knife-ssh-agent

Authenticate to a Chef server using an SSH agent.

Compatibility

This only works with RSA keys, as RSA is the only key type supported by Chef. Non-RSA keys listed by the agent will be ignored.

The SSH agent must be compatible with SHA-256 as the hash function for the RSASSA-PKCS1-v1_5 signature (see draft-rsa-dsa-sha2-256-03.txt).

  • OpenSSH is compatible since version 7.2
  • GNOME keyring is not compatible

Usage

The following configuration options must be set in your knife.rb:

knife[:use_ssh_agent] = true
authentication_protocol_version '1.3'

Version 1.3 of the authentication protocol is required as it's the only one compatible with the signatures generated by the agent.

If your ssh-agent has multiple RSA identities, you can choose which one will be used to sign requests by adding this to your knife.rb:

knife[:ssh_agent_identity] = '~/.ssh/chef-rsa-key' # .pub is optional

Otherwise, the first RSA identity listed by the agent will be used.
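
The two agent behaviours described above (non-RSA identities are skipped, and the signature must use SHA-256) shown at the SSH agent protocol level. This is an added example, not code from knife-ssh-agent. The message numbers and the flag value come from the SSH agent protocol; the helper names and sample bytes are constructed, and the 4-byte length prefix that frames each agent message is assumed to be already stripped.

```ruby
# Added illustration, not part of knife-ssh-agent.
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST     = 13
SSH_AGENT_SIGN_RESPONSE     = 14
SSH_AGENT_RSA_SHA2_256      = 2 # sign-request flag asking for an rsa-sha2-256 signature

# Encode an SSH "string": uint32 big-endian length followed by the bytes.
def ssh_string(s)
  [s.bytesize].pack('N') + s.b
end

# Decode one SSH string at byte offset off; returns [bytes, next_offset].
def read_string(buf, off)
  len = buf.byteslice(off, 4).to_s.unpack1('N')
  raise ArgumentError, 'truncated agent message' if len.nil? || off + 4 + len > buf.bytesize
  [buf.byteslice(off + 4, len), off + 4 + len]
end

# Return [key_blob, comment] of the first ssh-rsa identity, skipping other key types.
def first_rsa_identity(payload)
  raise ArgumentError, 'not an identities answer' unless payload.getbyte(0) == SSH_AGENT_IDENTITIES_ANSWER
  off = 5
  payload.byteslice(1, 4).to_s.unpack1('N').to_i.times do
    blob, off = read_string(payload, off)
    comment, off = read_string(payload, off)
    return [blob, comment] if read_string(blob, 0).first == 'ssh-rsa'
  end
  nil
end

# Build the sign-request payload with the SHA-256 flag set.
def sign_request(key_blob, data)
  [SSH_AGENTC_SIGN_REQUEST].pack('C') + ssh_string(key_blob) + ssh_string(data) +
    [SSH_AGENT_RSA_SHA2_256].pack('N')
end

# Algorithm name the agent actually used. An agent that does not honour the
# flag answers "ssh-rsa" (SHA-1) instead of "rsa-sha2-256".
def signature_algorithm(payload)
  raise ArgumentError, 'not a sign response' unless payload.getbyte(0) == SSH_AGENT_SIGN_RESPONSE
  read_string(read_string(payload, 1).first, 0).first
end

# Constructed sample: an agent holding one Ed25519 and one RSA key (dummy key material).
SAMPLE_ED_BLOB  = ssh_string('ssh-ed25519') + ssh_string('x' * 32)
SAMPLE_RSA_BLOB = ssh_string('ssh-rsa') + ssh_string("\x01\x00\x01") + ssh_string('n' * 8)
SAMPLE_ANSWER   = [SSH_AGENT_IDENTITIES_ANSWER, 2].pack('CN') +
                  ssh_string(SAMPLE_ED_BLOB) + ssh_string('ed@host') +
                  ssh_string(SAMPLE_RSA_BLOB) + ssh_string('chef-rsa-key')
```

Comparing the result of `signature_algorithm` with `'rsa-sha2-256'` before using a signature catches an agent that silently fell back to SHA-1.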