
bot-sshca's People

Contributors

ddworken, johannestegner, joshblum, krezreb, mmou, oskapt, teutat3s, xgess, zapu


bot-sshca's Issues

AckRequest in wrong channel

I've followed the procedure to use keybase for ssh auth. https://keybase-ssh-ca-bot.readthedocs.io/en/latest/getting_started.html

It works great! Except that often my colleagues have issues with their AckRequests ending up in the wrong channel.

Our organisation has these channels; the impacted users are members of all of them:

  • weatherforce.dev for developers (unrelated to ssh auth), users are writers, certbot is not a member
  • weatherforce.ssh.dev for access to dev machines, users are readers, certbot is writer
  • weatherforce.ssh.prep for access to preprod machines, users are readers, certbot is writer

In certain cases, the AckRequests end up in weatherforce.dev, not weatherforce.ssh.dev, so the certbot does not see them. If I kick the impacted user out of weatherforce.dev and they retry provisioning, the AckRequests go to the correct channel. So it seems that there's a bug in the regex / filtering that kssh uses to determine where to send the AckRequest.

Impacted users are on Linux, with these versions of Keybase:

keybase version 5.3.1-20200320154633+3e235215b3
keybase version 5.3.0-20200310205642+4f2689009b

One user is not impacted; he is using macOS:

keybase version 5.3.0-20200310172631+4f2689009b

All users are using the current version of kssh, 1.1.0-5558800

Getting started step error: make generate - docker.sock permission denied

I was following the Getting Started steps and got stuck at the make generate step:

make generate
# Avoid prompting for sudo unless the permissions actually need to be chnaged by piping find to xargs
find example-keybaseca-volume/ -not -user $USER | xargs -I {} -- sudo chown -R $USER {}
docker build -t ca -f Dockerfile-ca ..
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.39/build?buildargs=%7B%7D&cachefrom=%5B%5D&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=docker%2FDockerfile-ca&labels=%7B%7D&memory=0&memswap=0&networkmode=default&rm=1&session=kr7zv2uv82d92d18vqtu95o6g&shmsize=0&t=ca&target=&ulimits=null&version=1: dial unix /var/run/docker.sock: connect: permission denied
Makefile:14: recipe for target 'build' failed
make: *** [build] Error 1

I'm running a Docker server on Azure (with one Docker image already installed on this server).
Are any special permissions required?

remove local kssh config file

With moving the kssh config file from KBFS to the KV store, we may not need the client config file for improving performance, so we should consider removing this complexity.

Maybe I'm missing something, but with this no longer an issue, there's really not much value to having a client config file at all. All of that persistent state isn't nearly as valuable as the added complexity of having some configs sometimes in a file and getting them there and checking for them. The way this thing is used, most people are going to be hitting the same servers and the same bot every time, so if kssh only exposed kssh --bot yourcabot <rest of command> in the event you were in multiple teams with CA bots, you just write your own alias once (e.g. kssh-prod) and never think about it again, and then kssh gets the added benefit of being basically stateless (excepting your non-kssh ssh configs).

Not a task for this PR, but the move from KBFS to the KV store seems like it offers some additional opportunities.

Originally posted by @xgess in #97

Unify Windows and Unix key generations

It looks like ssh is already a requirement for parts of keybaseca, and I was wondering why the key generation is split, with Windows using crypto/ssh for its RSA keys and Unix using ed25519 via ssh-keygen.

Requirement here:

cmd := exec.Command("ssh-keygen",
    "-s", caKeyLocation,                  // The CA key
    "-I", keyID,                          // A unique key ID
    "-n", principals,                     // The allowed principals
    "-V", expiration,                     // The expiration period for the key
    "-N", "",                             // No password on the key
    shared.KeyPathToPubKey(tempFilename), // The location of the public key
)

Failed to get a signed key from the CA: timed out while waiting for a response from the CA

I'm failing to connect to a bot-sshca-enabled server. See below:

Local terminal:

$ kssh [email protected]
Failed to get a signed key from the CA: timed out while waiting for a response from the CA

Keybase SSH Provision chat in my team:

ME: AckRequest--my_keybase_username

BOT: Ack--my_keybase_username

ME: AckRequest--my_keybase_username

BOT: Ack--my_keybase_username

ME: Signature_Request:{"ssh_public_key":"ssh-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/h+xxxxxxxxx [email protected]\n","uuid":"xxxxxxxxx-xxxxx-xxxx-xxxxxx-xxxxxxxxxxx"}

BOT: Signature_Response:{"signed_key":"[email protected] SOME_LONG_KEY [email protected]\n","uuid":"xxxxxxxxx-xxxxx-xxxx-xxxxxx-xxxxxxxxxxx"}

In Keybase chat it looks as if the SSH key was properly provided. So I tried again.

Local terminal:

$ kssh [email protected]
[email protected]: Permission denied (publickey).
SSH exited with err: exit status 255

Does anybody have an idea what the problem could be?
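An added example, not code from the bot-sshca project or from either poster above: the Go program below does with the standard library's crypto/ed25519 what the ssh-keygen call quoted in the previous issue does through a subprocess, and then checks the resulting certificate the way sshd does once TrustedUserCAKeys and AuthorizedPrincipalsFile are set. It shows one way a certificate that was signed and returned correctly, as in the Signature_Response exchange above, can still end in "Permission denied (publickey)": the host only accepts principals listed in its principals file, so a certificate whose principals name a different team is refused, as is one signed by a different CA or presented outside its validity window. The wire layout follows OpenSSH's PROTOCOL.certkeys; the team names, the key ID "alice" and the one-hour lifetime are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

const certType = "ssh-ed25519-cert-v01@openssh.com"

// RFC 4251 encoders: n-byte big-endian integer, length-prefixed string, ssh-ed25519 key blob.
func putUint(b []byte, v uint64, n int) []byte {
	for i := n - 1; i >= 0; i-- {
		b = append(b, byte(v>>(8*uint(i))))
	}
	return b
}
func putStr(b, s []byte) []byte { return append(putUint(b, uint64(len(s)), 4), s...) }
func sshPub(pub ed25519.PublicKey) []byte { return putStr(putStr(nil, []byte("ssh-ed25519")), pub) }

// SignUserCert issues an OpenSSH user certificate for userPub bound to principals (Keybase
// team names here), valid from now-1m to now+validFor, in the layout ssh-keygen -s emits.
func SignUserCert(caPriv ed25519.PrivateKey, userPub ed25519.PublicKey, keyID string,
	principals []string, now time.Time, validFor time.Duration) ([]byte, error) {
	if len(principals) == 0 {
		return nil, errors.New("refusing to sign a certificate with no principals")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	var princ []byte
	for _, p := range principals {
		princ = putStr(princ, []byte(p))
	}
	body := putStr(putStr(putStr(nil, []byte(certType)), nonce), userPub)
	body = putUint(putUint(body, 0, 8), 1, 4) // serial 0, SSH_CERT_TYPE_USER
	body = putStr(putStr(body, []byte(keyID)), princ)
	body = putUint(body, uint64(now.Add(-time.Minute).Unix()), 8) // valid after
	body = putUint(body, uint64(now.Add(validFor).Unix()), 8)     // valid before
	body = putStr(putStr(putStr(body, nil), nil), nil)            // critical options, extensions, reserved
	body = putStr(body, sshPub(caPriv.Public().(ed25519.PublicKey)))
	return putStr(body, putStr(putStr(nil, []byte("ssh-ed25519")), ed25519.Sign(caPriv, body))), nil
}

// CheckCert applies the tests sshd runs when TrustedUserCAKeys and AuthorizedPrincipalsFile
// are set: signed by the trusted CA, inside its validity window, and carrying a principal
// from the host's principals file. It returns the matching principal or the failed test.
func CheckCert(cert []byte, trustedCA ed25519.PublicKey, allowed []string, now time.Time) (string, error) {
	rest, short := cert, false
	take := func(n int) []byte { // next n bytes; nil forever once any field came up short
		if short = short || n < 0 || len(rest) < n; short {
			return nil
		}
		f := rest[:n]
		rest = rest[n:]
		return f
	}
	u := func(n int) (v uint64) { // next n-byte big-endian integer
		for _, c := range take(n) {
			v = v<<8 | uint64(c)
		}
		return v
	}
	str := func() []byte { return take(int(u(4))) } // next length-prefixed string
	typ, _, _, _, ct := str(), str(), str(), u(8), u(4) // type, nonce, user key, serial, cert type
	keyID, princBlob, after, before := string(str()), str(), u(8), u(8)
	_, _, _, sigKey := str(), str(), str(), str() // critical options, extensions, reserved, CA key
	body := cert[:len(cert)-len(rest)]            // exactly the bytes the CA signed
	rest = str()                                  // signature blob: algorithm name, raw signature
	alg, sig := str(), str()
	if short || string(typ) != certType || ct != 1 || string(alg) != "ssh-ed25519" ||
		!bytes.Equal(sigKey, sshPub(trustedCA)) || !ed25519.Verify(trustedCA, body, sig) {
		return "", fmt.Errorf("certificate %q: malformed, or not a user certificate signed by the trusted CA", keyID)
	}
	if ts := uint64(now.Unix()); ts < after || ts >= before {
		return "", fmt.Errorf("certificate %q: outside its validity window", keyID)
	}
	rest = princBlob
	for len(rest) > 0 && !short {
		p := string(str())
		for _, a := range allowed {
			if p == a {
				return a, nil
			}
		}
	}
	return "", fmt.Errorf("certificate %q: none of its principals is in %v", keyID, allowed)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	cert, _ := SignUserCert(caPriv, userPub, "alice", []string{"team.ssh.staging"}, time.Now(), time.Hour)
	fmt.Println(CheckCert(cert, caPub, []string{"team.ssh.staging"}, time.Now()))
	fmt.Println(CheckCert(cert, caPub, []string{"team.ssh.production"}, time.Now())) // the publickey-denied case
}
```

The second call in main is the situation worth checking first when a Signature_Response arrived but the login still fails: compare the principals in the returned certificate (ssh-keygen -L on the signed key shows them) with the names in the target host's /etc/ssh/auth_principals/ file, and the CA key the certificate names with the one in TrustedUserCAKeys.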

FUSE mount fails

Hi there!

I run the bot on an AMD64 Ubuntu machine which does not have sudo, and have a non-su user as the service user starting the Docker container.
After the run_keybase: Success! message I get the following error:

KBFS failed to FUSE mount at /home/keybase/.config/keybase/kbfs: fusermount: exit status 1

After this, I do get the Started CA bot... message though, so I'm guessing it should work as intended either way (although it wouldn't be able to share any files through kb...?).
My bot does not respond to ack requests though, but I'm guessing this is another issue (my TEAM env variable does not seem to be filled).

[Feature] Bot-Announce

It would be great if the bot could make an "announcement" when it starts and joins a channel.
It would also be nice if this was a configurable value (it does not have to be in an env variable; a string in a file or similar would be just fine!).

Example:

Johannes-Bot joins channel team.example.com

Howdy! I'm the team.example.com SSH CA bot and I'm now active, yay!

Chat room configuration best practices

Is there a list of best practices for the configuration of a chat room?

For example:

  • Mute all notifications (duh)
  • Minimum role to post?
  • Message auto deletion?
  • Should the bot user be a reader or a writer?
  • Should I (personally) follow the bot user?

Thanks!

Install Instructions do not function

This is not currently possible via the GUI: it is not possible to create a name with more than one period, and the last name doesn't even fit in the field. Am I to assume this is done via the CLI? If so, please provide the command used, or update to a workable solution.

Then create {TEAM}.ssh.staging, {TEAM}.ssh.production, {TEAM}.ssh.root_everywhere as new Keybase subteams
and add the bot to those subteams. Add users to those subteams based off of the permissions you wish to grant
different users

Did not find any config files in KBFS (is `keybaseca service` running?)

I have installed bot-sshca by following Getting started steps.

When I run it from my PC, I get this error:

$ kssh user@some_ip_address
Did not find any config files in KBFS (is `keybaseca service` running?)

How can I check if keybaseca service is running? I didn't find anything about this service in documentation.

Thanks!

[Feature] Filepath to paperkey.

This is a feature request.

Background:
My production servers use Kubernetes and I do not like to use environment variables for secure information (such as my keybase key!).
For most applications that I use in Kubernetes I try to use Secrets mounted as files into the containers and then load them from a file path.
(Best case would be to be able to encrypt and decrypt in some way, but that is a later issue).

Implementation details:
To make this work for the Keybase sshca bot, it would require two new environment variables:

  • KEYBASE_PAPERKEY_PATH
  • KEYBASE_USERNAME_PATH

Before loading the current KEYBASE_PAPERKEY and KEYBASE_USERNAME variables, a check is made to see if the *_PATH variable(s) are set. If so, the system tries to load those from disk.
In case they are loaded successfully, they are used instead of the non-*_PATH variables.
If an error occurs or they are not set, the non-*_PATH variables are used as now, and the same error handling that is implemented at the moment is used.

Breaking changes:
This should not introduce any breaking changes.


I have started adding this in my fork which I will submit as a draft PR in a bit, but before I get the tests up and running, I will not submit a "real" pull request.

Feature Request: autobuild to dockerhub

It would be really nice to have an autobuild process that publishes a docker image of the Dockerfile-ca file to dockerhub. This would make deploying a lot easier and faster

[Feature] Ping-command.

It would be great to be able to ping the bot in the channel it is available in to check if it runs or not.
This could be just as small a thing as writing ping <name-of-bot> with a pong response.

Failed to get a signed key from the CA: ... received error response from keybase api: DB error (error 2623)

I have (following the instructions at https://keybase-ssh-ca-bot.readthedocs.io/en/latest/getting_started.html) configured the Keybase SSH CA bot (using Docker), and have configured a second 'target server' with the CA etc.

When I try to connect to the 'target server' using kssh, I get the message
Failed to get a signed key from the CA: failed to get config: Failed to load config(s): received error response from keybase api: DB error (error 2623)

I can see in my .ssh folder there are the files keybase-signed-key-- and keybase-signed-key--.pub, but if I try to use keybase-signed-key-- or keybase-signed-key--.pub to SSH to the server directly I get Permission denied (publickey).

I am able to ping @mybotname in the relevant channel for SSH access, and get back a pong @mybotname as I would expect.

Looking at other issues (e.g. #64) it looks like others see some kind of "Keybase SSH Provision chat in my team" - I see nothing like that in the channel at all. However, if I manually post a Signature_Request:{"ssh_public_key":"xxxxxxxx", ,"uuid":"xxxxxxxxx-xxxxx-xxxx-xxxxxx-xxxxxxxxxxx"}, I get back a Signature_Response:{"signed_key":xxxx" in the channel, so it looks like the bot itself is actually working.
(Note, for the UUID I literally used xxxxxxxxx-xxxxx-xxxx-xxxxxx-xxxxxxxxxxx in case that matters.)

So it kind of looks like kssh is failing to post the relevant messages via Keybase? I've tried this on two machines with two keybase users and two different OSs and had the same error.

Extra details (copied from a post I made on Reddit)

I also described this in a reddit post: https://www.reddit.com/r/Keybase/comments/gubooe/keybase_ssh_ca_anyone_got_it_working_received/

I've been trying to get the Keybase teams-based SSH CA working (described https://keybase.io/blog/keybase-ssh-ca) with no success.
I've done all the set-up steps, but when I actually try to use kssh to get to the destination machine (the one set up with the CA, not the one with the bot) I always get the error:
Failed to get a signed key from the CA: failed to get config: Failed to load config(s): received error response from keybase api: DB error (error 2623)

I followed the instructions here: https://keybase-ssh-ca-bot.readthedocs.io/en/latest/getting_started.html
So, I have:

  1. A machine running the bot (Set up using the paper key, and using docker, as described) with a specific bot user (I'll call it @MYBOT)
  2. A destination machine I want to manage SSH permissions on (with the ca.pub file and /etc/ssh/auth_principals/ files containing the team names, and the TrustedUserCAKeys and AuthorizedPrincipalsFile in the sshd_config as per instructions)

Note that I added the bot as a normal user in the channel, not by installing it as a bot. I've tried having it installed as a bot, and also as full user and neither worked.
For reference, the instructions don't specify whether it should be installed as a bot or added as a user (or I don't find it clear, anyway):

Then create {TEAM}.ssh.staging, {TEAM}.ssh.production, {TEAM}.ssh.root_everywhere as new Keybase subteams and add the bot to those subteams. Add users to those subteams based off of the permissions you wish to grant different users

Note that I pulled down the repo using HTTPS rather than SSH as I didn't have SSH keys set up on the server - using the url git clone https://github.com/keybase/bot-sshca.git

I have added the bot to the relevant channels, and verified that I can ping it - i.e. if I ping @mybot then I get pong @myuser. There is nothing in the logs on docker that would make me think it isn't behaving correctly.

2020/06/01 01:24:57 - Subscription: Read -> ok [time=21m1.759092887s]
2020/06/01 01:24:58 + Subscription: Read
2020/06/01 01:24:58 - Subscription: Read -> ok [time=4.447664ms]
2020/06/01 01:24:58 + Subscription: Read

I've tried this using both a Linux client and a Mac client trying to use kssh (although in both cases with the same user). Does anyone have any suggestions as to what to try next? (I haven't opened a github issue or pinged dworken as suggested at the end of the troubleshooting guide - though I'd try the community before bugging them there).

make generate not working

Hello,

When I run this command make generate it throws me an error:

Step 6/26 : RUN go get -d github.com/keybase/client/go/keybase
 ---> Running in 07fd9073caf5
package github.com/stellar/go/build: cannot find package "github.com/stellar/go/build" in any of:
	/usr/lib/go/src/github.com/stellar/go/build (from $GOROOT)
	/go/src/github.com/stellar/go/build (from $GOPATH)
package github.com/stellar/go/clients/horizon: cannot find package "github.com/stellar/go/clients/horizon" in any of:
	/usr/lib/go/src/github.com/stellar/go/clients/horizon (from $GOROOT)
	/go/src/github.com/stellar/go/clients/horizon (from $GOPATH)
The command '/bin/sh -c go get -d github.com/keybase/client/go/keybase' returned a non-zero code: 1
make: *** [Makefile:18: build] Error 1

The installation is not possible anymore, please help

Updating env.sh with additional teams

I have installed bot-sshca by following Getting started steps.

When I update env.sh with additional teams, do I need to run make again?
If yes, do I need to stop previous/existing docker?
What is exact procedure?

Thanks!

Fails to start up on Rpi

On Raspberry Pi 3B V1.2, starting the keybase service consistently fails with the following log output:

Failed to write the client config: failed to start Keybase chat: unable to run Keybase command

I traced the last part down to this line:
https://github.com/keybase/go-keybase-chat-bot/blob/81b8e08b23b9f3e1a602cbfabb457c308604578f/kbchat/kbchat.go#L232

Which was recently added through keybase/go-keybase-chat-bot#64 (16 days before this report). The used build is from today.

What to do? /cc @joshblum

Keybase and KeybaseCA running from where?

The doc shows that keybaseca is running from a docker image and I see a file for building said image but no instructions to do so. Also, in this example, is keybase itself running in docker? If not, how is it running so I can do keybase signup from the instructions? Should this machine NOT be part of another identity?

Integration test should not run prune.

As of right now, when running the integrationTests.sh file, the reset_docker function is called. This is not great on a local development machine where docker is used!
(I just lost all my containers, networks and volumes that I had running locally, that includes a bunch of locally seeded databases!).

I'm guessing that all that is intended to be deleted is the stuff that is created within the tests? In that case, as it uses docker compose already, it might be best to just run docker-compose down to remove all the containers, networks and volumes created by docker-compose up. Making the thing a tad bit more isolated to just the test case.

Feature Request: option to auto explode AckRequests and answers

While I understand the point of having AckRequests and Acks in chat channels, in certain cases it might be nice to have them auto explode. For example, if I need to track which users signed in, the bot's response with the certificate is enough. Once the bot has given this cert, I really don't care about the Ack messages.

It would be nice for these Ack messages to auto explode. The default could, for example, be 5 minutes, and of course be configurable.

Big teams support

Currently the chatbot uses small teams to provision access. It could instead be configured to use big teams and use different channels for different purposes. For example:

  • team.ssh#provision could be used for provisioning new keys
  • team.ssh#log could be used to log details about provisioned keys
  • team.ssh#stats could be used to query the bot for stats about provisioned keys

Docker error: "alpine:3.11 AS builder" is not a valid repository/tag

Following the instructions, this step fails:

✸ make generate
# Avoid prompting for sudo unless the permissions actually need to be chnaged by piping find to xargs
find example-keybaseca-volume/ -not -user $USER | xargs -I {} -- sudo chown -R $USER {}
docker build -t ca -f Dockerfile-ca ..
Sending build context to Docker daemon 7.078 MB
Step 1/25 : FROM alpine:3.11 AS builder
Error parsing reference: "alpine:3.11 AS builder" is not a valid repository/tag: invalid reference format
make: *** [Makefile:14: build] Error 1

[Bug] Key names miss uniqueness.

All generated SSH keys seem to get the same name (keybase-signed-key--), making them non-unique. Maybe they should contain the name of the team, or just use some type of hash of the team name instead?

Segfault on arm64

On arm64/aarch64, precisely on an RPi3 B, just after sending a message to the team from the CLI, the CA server segfaults with:

Started CA bot...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x68a60]

goroutine 38 [running]:
github.com/keybase/go-keybase-chat-bot/kbchat.(*API).Listen.func1(0x4000124280)
	/go/pkg/mod/github.com/keybase/[email protected]/kbchat/kbchat.go:626 +0x2f8
created by github.com/keybase/go-keybase-chat-bot/kbchat.(*API).Listen.func2
	/go/pkg/mod/github.com/keybase/[email protected]/kbchat/kbchat.go:679 +0x28c

Message:
keybase chat send team.ssh.stage "This message kills the auth bot"

Used image: registry.gitlab.com/jitesoft/dockerfiles/keybase-sshca/alpine:latest

It is not consistent: after 5 tests, 4 in 5 messages killed the bot.

kssh fails not loading config file

  • after setting up the chat bot,
  • and validating that manually signing a public key (as recommended in the troubleshooting section of the docs) works,
  • kssh fails with:
Failed to load config file(s): failed to load config file(s): failed to list files in /keybase/team/: 2020-04-16T18:14:33.009083-05:00 ▶ [ERRO keybase main.go:87] 001 context deadline exceeded (exit status 2)

When I check the files of the respective team on my mobile phone, I find a file named kssh-client.config. There it is.

Socket Connection Refused - (CONN KeybaseDaemonRPC 16b78b02) Connection: error dialing transport: dial unix /home/keybase/.config/keybase/keybased.sock: connect: connection refused

Following all instructions from the docs for initial setup, I see the following when running make generate at the end, before it provides the instructions for the machines to connect to. make serve starts it and it runs through the same crash loop endlessly. Running whoami in the container says it's root, and other searches I've done indicate this is an issue, but as far as I can tell from the scripts, it should be correctly dropping down to the keybase user. The end result is the bot won't start up and connect.

2020-08-05T19:34:45.513277Z ▶ [DEBU keybase socket.go:68] 070 + GetSocket
2020-08-05T19:34:45.513286Z ▶ [DEBU keybase context.go:220] 071 - GetSocket -> ok
2020-08-05T19:34:45.513302Z ▶ [DEBU keybase socket.go:78] 072 | empty socket wrapper; need a new one
2020-08-05T19:34:45.513311Z ▶ [DEBU keybase socket_nix.go:103] 073 + SocketInfo#dialSocket(unix:/home/keybase/.config/keybase/keybased.sock)
2020-08-05T19:34:45.513319Z ▶ [DEBU keybase socket_nix.go:132] 074 | net.Dial(unix:/home/keybase/.config/keybase/keybased.sock)
2020-08-05T19:34:45.513348Z ▶ [DEBU keybase socket_nix.go:133] 075 - SocketInfo#dialSocket(unix:/home/keybase/.config/keybase/keybased.sock) -> ERROR: dial unix /home/keybase/.config/keybase/keybased.sock: connect: connection refused
2020-08-05T19:34:45.513362Z ▶ [DEBU keybase socket.go:93] 076 | DialSocket -> ERROR: dial unix /home/keybase/.config/keybase/keybased.sock: connect: connection refused
2020-08-05T19:34:45.513371Z ▶ [WARN kbfs connection.go:612] 077 (CONN KeybaseDaemonRPC 16b78b02) Connection: error dialing transport: dial unix /home/keybase/.config/keybase/keybased.sock: connect: connection refused
2020-08-05T19:34:45.513380Z ▶ [WARN kbfs keybase_daemon_rpc.go:360] 078 KeybaseDaemonRPC: connection error: "dial unix /home/keybase/.config/keybase/keybased.sock: connect: connection refused"; retrying in 2s

Failed to generate a new key: Refusing to overwrite existing key

When I updated env.sh with new teams (related to #62), I stopped the existing Docker container and ran make.

I got an error regarding existing certificates which cannot be overwritten:

~/bot-sshca/docker$ make generate
# Avoid prompting for sudo unless the permissions actually need to be chnaged by piping find to xargs
find example-keybaseca-volume/ -not -user $USER | xargs -I {} -- sudo chown -R $USER {}
docker build -t ca -f Dockerfile-ca ..
Sending build context to Docker daemon  7.004MB
Step 1/22 : FROM ubuntu:18.04
 ---> a2a15febcdf3
Step 2/22 : RUN apt-get -qq update
 ---> Using cache
 ---> d6c9643a903e
Step 3/22 : RUN apt-get -qq  install curl software-properties-common -y
 ---> Using cache
 ---> 7a9f05603c2f
Step 4/22 : RUN useradd -ms /bin/bash keybase
 ---> Using cache
 ---> d61ee2aec756
Step 5/22 : USER keybase
 ---> Using cache
 ---> 0dfba7c571dc
Step 6/22 : WORKDIR /home/keybase
 ---> Using cache
 ---> 831ae9b619c6
Step 7/22 : RUN curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb
 ---> Using cache
 ---> 37f26e495482
Step 8/22 : USER root
 ---> Using cache
 ---> c49bfef7343f
Step 9/22 : RUN dpkg -i keybase_amd64.deb || true
 ---> Using cache
 ---> 390a05239f65
Step 10/22 : RUN apt-get install -fy
 ---> Using cache
 ---> 42b230b48cc7
Step 11/22 : USER keybase
 ---> Using cache
 ---> 7e74bdea9f69
Step 12/22 : USER root
 ---> Using cache
 ---> cf4a8485f68b
Step 13/22 : RUN add-apt-repository ppa:gophers/archive -y
 ---> Using cache
 ---> 95143e045bda
Step 14/22 : RUN apt-get update
 ---> Using cache
 ---> ff549f8c8845
Step 15/22 : RUN apt-get install golang-1.11-go git sudo -y
 ---> Using cache
 ---> dfac09566a5b
Step 16/22 : USER keybase
 ---> Using cache
 ---> 92d4df7518fe
Step 17/22 : COPY --chown=keybase go.mod .
 ---> Using cache
 ---> c69108e0631a
Step 18/22 : COPY --chown=keybase go.sum .
 ---> Using cache
 ---> 58d2c38dc92f
Step 19/22 : RUN /usr/lib/go-1.11/bin/go mod download
 ---> Using cache
 ---> 2fbda725d170
Step 20/22 : COPY --chown=keybase ./ /home/keybase/
 ---> 153590fb1f1b
Step 21/22 : RUN /usr/lib/go-1.11/bin/go build -o bin/keybaseca src/cmd/keybaseca/keybaseca.go
 ---> Running in 0c484fc069f7
Removing intermediate container 0c484fc069f7
 ---> df8e6bd38f71
Step 22/22 : USER root
 ---> Running in d352f37a2ce5
Removing intermediate container d352f37a2ce5
 ---> 7e74fc7d90bc
Successfully built 7e74fc7d90bc
Successfully tagged ca:latest
docker run -e FORCE_WRITE=false -v /home/schlos/bot-sshca/docker/example-keybaseca-volume:/mnt:rw ca:latest docker/entrypoint-generate.sh
2019/09/09 20:13:21 Failed to generate a new key: Refusing to overwrite existing key (try with --overwrite-existing-key or FORCE_WRITE=true if you're sure): /mnt/keybase-ca-key
Makefile:18: recipe for target 'generate' failed
make: *** [generate] Error 1

I have tried to run make serve --overwrite-existing-key as instructed (as I can safely overwrite old keys) but it's not supported for make.

make generate errors out because of env vars

I've been chasing this for a couple of hours, and although I have it working, I'm unsure why it needs all this to work.

Summary

make generate fails with errors from keybase oneshot that there are no KEYBASE_USERNAME or TEAMS variables set.

Error parsing command line arguments: Need a --username option or a KEYBASE_USERNAME environment variable
2020/02/01 16:08:15 Failed to validate config: must specify at least one team via the TEAMS environment variable
Makefile:18: recipe for target 'generate' failed

First Workaround

Problem

  • Running the docker run command with the env.list shows that the env vars are present in the shell.
  • Setting entrypoint-generate.sh to print the value of $TEAMS and $KEYBASE_USERNAME also works
  • The sudo command doesn't export these, and since we aren't using -E with sudo (and can't because of -i), those vars appear to drop off.

Solution

  • add additional export lines for the missing variables
export "TEAMS=$TEAMS"
export "KEYBASE_USERNAME=$KEYBASE_USERNAME"
export "KEYBASE_PAPERKEY=$KEYBASE_PAPERKEY"

Second Workaround

The previous workaround solved the problems of the vars not being available, but it generated a new error:

▶ ERROR No device found no device found for paper key
2020/02/01 17:09:08 Failed to validate config: failed to validate KEYBASE_USERNAME and KEYBASE_PAPERKEY: exit status 2

Problem

The previous workaround didn't solve the issue, and I noticed that when echoing the vars from entrypoint-generate.sh they included the double quotes:

TEAMS='"lurchy.ssh.root_everywhere,lurchy.ssh.standard"'

Solution

  • Don't quote the variables in env.list - they will be wrapped in single quotes when loaded into the container.

I'll submit a PR later today.
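The second workaround above turns on how docker --env-file reads the file. As an added illustration, not part of the issue or of the project's scripts, the Go parser below reads an env.list with the rules docker applies (no quote stripping, comments and blank lines skipped, a bare NAME copied from the host environment) and flags every value that would reach the container wrapped in literal quotes, which is exactly the TEAMS='"..."' the poster saw. The sample env.list, the bot username and the paper-key placeholder are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// EnvVar is one variable as `docker run --env-file` will inject it into the container.
type EnvVar struct {
	Key, Value string
}

// quoted reports whether a value starts and ends with the same quote character.
func quoted(v string) bool {
	return len(v) >= 2 && (v[0] == '"' || v[0] == '\'') && v[len(v)-1] == v[0]
}

// ParseEnvFile reads an env.list with the rules docker's --env-file applies: leading
// whitespace is dropped, blank lines and '#' comments are skipped, everything after the
// first '=' is the value, and no quote processing happens at all, so TEAMS="a,b" reaches
// the container as the five characters "a,b" with the quotes intact. Values that would
// carry surrounding quotes are reported in warnings; a bare NAME (no '=') is reported
// too, because docker fills it from the host environment, which this parser cannot see.
func ParseEnvFile(contents string) (vars []EnvVar, warnings []string, err error) {
	sc := bufio.NewScanner(strings.NewReader(contents))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimLeft(sc.Text(), " \t")
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		key := strings.TrimSpace(kv[0])
		if key == "" || strings.ContainsAny(key, " \t") {
			return nil, nil, fmt.Errorf("env.list line %d: bad variable name %q", n, kv[0])
		}
		if len(kv) == 1 {
			warnings = append(warnings, fmt.Sprintf("line %d: %s has no '='; docker copies it from the host environment", n, key))
			continue
		}
		value := kv[1] // kept verbatim: docker neither trims nor unquotes it
		if quoted(value) {
			warnings = append(warnings, fmt.Sprintf("line %d: %s is wrapped in quotes that docker passes literally; write %s=%s",
				n, key, key, value[1:len(value)-1]))
		}
		vars = append(vars, EnvVar{key, value})
	}
	return vars, warnings, sc.Err()
}

// A constructed env.list: the quoted TEAMS line from the issue next to unquoted values.
const sampleEnvList = `# Keybase SSH CA bot settings (constructed example, not a real paper key)
TEAMS="lurchy.ssh.root_everywhere,lurchy.ssh.standard"
KEYBASE_USERNAME=lurchybot
KEYBASE_PAPERKEY=twelve placeholder words go here
`

func main() {
	vars, warnings, err := ParseEnvFile(sampleEnvList)
	if err != nil {
		panic(err)
	}
	for _, v := range vars {
		fmt.Printf("%s=%q\n", v.Key, v.Value) // %q makes the literal quotes visible
	}
	for _, w := range warnings {
		fmt.Println("warning:", w)
	}
}
```

Running this over a real env.list before make generate catches the quoting mistake on the host, where the message is readable, instead of inside the container as a paper-key validation failure.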

Does the Bot Server need comms to the supported servers?

Possibly just a docs clarification - the 'secured' server...

  1. does it require communication over a network to the supported servers or do those servers just trust forever the CA's cert?
  2. do laptops or clients that are running require communication to the bot server to get their temp keys? if so, what port?

timeout issues

Looks like on RPi appliances the arbitrary timeout of 3 seconds is not always enough to bring up all services correctly. Therefore they might fail.

I therefore suggest inspecting the health and readiness of kbfsfuse and the keybase service rather than relying on the timeout. And if they don't expose health parameters, modify those libraries so that they do.

kssh install

The documentation for this project is very poor. A few specific examples.

On the Keybase SSH announcement blog post it says See the Getting Started directions on Github for information about setting up and deploying the Keybase SSH CA bot, with Getting Started linking to https://github.com/keybase/bot-sshca#getting-started, which is no longer a valid URL. It looks like that URL needs to be updated to https://keybase-ssh-ca-bot.readthedocs.io/en/latest/getting_started.html instead.

On that Getting Started page it says Now download the kssh binary and start SSHing! See https://github.com/keybase/bot-sshca/releases to download the most recent version of kssh for your platform. But when downloading the macOS version it downloads a .dms file. Which seems really weird, and a file format that I have never seen before, nor does Google seem to have much solid information on (one link I found on Google said the solution is to rename to .dmg, which I do not believe is accurate in this case, but if it is, that is something Keybase should correct on their end). So I tried to make this file executable, chmod +x kssh-mac.dms, then ran it ./kssh-mac.dms, but I got a dialog that says “kssh-mac.dms” cannot be opened because the developer cannot be verified.

What am I missing here?

Possible to run the bot serverless on lambda/cloud-functions?

Hello,

I just found out about the Keybase bot sshca even though it's from like 3 years ago. I must have been living under a rock! Thanks for the great work on it! I can't explain how excited it made me that Keybase has ventured into this area - I am really dissatisfied with the existing players who offer CAs.

I wanted to ask if anyone has thought about running the bot in a serverless environment? I see it's written in Go, and AFAIK AWS Lambda supports Go. There are also existing projects which deploy like this.

I think it would really shine when run in a serverless env, and would cut down on the ops bandwidth required for teams to start using it.

"Unprotected private key file" provides wrong path

In the bot log an error is logged when processing a message (from kssh).

Encountered error while processing message from xxxx (messageID:80): ssh-keygen error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/mnt/keybase-ca-key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/mnt/keybase-ca-key": bad permissions (exit status 255)

The directory /mnt doesn't contain the ca-key file, however. After some searching I found it in the ../bot-ssha/docker/example-keybaseca-volume directory.
CA_KEY_LOCATION is not set.

On Ubuntu 16.04LTS
Docker: 19.03.5 build 633a0ea838
VERSION= 1.1.0
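As an added example, not code from bot-sshca: the Go check below reproduces the rule ssh-keygen applies before it loads a private key, and is the pre-flight test a CA service should run on its key file at start-up rather than discovering the problem inside a signing request, as the log above does. It assumes the path resolution the issue implies (CA_KEY_LOCATION if set, otherwise /mnt/keybase-ca-key, the path in the quoted error); the docker run line qu

oted further up this page bind-mounts example-keybaseca-volume at /mnt, which is why the file the error names lives in that host directory and why a chmod 0600 on the host copy is what the container sees through the mount.

```go
package main

import (
	"fmt"
	"os"
)

// CheckCAKeyFile applies the rule ssh-keygen enforces before loading a private key:
// the file must exist, be a regular file, and carry no group/other permission bits
// (0600 or stricter). The error names the offending bits so the operator knows what
// to chmod. Ownership is not checked here; ssh-keygen additionally requires the file
// to be owned by the calling user or root.
func CheckCAKeyFile(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return fmt.Errorf("CA key: %w", err) // a wrong CA_KEY_LOCATION or a missing bind mount ends up here
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("CA key %s: not a regular file (%s)", path, info.Mode())
	}
	perm := info.Mode().Perm()
	if open := perm & 0o077; open != 0 {
		return fmt.Errorf("CA key %s: permissions %04o are too open (group/other bits %04o); run chmod 0600", path, perm, open)
	}
	return nil
}

// FixCAKeyFile tightens the key to 0600 and re-runs the check, which is the repair
// for the "UNPROTECTED PRIVATE KEY FILE" refusal quoted in the issue.
func FixCAKeyFile(path string) error {
	if err := os.Chmod(path, 0o600); err != nil {
		return fmt.Errorf("CA key %s: %w", path, err)
	}
	return CheckCAKeyFile(path)
}

// CAKeyLocation is the assumed resolution order: CA_KEY_LOCATION if set, otherwise the
// /mnt/keybase-ca-key path that appears in the quoted error. env is injected so the
// function can be tested without touching the real environment.
func CAKeyLocation(env func(string) string) string {
	if p := env("CA_KEY_LOCATION"); p != "" {
		return p
	}
	return "/mnt/keybase-ca-key"
}

func main() {
	path := CAKeyLocation(os.Getenv)
	if err := CheckCAKeyFile(path); err != nil {
		fmt.Println("refusing to sign:", err)
		os.Exit(1)
	}
	fmt.Println("CA key permissions OK:", path)
}
```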

kssh-windows 1.1.0-1b8ee3a - fork/exec not supported

Downloading the binary for kssh-windows 1.1.0 gets a file without an extension. Renaming it to kssh-windows.exe, we get the following error:

PS C:\Users\[redacted]\Downloads> .\kssh-windows.exe [user]@[host]
error starting Keybase chat: fork/exec C:\Users\[redacted]\AppData\Local\Keybase\keybase.exe: not supported by windows

Hyperswarm support?

Setting up ssh when you're behind a firewall or a NAT is pretty painful. However with hyperswarm that can be worked around: https://github.com/mafintosh/hyperssh. It doesn't depend on any centralized server and seems like it should be pretty secure.

I think this would be a really cool thing to integrate into kssh.
