Create a feature in HASSIO to easily enable or disable ssh-agent initialization at startup. In other words, avoid requiring users to perform more in-depth development. Default would be disabled state, which is the current HASSIO configuration.
I am a home automation enthusiast and a moderate developer. While I could perform this type of coding to achieve my desired ssh-agent result, I imagine that many don’t want to or don’t know how to.
An ssh-agent is a very helpful feature to enable keychains so that passphrases for KEYs don’t have to be entered with user input for every interaction.
When developing automations or scripts that interact with systems requiring KEYs, the current options are:
- Create and use KEYs without a passphrase.
  - Since ssh-agent is not enabled within hassio by default configuration, this is a less secure option but required unless you want to use option 2.
- Create and use KEYs with a passphrase.
  - This requires ssh-agent to be running if your scripts and automations don’t want to have user interaction. NOTE: User interaction is a non-starter for many of these instances. So, one must start up ssh-agent on your own and then create and use KEYs with a passphrase. The following thread in this forum shows a few examples of how to perform this: Auto start ssh-agent for Git on startup
Additionally, there is a very good description on this subject:
Perhaps this type of feature was considered before, but I couldn’t find documentation in my quick search. If considered before, what was the rationale for the decision?
I am not a security expert, but I am extremely thorough and cautious. This feature should be thought through by the community to make sure that all the security issues are considered. If this feature is adopted or not, it would be very helpful to document why for others to understand.
This feature should be evaluated to determine if the ssh-agent could be used universally within HASSIO or if Add-Ons won’t have easy access, in which case the value of this feature may be limited. More thought and investigation required.
This feature could improve security in 2 ways:
- Permit use of passphrase on KEYs
- Provide a more uniform way for users to enable ssh-agent and avoid incorrect ssh-agent and ssh-add usage that might result in unintended security holes.
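
A sketch of the "uniform way to enable ssh-agent" discussed in the post, as an added example that is not part of the original post or of HASSIO: it reuses one running agent instead of spawning a new one per shell, and refuses a saved agent environment file that other users could read or replace. The `AGENT_ENV` path and the function names are assumptions.

```shell
#!/bin/sh
# Added example. AGENT_ENV and the function names are assumptions, not HASSIO settings.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# True only for a regular file (not a symlink) that we own and that grants
# no permission bits to group or others.
env_file_is_private() {
    f="$1"
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    case "$(ls -ld "$f")" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if an agent answers on SSH_AUTH_SOCK. ssh-add -l exits 0 (keys loaded)
# or 1 (no keys) when the agent is reachable, and 2 when it is not.
agent_is_alive() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}

# Reuse a running agent when the saved environment is private and live;
# otherwise start one agent and save its environment with mode 0600.
ensure_agent() {
    if env_file_is_private "$AGENT_ENV"; then
        . "$AGENT_ENV" >/dev/null
        agent_is_alive && return 0
    fi
    command -v ssh-agent >/dev/null 2>&1 || return 1
    rm -f "$AGENT_ENV"
    (umask 077; ssh-agent -s > "$AGENT_ENV") || return 1
    . "$AGENT_ENV" >/dev/null
    agent_is_alive
}

# Typical use from a startup script (not run here):
#   ensure_agent && ssh-add "$HOME/.ssh/id_ed25519"   # key path is a placeholder
```

The passphrase is still typed once when `ssh-add` loads the key; afterwards scripts that source the same `AGENT_ENV` file use the key without prompting.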