Support SSH keys on desktop 2024.12 #5187
Conversation
|
Nice, so Vaultwarden is only incompatible right now with recent web versions but all other clients fully work? |
Once merged and released yes. |
|
Note: this might cause problems for key rotation. If the web client does not support parsing and serializing key ciphers, then key rotation might either fail or even end up with undecryptable items (if skipped), so rotation should be blocked. I'm not sure about what vaultwarden does for validation here, but upstream has rotation validators, that block rotation entirely for cases like this: https://github.com/bitwarden/server/blob/dfbc400520f4c474b28e1279a86b2fae1da052a9/src/Api/Vault/Validators/CipherRotationValidator.cs#L10 |
It probably will and i think it will cause issues. |
|
We could check if there are any |
There was a problem hiding this comment.
As mentioned in the comments already. Before we add this feature, we should add the same kind of checks for the key-rotation to prevent missing keys in the rotation, and make them unavailable anymore, and thus make all SSH Key's unusable.
It might be nice to add a more descriptive warning in case someone is using a newer client then 2024.6.2 to run the key-rotation if there are SSH Ciphers. But a more general error would also be a good start for verifying all ciphers are inculded.
And i think we should do the same for all other rotated items like emergency request, folders etc...
|
Nice, good call about the key rotation validation. I've improved the validation to match what Bitwarden is doing. We now check that we have all the ciphers, folders, sends, etc before doing the rotation |
There was a problem hiding this comment.
While i was not able to get a working Desktop v2024.12.0 version this looks to work great.
I tested it with a v2024.11.1 version which was build via Actions. But it was unable to either generate a key or import one from the clipboard.
Besides that, it did saved the ssh-cipher as an item and key-rotation failed with that item in the database as it should to prevent corruption. Without that cipher key-rotation worked fine.
@BlackDex any errors? / what happened when you generated them? Also which build specifically (windows/mac/linux[what package])? If this is still a bug in upstream, I'd like to be able to reproduce it. During development I've only tested against official server so far, but I don't think the server can make generation/import fail. The most similar bug encountered so far is: bitwarden/clients#11985
Needs to be a local build at the moment, you can change the version in the package.json file for desktop and it should work. |
|
Yeah, I've tested the client against this implementation and at least generation and saving worked fine. I didn't try to use them, but that is indendendent of the server. If you're having problems building the desktop clients with the updated version, you can also comment out or reduce the version check on the server: vaultwarden/src/api/core/ciphers.rs Line 121 in 2393c3f And then you can use any recent builds from here: |
|
@quexten. I used the AppImage build for Linux. It did this both via the generate and import. @dani-garcia, i downgraden the version check to v2024.11.0 or greater, so that worked at least. Not certain which specific build i used, but it was one from that list, just a bit older then the latest there right now. I also enabled the ssh-agent checkbox in the settings, restarted, but it didn't helped. I'm using Arch Linux with Gnome 46.x. |
|
@quexten I'm just getting key invalid on Windows. Can you import this key? It's auto generating a key fine though |
|
@quexten the problem seems to be with password protected keys. Also, using a build from here: https://github.com/bitwarden/clients/actions/runs/11860813999 seems to have solved the generate issue i had before. I see the following log output (The I tried the following (freshly) generated keys: With Password ( |
|
The key I posted is an unencrypted RSA key. I also tried an ed22519 key both encrypted and unencrypted and always getting key invalid. Importing a key that Bitwarden itself generated works however so there might be a bug in rust ssh-key as the keys are perfectly valid. @BlackDex feel free to use this version https://github.com/larena1/bw-clients/actions/runs/11863465157 |
|
This has nothing to do with Rust. Those keys were generated with OpenSSH tools And since the importing happens in the Desktop client it doesn't even save that, so the server isn't even called, and Vaultwarden just stores this as a blob of data, no parsing is done. Your version has the exact same problem, but that is to be expected since it only seems to change the version number, which wasn't an issue for me since i changed the version check in Vaultwarden it self. |
|
@BlackDex I was only referring to my problem and not yours. Sorry for the confusion. I did not yet try to save a key as I'm stuck with not being able to import any of mine currently |
|
My comments still apply. It has nothing to do with Rust and keys generated using official OpenSSH tools also fail. I also find it a bit strange the Desktop client doesn't provide an option to generate a password protected ssh-key btw. |
|
I'll debug these next week, thank you for the keys.
However, the unencrypted RSA key from @larena1 should work, but it also does not for me. @larena1 what tool were the keys generated with? (The ones used in the unit tests of the importer are generated with |
|
There is code to handle encrypted openssh keys but maybe that's not fully working or not properly showing a password prompt yet. Keys were generated using puttygen on Windows. |
|
Ah, the rust part in the client. I didn't looked there :). That is also a bit confusing but clear now. |
Added support for the new SSH item key type in desktop 2024.12+
To test it, you need a desktop build from
bitwarden/clients:main, and to enable the feature flags on server.