In the current Semaphore setup the private keys get copied to the filesystem to execute the Ansible playbook or to perform a git checkout. This private key gets deleted after the execution once this issue is implemented, if I'm correct. This is an improvement, but an attacker can still copy the private key during the git clone or Ansible execution. If this is the current implementation, it'd be nice if this behaviour were documented in the documentation so it's clear to everyone.

Personally, I'd like to have the option to specify an SSH config that will be used for the git clone or ansible-playbook execution. This would also make it possible to keep the private key off the filesystem, using https://www.man7.org/linux/man-pages/man5/ssh_config.5.html. This would also help to get support for hardware tokens. Another solution to not have the private key on the filesystem is to implement a PKCS#11 provider in Semaphore (not sure how easy this can be implemented in Golang).
Starting from 2.9.45, Semaphore doesn't store private keys on the file system but uses an internal SSH agent: https://pkg.go.dev/golang.org/x/crypto/ssh/agent.
Starting from 2.9.64, Semaphore doesn't store any Ansible passwords on the file system but uses stdin to send them to ansible-playbook.