: str, key_id: str, key_pw: str) -> None: """ Function to get the key contents from the Bitwarden vault """ @@ -202,17 +217,21 @@ def ssh_add(session: str, item_id: str, key_id: str) -> None: ) ssh_key = proc_attachment.stdout + if key_pw: + envdict = dict(os.environ, SSH_ASKPASS=os.path.realpath(__file__), SSH_KEY_PASSPHRASE=key_pw) + else: + envdict = dict(os.environ, SSH_ASKPASS_REQUIRE="never") + logging.debug("Running ssh-add") - # CAVEAT: `ssh-add` provides no useful output, even with maximum verbosity subprocess.run( ['ssh-add', '-'], input=ssh_key, # Works even if ssh-askpass is not installed - env=dict(os.environ, SSH_ASKPASS_REQUIRE="never"), + env=envdict, universal_newlines=True, check=True, - ) + ) if __name__ == '__main__': @@ -240,6 +259,12 @@ if __name__ == '__main__': default='private', help='custom field name where private key filename is stored', ) + parser.add_argument( + '-p', + '--passphrasefield', + default='passphrase', + help='custom field name where key passphrase is stored' + ) return parser.parse_args() @@ -269,10 +294,13 @@ if __name__ == '__main__': items = folder_items(session, folder_id) logging.info('Attempting to add keys to ssh-agent') - add_ssh_keys(session, items, args.customfield) + add_ssh_keys(session, items, args.customfield, args.passphrasefield) except subprocess.CalledProcessError as error: if error.stderr: logging.error('`%s` error: %s', error.cmd[0], error.stderr) logging.debug('Error running %s', error.cmd) - main() + if os.environ.get('SSH_ASKPASS'): + print(os.environ.get('SSH_KEY_PASSPHRASE')) + else: + main()