Conversation

@mkitti
Contributor

@mkitti mkitti commented Jan 22, 2026

  • Add custom SSHKeyContentResponse that wipes memory after sending content
  • SSHKeyContentResponse also sends the response line by line to minimize caching downstream
  • Use pydantic.SecretStr to guard ssh private key password
  • Add restrict and pty keywords to authorized_keys options. Consider whether Seqera needs a pty or not.
  • Add fileglancer to authorized_keys comment
  • Only manage keys which have fileglancer in the comment. New keys have this comment.
  • Add a "temporary" key option in which the permanent key is not saved to the server and is shown once to the user. Only the public key is added to authorized_keys. This is useful if the user already has an unmanaged "permanent" key but still needs to generate a key via this interface.
  • The only "permanent" key is the default id_ed25519 option. This is only managed if it has a "fileglancer" comment.
  • Added the ability to regenerate id_ed25519.pub if only id_ed25519 exists.
  • Add tests for SSH key handling

Questions:

  1. The naming of "permanent" versus "temporary" keys may be confusing. It might be misconstrued to mean that the "temporary" key only works for a limited time, whereas it is merely not saved. Is there better terminology?
  2. Do we actually need to generate the private key on the server side?
  3. How can we best balance convenience with the current zero-trust security framework of HHMI central IT?
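The authorized_keys handling described in the list above, as an added example that is not the PR's own code: it parses entries (honouring double-quoted options), treats only entries whose comment contains `fileglancer` as managed, builds the `restrict,pty` line for a newly generated key, and removes a managed key without touching any unmanaged line. The exact entry layout, the function names and the sample file are assumptions, not taken from the project.

```python
from collections import namedtuple

# Key types that may begin an entry; any other first field is an options list.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MANAGED_COMMENT = "fileglancer"  # marker from the PR; only such entries are touched
Entry = namedtuple("Entry", "options key_type key comment")
# Constructed sample file: one unmanaged key, two managed ones (one with a
# quoted option that contains a comma and a space). Key blobs are fake.
SAMPLE = """# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyOne alice@laptop
restrict,pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyTwo fileglancer
command="echo a, b",no-pty ssh-rsa AAAAB3NzaC1yc2EFakeKeyThree fileglancer temp
"""

def parse_entry(line):
    """Parse one authorized_keys line; None for blanks, comments or junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # End of the first field, honouring double quotes so command="a, b" stays one field.
    i, in_quote = 0, False
    while i < len(line) and (in_quote or not line[i].isspace()):
        if line[i] == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        i += 1
    first = line[:i]
    options, body = ("", line) if first in KEY_TYPES else (first, line[i:].lstrip())
    parts = body.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    return Entry(options, parts[0], parts[1], parts[2] if len(parts) == 3 else "")

def is_managed(entry):
    return entry is not None and MANAGED_COMMENT in entry.comment

def managed_entries(text):
    """Only entries whose comment carries the marker are under management."""
    return [e for e in map(parse_entry, text.splitlines()) if is_managed(e)]

def managed_line(pubkey_line):
    """Entry for a new key: restrict,pty options and a clean marker comment (assumed form)."""
    key_type, key = pubkey_line.split(None, 2)[:2]
    return f"restrict,pty {key_type} {key} {MANAGED_COMMENT}"

def remove_managed_key(text, key):
    """Drop the managed entry for this key blob; every other line is kept byte for byte."""
    kept = [ln for ln in text.splitlines()
            if not (is_managed(e := parse_entry(ln)) and e.key == key)]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")
```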

mkitti and others added 10 commits January 21, 2026 22:40
- Add ability to generate temporary SSH keys that are added to
  authorized_keys but private key is only shown once for copying
- Add regenerate public key from private key functionality
- Track id_ed25519 status (exists, unmanaged, missing pubkey)
- Hide private key display in temp key dialog, only allow copy
- Sort keys with id_ed25519 displayed first
- Use clean 'fileglancer' comment when regenerating public keys

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Test coverage for functionality added in recent commits:
- generate_temp_key_and_authorize with passphrase support
- regenerate_public_key from private key
- check_id_ed25519_status for managed/unmanaged detection
- list_ssh_keys sorting (id_ed25519 first)
- Umask restoration after key generation
- TempKeyResponse header inclusion and temp file cleanup
- _parse_authorized_keys_fileglancer filtering

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@mkitti mkitti requested a review from krokicki January 26, 2026 19:48
Member

@krokicki krokicki left a comment

Nice work, @mkitti! I confirmed that the generated key works in Seqera Platform. We can continue to tweak the UX after merging this.

@mkitti
Contributor Author

mkitti commented Jan 28, 2026

Note that this pull request is into the ssh-key-manager branch, rather than main. The sequence would be to first merge this, and then return to #290.

@krokicki krokicki merged commit 0518b35 into JaneliaSciComp:ssh-key-manager Jan 28, 2026
3 checks passed