scolastico-dev/s.BitAgent

s.BitAgent

wip

A wrapper around the Bitwarden CLI that provides an SSH key agent IPC interface.

Installation

npm i -g s-bit-agent
s-bit-agent -- bw config server https://<your-server>
s-bit-agent -- bw login
s-bit-agent -- bw lock <token from login>

Run the s-bit-agent daemon on autostart:

s-bit-agent setup # shows which automatic autostart installation is possible
s-bit-agent daemon --help # See possible config options for the daemon
s-bit-agent setup --type SystemdAutostartService --args "--session-timeout 900" # for example

Add the socket to your .bashrc or .profile:

export SSH_AUTH_SOCK=~/.ssh/s-bit-agent.sock
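
To check which keys the daemon exposes on that socket, the following added example (not part of s.BitAgent's own code) sends the SSH_AGENTC_REQUEST_IDENTITIES message defined in draft-miller-ssh-agent and prints each key's comment and SHA256 fingerprint. The function names are hypothetical, and it assumes the daemon answers this request type; run it as `node list-agent-keys.js "$SSH_AUTH_SOCK"`.

```javascript
const net = require('net');
const crypto = require('crypto');
const SSH_AGENTC_REQUEST_IDENTITIES = 11; // message numbers from draft-miller-ssh-agent
const SSH_AGENT_IDENTITIES_ANSWER = 12;

// Every agent message is: uint32 length (big-endian), type byte, payload.
function frame(type, payload = Buffer.alloc(0)) {
  const head = Buffer.alloc(5);
  head.writeUInt32BE(payload.length + 1, 0);
  head.writeUInt8(type, 4);
  return Buffer.concat([head, payload]);
}

// Read one length-prefixed string field, refusing lengths that pass the end.
function readString(buf, off) {
  if (off + 4 > buf.length) throw new Error('truncated length');
  const end = off + 4 + buf.readUInt32BE(off);
  if (end > buf.length) throw new Error('field overruns message');
  return { value: buf.subarray(off + 4, end), next: end };
}

// Parse one complete IDENTITIES_ANSWER frame into comment + SHA256 fingerprint.
function parseIdentities(msg) {
  if (msg.length < 5 || msg.readUInt32BE(0) !== msg.length - 4) throw new Error('bad frame length');
  if (msg[4] !== SSH_AGENT_IDENTITIES_ANSWER) throw new Error('unexpected reply type ' + msg[4]);
  const keys = [];
  for (let i = 0, off = 9, n = msg.readUInt32BE(5); i < n; i++) {
    const blob = readString(msg, off);
    const comment = readString(msg, blob.next);
    off = comment.next;
    const fp = crypto.createHash('sha256').update(blob.value).digest('base64').replace(/=+$/, '');
    keys.push({ comment: comment.value.toString('utf8'), fingerprint: 'SHA256:' + fp });
  }
  return keys;
}

// Send the request and read until one whole reply frame has arrived.
async function listKeys(sockPath) {
  const s = net.createConnection(sockPath);
  s.write(frame(SSH_AGENTC_REQUEST_IDENTITIES)); // queued until connected
  let buf = Buffer.alloc(0);
  for await (const chunk of s) {
    buf = Buffer.concat([buf, chunk]);
    if (buf.length >= 4 && buf.length >= 4 + buf.readUInt32BE(0)) break;
  }
  return parseIdentities(buf.subarray(0, 4 + buf.readUInt32BE(0)));
}

if (process.argv[2]) listKeys(process.argv[2]).then(console.table, (e) => console.error(e.message));
```

The fingerprints use the same SHA256 format as `ssh-add -l`, so the two listings can be compared directly.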

Usage

s-bit-agent --help
s-bit-agent -- bw --help
s-bit-agent -- bwa --help
s-bit-agent status

Differences to bw and bwa

user@example:~$ s-bit-agent -- bw status
{..., "status": "locked"}

user@example:~$ s-bit-agent -- bwa status
Requesting session
Connected to server
Sent S_BIT_AGENT_REQUEST_SESSION
Received session
{..., "status": "unlocked"}

TODO

  • Add basic IPC communication according to draft-miller-ssh-agent
  • Add caching for the session
  • Add a key add command
  • Add a key import command
  • Add a status command
  • Implement S_BIT_AGENT_REQUEST_SESSION into IPC
  • Add a bw and bwa command
  • Add a setup command to automatically install the daemon in the autostart
  • Expand the S_BIT_AGENT_REQUEST_SESSION to also handle some other requests
  • Add a public key local cache to speed up the key lookup, and reduce the password requests
  • Handle detection of dead pipes and automatic removal of them
  • Support for multiple IPC connections at once
  • Look into secure heap implementation possibilities
  • Add a lock command
  • Add setting to disable approval requests, or at least to set a timeout
  • Add a key list command
  • Add a key delete command
  • Add a key rename command
  • Add a key export command
  • Add tests
  • [Maybe™] Test or add support for Windows.
  • [Maybe™] Develop a Tauri frontend/client, which internally uses the s-bit-agent to communicate with the server.
  • [Maybe™] Add capability to unlock the agent through Bitwarden remote approval
  • [Maybe™] Add capability to unlock the agent through WebAuthn

Windows Support

Theoretically, the agent should work on Windows, but it is not tested. If you want to help, please open an issue. If you encounter any problems, try WSL, which should work.

If you do not use WSL, you will need to register the agent in the autostart manually. As a tip: you can change the name of the pipe the daemon creates by passing the SSH_AUTH_SOCK environment variable to the daemon.