Poor SSH key handling: overly coupled to `id_rsa` private keys

[quicksketch]

Describe the bug

The Lagoon CLI tool seems to make several assumptions about SSH keys. In several places, the existing code searches for exactly the string ~/.ssh/id_rsa, giving that type of private key special status. GitHub specifically recommends ed25519 keys and only suggests RSA on "legacy systems".

In PR #44, it was suggested by @smlx:

Honestly I think it would be fair to offload all key handling to the agent and not attempt to manually load SSH keyfiles at all. Best practice is to use an agent anyway, and that way any new SSH key formats are automatically handled going forward.

But I don't think this suggestion was implemented.

It would be much better if Lagoon CLI would read (and try) all available keys from ssh-add -L, rather than reading individual SSH keys.

To Reproduce
Steps to reproduce the behavior:

1. Install lagoon CLI normally.
2. On an environment where ~/.lagoon.yml has not been modified to add an sshkey value, create a key at ~/.ssh/id_ed25519 with chmod 600. There should also not be a ~/.ssh/id_rsa file.
3. Attempt to execute a lagoon command such as lagoon whoami
4. The command will return Error: open /home/runner/.ssh/id_rsa: no such file or directory.

Expected behavior
The command should succeed using the available ~/.ssh/id_ed25519 key.

Desktop (please complete the following information):

• OS: Ubuntu 24.04

[quicksketch]

In a desperate bid to get this working, I simply renamed my id_ed25519 key to id_rsa, and surprisingly, that worked, even though it is not an RSA key within the file.

[shreddedbacon]

The CLI will prefer to use keys in an agent, as long as the agent is running. Have you confirmed if your ssh agent is running?

Edit: Also, which version are you using?
https://uselagoon.github.io/lagoon-cli/troubleshooting/#ssh-keys

[quicksketch]

The CLI will prefer to use keys in an agent, as long as the agent is running. Have you confirmed if your ssh agent is running?

That's good to hear. Reading through the login.go code, I didn't see how the agent was getting checked later.

I'll confirm. I tried specifically starting the agent and adding the key via ssh-add. Our current scripting in GitHub Actions would typically add the key to the agent but not create a private key file, as a defensive measure to keep the private key from being read by CI processes.

I'm using the latest release lagoon-cli-v0.31.5-linux-amd64.

[quicksketch]

@shreddedbacon Re-reading the documentation, this part has me questioning my assumptions:

specific key in agent#

If you know which public key you want to use when interacting Lagoon, you can use the following flag

--ssh-publickey /path/to/privatekey.pub

Does this mean that the an ssh-agent key will only get used if --ssh-publickey is specified? Or if that option is omitted, will it try all available keys?

[shreddedbacon]

The CLI will prefer to use keys in an agent, as long as the agent is running. Have you confirmed if your ssh agent is running?

That's good to hear. Reading through the login.go code, I didn't see how the agent was getting checked later.

It is called in retrieveTokenViaSsh here https://github.com/uselagoon/lagoon-cli/blob/v0.31.5/cmd/login.go#L161, which calles the publicKey function that handles checking the agent.

I'll confirm. I tried specifically starting the agent and adding the key via ssh-add. Our current scripting in GitHub Actions would typically add the key to the agent but not create a private key file, as a defensive measure to keep the private key from being read by CI processes.

I don't really know how github actions and ssh agent works here to know what sort of success you will have with trying to get an agent working. As long as there is an agent socket available (https://github.com/uselagoon/lagoon-cli/blob/v0.31.5/cmd/login.go#L43) the CLI will try and use any key that is loaded into it.

@shreddedbacon Re-reading the documentation, this part has me questioning my assumptions:

specific key in agent#

If you know which public key you want to use when interacting Lagoon, you can use the following flag

--ssh-publickey /path/to/privatekey.pub

Does this mean that the an ssh-agent key will only get used if --ssh-publickey is specified? Or if that option is omitted, will it try all available keys?

No, it will try and use any key that is loaded, and as long as the key it tries will authenticate with Lagoon, that is the key that will be used. This flag is only required if you have a lot of keys and you want to ensure that only the key you want to use is used. This is mostly for users that may have multiple accounts and use multiple contexts each with their own key (https://uselagoon.github.io/lagoon-cli/troubleshooting/#multiple-user-accounts-or-contexts)