Unintentional Identity file signing  #26

@pecigonzalo

Hi, while troubleshooting some unrelated problems I noticed this client is generating signed key certs for any identity that we use in the ssh command.
The culprit seems to be this:
https://github.com/lyft/python-blessclient/blob/master/blessclient/client.py#L171

called here:
https://github.com/lyft/python-blessclient/blob/master/blessclient/client.py#L448

Given an ssh config as recommended:

Match exec "env | grep -q BLESS_COMPLETE || /Users/stype/blessclient/blessclient.run --gui --host '%h'"
	IdentityFile ~/.ssh/blessid

If we are to call any other ssh command as:
ssh -i ~/.ssh/mykey user@host
and we didn't have a filter on domain_regex: blessclient will still generate and sign the mykey key.

While I believe this could in some cases be desired functionality (when doing ssh wrapping instead of ssh config), I think it might be better to just let it toggle via an env var or the existing BLESS_IDENTITYFILE, as more often than not, if you specify a particular identity on the command line, you want to use exactly that to auth and signing is unnecessary.

If this is accepted I can create a PR to clean up/implement this.
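
An added sketch of the guard proposed in this issue, not blessclient's own code and not written by the issue author: sign only when the ssh command line names no identity or names the BLESS identity itself. The function names `explicit_identities` and `should_sign` are hypothetical, and how the ssh argument vector is obtained is left out of scope.

```python
import os
import re

# ssh options that take an argument, per the ssh(1) synopsis.
OPTS_WITH_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")


def explicit_identities(ssh_argv):
    """Identity files requested on an ssh command line (-i / -o IdentityFile)."""
    found, positional = [], 0
    args = iter(ssh_argv[1:])
    for arg in args:
        if not arg.startswith("-"):
            positional += 1
            if positional == 2:   # second positional starts the remote command
                break
            continue              # first positional is the destination
        flags = arg[1:]
        for pos, flag in enumerate(flags):
            if flag not in OPTS_WITH_ARG:
                continue          # boolean flag such as -v or -A
            # Value is either glued to the flag (-ikey) or the next argument.
            value = flags[pos + 1:] or next(args, "")
            if flag == "i":
                found.append(value)
            elif flag == "o":
                # Accept both "IdentityFile=path" and "IdentityFile path".
                parts = re.split(r"\s*=\s*|\s+", value.strip(), maxsplit=1)
                if len(parts) == 2 and parts[0].lower() == "identityfile":
                    found.append(parts[1])
            break                 # the rest of this argument was the value
    return found


def _norm(path):
    return os.path.abspath(os.path.expanduser(path))


def should_sign(ssh_argv, bless_identity):
    """True when no identity was named, or the BLESS identity was named."""
    named = explicit_identities(ssh_argv)
    return not named or _norm(bless_identity) in {_norm(p) for p in named}
```
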
