Github + HAOS: do you consider ssh agent forwarding safe, or is there a better option?

When I test on HA on a local machine I map repos via volumes in docker compose and let my host OS manage my Github keys (ssh-agent/keychain). But what do you do for repos brought into HAOS?

The Advanced SSH & Web Terminal has an option to use ssh agent forwarding, but I’ve normally limited using agent forwarding to connecting to local machines only. I’m not terribly concerned that someone with root at Github figures out how to access my Github repos – so is using agent forwarding the way to use Github on an HAOS instance?

There is often a trade-off between security and convenience.

The SSH agent decrypts key material and retains it in memory (that is its primary function).

Hence if you have all of your keys encrypted on disk, you can view having them decrypted in memory as a weakness. How much of a weakness is going to be subjective, since if someone has penetrated the machine running the agent sufficiently to exploit the key material you probably have more significant security challenges.

Further if you use SSH agent forwarding you are effectively extending your trust to any machine that you currently have an active SSH session to - because that machine can initiate new connections using the key material stored in the agent (again the primary function of agent forwarding).

For the generic use case(s) that SSH agents are designed to handle, probably not - since the SSH code base has had significant attention from both hackers and security researchers, so it's unlikely anything hand-crafted will come close to the security review done on SSH.

However you can probably limit blast radius - sites that can be accessed via SSH typically allow multiple authorized keys and you could create a new key specific for the sites that a particular machine/agent should be able to access, hence if that key is breached/extracted that is the extent of other machines that can be attacked.

Yes, I have a separate key I only use with github. Not really sure that buys me much, though.

I suppose that although HA host can access all of my keys it’s still a local machine that I trust. And when I use my forwarded ssh agent (and even connect to HA with a separate key) HA can still see all of my keys and connect to ANY machine that (in this case) my laptop can access.

But, using git for example from HAOS won’t forward my agent to Github so that’s not a concern.

Wow, I couldn’t disagree more with both of those.

I don’t trust my HA machine at all - it’s isolated in its own VLAN with no ability to open a network connection to any internal machine.

I don’t host any keys on my HA machine; other machines connect to it when needed - I use MQTT to signal other machines when an event happens on HA that I want to trigger another machine from.

Ok. So with that stance, and if you wanted to git push from your HAOS instance, how would you set up your keys to avoid having to enter a passphrase?

I run dockerized so the config filesystem is mounted onto the host.

I have git installed on the host and I used to use git to version changes, but TBH I have got to a point where the changes I make are not really that significant anymore, so I don’t worry too much about versioning every change.

Occasionally I will pull the config directory to my laptop (via scp) which has whole hard drive offsite backups (I should probably put that pull into a cron).

As noted I don’t need to, but if I did there are multiple choices; the one I would probably run with would be:

I would create a brand new SSH key to be used simply to backup HA.
I would leave it unencrypted on the hard drive of the HA machine, because:

  • I would use the key as a “single repo key” - it can only be used to access a single repo.
  • I would disable force push - so there is no way it can be used to wipe out history.

Then just run a cron on the HA machine to push to the remote once a day for backup purposes.
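What the setup above looks like in practice, as an added example that is not code from anyone in this thread: it covers both the earlier suggestion of a per-site key to limit blast radius and the single-repo key / no force push / daily cron procedure just described. Assumptions not taken from the thread: the key is stored in an ssh directory passed as the first argument, the GitHub repo is the placeholder ORG/REPO (with the public key registered as a deploy key on that repo only and a branch rule that rejects force pushes), the HA config directory is /config, and the one host that may receive a forwarded agent is called laptop.lan.

```shell
#!/bin/sh
# Added example, not code from the thread. Creates a single-purpose key for
# pushing an HA config backup to one GitHub repo, writes an ssh client config
# that keeps agent forwarding off except toward one named LAN host, and
# defines the daily push job. Assumed (not from the thread): ssh dir is $1,
# repo is ORG/REPO, HA config is /config, trusted LAN host is laptop.lan.
set -eu

# 1. Dedicated backup key, deliberately without a passphrase so cron can use
#    it. Its reach is bounded on the GitHub side: register the .pub as a
#    deploy key on that one repo only, and enable a branch protection rule
#    that rejects force pushes.
make_backup_key() {
    sshdir="$1"
    key="$sshdir/id_ed25519_ha_backup"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    if [ ! -f "$key" ]; then
        ssh-keygen -q -t ed25519 -N "" -C "ha-backup" -f "$key"
    fi
    chmod 600 "$key"
    echo "$key.pub"   # paste this into the repo's Deploy keys page
}

# 2. Client config: no forwarding by default; GitHub is only ever offered the
#    backup key (IdentitiesOnly stops ssh from trying every key an agent may
#    hold); forwarding is re-enabled only for one trusted local host.
write_ssh_config() {
    sshdir="$1"
    cat > "$sshdir/config" <<EOF
Host *
    ForwardAgent no

Host github-ha-backup
    HostName github.com
    User git
    IdentityFile $sshdir/id_ed25519_ha_backup
    IdentitiesOnly yes

Host laptop.lan
    ForwardAgent yes
EOF
    chmod 600 "$sshdir/config"
    echo "$sshdir/config"
}

# 3. Daily push job. Commit only when something changed; never --force (the
#    real protection against history rewrites is the branch rule on GitHub,
#    which applies no matter who holds the key).
#    Remote setup, once: git remote add origin git@github-ha-backup:ORG/REPO.git
backup_push() {
    cd "$1"
    git add -A
    git diff --cached --quiet || git commit -q -m "HA config backup $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    git push -q origin HEAD:main
}

# crontab entry (crontab -e): run the push at 03:15 every day
cron_line() {
    echo "15 3 * * * /config/ha-backup.sh push >> /config/ha-backup.log 2>&1"
}

# "sh ha-backup.sh install" once to create the key and config (prints the
# public key path and the crontab line); "sh ha-backup.sh push" from cron.
case "${1:-}" in
    install) make_backup_key "$HOME/.ssh"; write_ssh_config "$HOME/.ssh"; cron_line ;;
    push) backup_push /config ;;
esac
```

Two checks worth running after this is in place: `ssh -T git@github-ha-backup` should authenticate with the backup key and nothing else, and on the HA box `ssh-add -L` should print no identities unless you have deliberately opened a forwarded session from laptop.lan, which is exactly the exposure the earlier posts describe.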