feat(key): Trigger SSH agent reconnection after YubiKey release #218
Open
hnw wants to merge 1 commit into str4d:main from
Conversation
Added a mechanism to send an SSH Agent Protocol request (Opcode 11) immediately after releasing the YubiKey handle. This triggers agents like yubikey-agent to reclaim the device on-demand, preventing PIN cache loss caused by OS power management during the "idle" period.
Description:

Currently, age-plugin-yubikey sends SIGHUP to the SSH agent to release the YubiKey PIV applet. However, many agents do not automatically reconnect, causing the YubiKey to remain idle. This idle state leads to a loss of the PIN cache due to OS power-saving features.

This PR introduces a "poke" mechanism that sends an SSH_AGENTC_REQUEST_IDENTITIES message to the SSH_AUTH_SOCK immediately after the plugin disconnects from the YubiKey.

Key Changes:
- poke_ssh_agent() using standard UnixStream to minimize dependencies.
- Disconnect (Release) -> Poke (Reclaim) to avoid sharing violations.

This improvement provides a seamless UX, especially for tools like sops, by preserving the PIN authentication state between operations.
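The exchange the description relies on is a single framed SSH agent protocol message: a 4-byte big-endian length, then message type 11 (SSH_AGENTC_REQUEST_IDENTITIES), to which an agent answers with type 12 (SSH_AGENT_IDENTITIES_ANSWER) or type 5 (SSH_AGENT_FAILURE). The block below is an added example written for this page, not the PR's own `poke_ssh_agent()` or any code from age-plugin-yubikey or yubikey-agent. It uses only `std` (`UnixStream`), frames and parses the message, and pairs the client with a constructed in-process stand-in for an agent so the round trip can be exercised offline; the function names, the socket path handling, and the stand-in agent are assumptions made here. Whether a real agent reconnects to the YubiKey on receiving this request is the agent's behaviour, as the PR describes for yubikey-agent, and is not something this example can show.

```rust
use std::io::{Read, Write};
use std::os::unix::net::{UnixListener, UnixStream};
use std::thread;

/// SSH agent protocol message numbers (draft-miller-ssh-agent).
pub const SSH_AGENTC_REQUEST_IDENTITIES: u8 = 11;
pub const SSH_AGENT_IDENTITIES_ANSWER: u8 = 12;
pub const SSH_AGENT_FAILURE: u8 = 5;

/// Frame the request: uint32 big-endian length (1) followed by the type byte (11).
pub fn encode_request_identities() -> Vec<u8> {
    let mut msg = Vec::with_capacity(5);
    msg.extend_from_slice(&1u32.to_be_bytes());
    msg.push(SSH_AGENTC_REQUEST_IDENTITIES);
    msg
}

/// Read one length-prefixed agent message and return its payload (type byte first).
pub fn read_agent_message<R: Read>(r: &mut R) -> std::io::Result<Vec<u8>> {
    let mut len = [0u8; 4];
    r.read_exact(&mut len)?;
    let len = u32::from_be_bytes(len) as usize;
    let mut payload = vec![0u8; len];
    r.read_exact(&mut payload)?;
    Ok(payload)
}

/// Parse an SSH_AGENT_IDENTITIES_ANSWER payload and return the advertised key count.
/// Returns None for SSH_AGENT_FAILURE or anything too short to carry the count.
pub fn parse_identities_answer(payload: &[u8]) -> Option<u32> {
    if payload.len() < 5 || payload[0] != SSH_AGENT_IDENTITIES_ANSWER {
        return None;
    }
    Some(u32::from_be_bytes([payload[1], payload[2], payload[3], payload[4]]))
}

/// Connect to the agent socket, send the poke, and report how many keys it advertised.
/// Hypothetical helper: the caller passes the path read from SSH_AUTH_SOCK.
pub fn poke_ssh_agent(sock_path: &str) -> std::io::Result<Option<u32>> {
    let mut stream = UnixStream::connect(sock_path)?;
    stream.write_all(&encode_request_identities())?;
    let reply = read_agent_message(&mut stream)?;
    Ok(parse_identities_answer(&reply))
}

/// Constructed stand-in for an agent (not a real agent): binds `sock_path`, answers one
/// REQUEST_IDENTITIES with `nkeys` empty identities, and hands back the request it received.
pub fn spawn_fake_agent(sock_path: &str, nkeys: u32) -> thread::JoinHandle<Vec<u8>> {
    let _ = std::fs::remove_file(sock_path);
    let listener = UnixListener::bind(sock_path).expect("bind agent socket");
    thread::spawn(move || {
        let (mut conn, _) = listener.accept().expect("accept");
        let request = read_agent_message(&mut conn).expect("read request");
        let mut body = vec![SSH_AGENT_IDENTITIES_ANSWER];
        body.extend_from_slice(&nkeys.to_be_bytes());
        // Each identity is `string key_blob` + `string comment`; emit empty strings.
        for _ in 0..nkeys {
            body.extend_from_slice(&0u32.to_be_bytes());
            body.extend_from_slice(&0u32.to_be_bytes());
        }
        let mut framed = (body.len() as u32).to_be_bytes().to_vec();
        framed.extend_from_slice(&body);
        conn.write_all(&framed).expect("write answer");
        request
    })
}

fn main() {
    // Stand-alone use: poke whatever agent SSH_AUTH_SOCK points at.
    match std::env::var("SSH_AUTH_SOCK") {
        Ok(path) => match poke_ssh_agent(&path) {
            Ok(Some(n)) => println!("agent answered with {n} identities"),
            Ok(None) => println!("agent returned failure or a malformed answer"),
            Err(e) => println!("poke failed: {e}"),
        },
        Err(_) => println!("SSH_AUTH_SOCK is not set"),
    }
}
```

In the plugin's position the poke is best effort: the YubiKey has already been released, so a missing socket, a refused connection, or a failure answer should be logged and ignored rather than turned into an error for the age operation, and the poke must only be sent after the plugin's own handle is closed, otherwise the agent's reclaim races the plugin for the PIV applet.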