
[Feature Request] Krypton support #318

@parsec

Description

Anyone using Krypton to store their SSH private key on their phone for 2FA is currently unable to use k3sup with that private key, because somehow the SSH implementation in k3sup bypasses the way Krypton reroutes SSH calls.

Expected Behaviour

Usually when I use SSH with Krypton and the kr CLI utility it's seamless. It redirects any calls to the OpenSSH client over to krssh, where it requests approval from the Krypton app on my phone to use the private key. It accomplishes this by adding the following to the ~/.ssh/config file:

# Added by Krypton
Host *
	IdentityAgent ~/.kr/krd-agent.sock
	ProxyCommand /usr/local/bin/krssh %h %p
	IdentityFile ~/.ssh/id_krypton
	IdentityFile ~/.ssh/id_ed25519
	IdentityFile ~/.ssh/id_rsa
	IdentityFile ~/.ssh/id_ecdsa
	IdentityFile ~/.ssh/id_dsa

What is supposed to happen is something similar to the following.


❯ ssh me.krypt.co
Krypton ▶ Requesting SSH authentication from phone
Krypton ▶ Phone approval required. Respond using the Krypton app
Krypton ▶ Success. Request Allowed ✔


                ''....''
          '.-:/++++++++++/:-.'
       '-/++++++++++++++++++++/-'
     ':+++++++++++++++++++++++++/:'
     :++++++++++/:----:/++++++++++:
     :+++++++/-'        '-/+++++++:     _                               _
     :++++++/   -/++++\-  '/++++++:    | | __   _ __   _   _    _ __   | |_       ___    ___
     :+++++/   /++++++++\  '/+++++:    | |/ /  | '__| | | | |  | '_ \  | __|     / __|  / _ \
     :+++++:  :++++++++++:  :+++++:    |   <   | |    | |_| |  | |_) | | |_   _ | (__  | (_) |
     :+++++/  \++++++++++/  /+++++:    |_|\_\  |_|     \__, |  | .__/   \__| (_) \___|  \___/
     :++++++-   \++++++/   -++++++:                    |___/   |_|
     :+++++++:   '----'   :+++++++:
     .+++++++++/-......-/+++++++++.
      ./++++++++++++++++++++++++/.
       ':/++++++++++++++++++++/:'
         '-:/++++++++++++++/:-'
             .-://++++//:-.
                  '..'


Hello $user!

You have successfully authenticated to the KryptCo test server!
Add your key to GitHub by typing 'kr github'. Type 'kr' to see all available commands.

Connection to me.krypt.co closed.

Though, in this case it would be an open SSH connection to the host and then k3sup would do whatever it needs to and close the connection.

Current Behaviour

Currently, however, this does not happen. Instead, k3sup returns the following error:

❯ k3sup install --ip $ip --local-path ~/.kube/config --print-config --user $user
Running: k3sup install
2021/03/25 01:36:45 $ip
Public IP: $ip
Error: unable to load the ssh key with path "/Users/$user/.ssh/id_rsa": unable to parse private key: ssh: no key found

### NOTE: I scrubbed the output, so the path to my SSH key isn't actually trying to use $user

I'm not entirely sure why, but for some reason when k3sup calls the SSH agent, it's not getting redirected via the SSH configuration setup by Krypton. This may be that it's directly calling ssh-agent instead of just invoking the ssh command from the OS (have not tried to confirm this, but it seems plausible).

Possible Solution

I'm not entirely sure at this point, but it seems possible that whatever Go module k3sup uses to call SSH is calling ssh-agent directly and not the OS' ssh command, which seems to bypass the ~/.ssh/config file.

Steps to Reproduce (for bugs)

  1. Set up Krypton w/ Developer mode (https://krypt.co/)
  2. Install the kr CLI util (instructions also on https://krypt.co/)
  3. Pair device with kr
  4. Run kr sshconfig to make sure Krypton is intercepting SSH calls
    • You'll want to make sure you don't have any private keys set up, by the way. Krypton is designed to function without needing any private keys on the local machine at all.
  5. Attempt to run k3sup install on a remote host
  6. You'll get the Error: unable to load the ssh key with path "/Users/p4rsec/.ssh/id_rsa": unable to parse private key: ssh: no key found

Context

I use Krypton to keep my SSH private key secured on my phone. This lets me have 2FA on my SSH key for things like GitHub, and also makes my SSH key portable since it's stored on my phone (I tend to switch around hosts somewhat randomly, so being able to just pair the kr utility to my Krypton app is quite a pleasant experience).

It's not an absolute deal breaker if this isn't something worth dedicating time to, but it's extremely strange that it's having trouble.

Your Environment

  • What Kubernetes distribution are you using?
kubectl version

v1.20.4+k3s1

  • What OS or type or VM are you using for your cluster? Where is it hosted? (for k3sup install/join):
    Ubuntu 20.04 LTS on a Hades Canyon NUC (Intel i7 8809-G, 16GB RAM)

  • Operating System and version (e.g. Linux, Windows, MacOS):
    Host: Ubuntu 20.04 LTS
    Dev/control machine: macOS 11.2

"Be part of the solution"

Subject to approval, are you willing to work on a Pull Request for this issue or feature request?

Yes
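An added example, not part of the issue or of k3sup, that illustrates the gap the reporter describes. OpenSSH reads ~/.ssh/config, so Krypton's `IdentityAgent` and `ProxyCommand` take effect for every `ssh` invocation; a Go program that loads a key file with golang.org/x/crypto/ssh never consults that file, which is why the agent socket is bypassed and the client falls back to parsing ~/.ssh/id_rsa directly (the "ssh: no key found" error is what that parser returns when the file holds no key). The stdlib-only resolver below shows what such a client would have to do to honour those directives: match `Host` patterns, keep ssh's first-value-wins rule, expand `~` and the `%h`/`%p` tokens. The function names, the home directory and the sample config are assumptions for this example; the "Added by Krypton" block mirrors the one quoted in the issue.

```go
package main

import (
	"bufio"
	"fmt"
	"path/filepath"
	"strings"
)

// resolvedConfig is the subset of ssh_config settings that matters for the
// Krypton setup in the issue. Type and field names are assumptions for this
// example, not a k3sup or Krypton API.
type resolvedConfig struct {
	IdentityAgent string   // socket a client would dial to reach the agent
	ProxyCommand  string   // command ssh would run, with %h/%p expanded
	IdentityFiles []string // candidate key files, in config order
}

// hostMatches applies ssh_config Host semantics: a comma-separated list of
// glob patterns, where a leading '!' negates a pattern and a negated match
// overrides any positive match.
func hostMatches(patterns, host string) bool {
	matched := false
	for _, p := range strings.Split(patterns, ",") {
		p = strings.TrimSpace(p)
		if p == "" {
			continue
		}
		negate := strings.HasPrefix(p, "!")
		p = strings.TrimPrefix(p, "!")
		// Hostnames contain no '/', so path-style globbing is safe here.
		ok, err := filepath.Match(p, host)
		if err != nil || !ok {
			continue
		}
		if negate {
			return false
		}
		matched = true
	}
	return matched
}

// expandHome replaces a leading "~/" the way ssh does for IdentityFile and
// IdentityAgent values.
func expandHome(path, home string) string {
	if path == "~" {
		return home
	}
	if strings.HasPrefix(path, "~/") {
		return filepath.Join(home, path[2:])
	}
	return path
}

// expandTokens substitutes the %%, %h and %p tokens used in ProxyCommand.
func expandTokens(s, host, port string) string {
	return strings.NewReplacer("%%", "%", "%h", host, "%p", port).Replace(s)
}

// splitKeyValue accepts both "Key value" and "Key=value" forms.
func splitKeyValue(line string) (key, value string, ok bool) {
	i := strings.IndexAny(line, " \t=")
	if i < 0 {
		return "", "", false
	}
	key = strings.ToLower(line[:i])
	value = strings.TrimLeft(line[i:], " \t=")
	return key, value, value != ""
}

// resolve walks the config top to bottom for the given host, keeping the
// first value seen for single-valued options (ssh's rule) and accumulating
// every IdentityFile from matching Host blocks.
func resolve(config, host, port, home string) resolvedConfig {
	var out resolvedConfig
	active := true // options before any Host line apply to every host
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, value, ok := splitKeyValue(line)
		if !ok {
			continue
		}
		if key == "host" {
			active = hostMatches(value, host)
			continue
		}
		if !active {
			continue
		}
		switch key {
		case "identityagent":
			if out.IdentityAgent == "" {
				out.IdentityAgent = expandHome(value, home)
			}
		case "proxycommand":
			if out.ProxyCommand == "" {
				out.ProxyCommand = expandTokens(value, host, port)
			}
		case "identityfile":
			out.IdentityFiles = append(out.IdentityFiles, expandHome(value, home))
		}
	}
	return out
}

// sampleConfig is constructed for this example; the "Added by Krypton"
// block mirrors the one quoted in the issue, with a per-host entry above it.
const sampleConfig = `
Host k3s-node
	IdentityFile ~/.ssh/id_ed25519

# Added by Krypton
Host *
	IdentityAgent ~/.kr/krd-agent.sock
	ProxyCommand /usr/local/bin/krssh %h %p
	IdentityFile ~/.ssh/id_krypton
	IdentityFile ~/.ssh/id_rsa
`

func main() {
	cfg := resolve(sampleConfig, "k3s-node", "22", "/Users/example")
	fmt.Printf("IdentityAgent: %s\nProxyCommand:  %s\nIdentityFiles: %v\n",
		cfg.IdentityAgent, cfg.ProxyCommand, cfg.IdentityFiles)
}
```

The resolved `IdentityAgent` path is what a Go client would `net.Dial("unix", ...)` and wrap with `agent.NewClient` from golang.org/x/crypto/ssh/agent, passing `ssh.PublicKeysCallback(client.Signers)` as the auth method, so that signing happens in the agent (here, on the phone) instead of from a key file on disk. `ProxyCommand` is the harder part, since the Go library has no built-in support for it; a client would have to spawn the command and hand its stdin/stdout to `ssh.NewClientConn` as the transport.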
