bwssh 0.1.1__tar.gz

bwssh-0.1.1/PKG-INFO

@@ -0,0 +1,196 @@
+Metadata-Version: 2.3
+Name: bwssh
+Version: 0.1.1
+Summary: Bitwarden-backed SSH agent for Linux
+Requires-Dist: click>=8.3.1
+Requires-Dist: cryptography>=46.0.4
+Requires-Dist: dbus-fast>=4.0.0
+Requires-Dist: textual>=7.5.0
+Requires-Dist: pygobject>=3.42.0,<3.50 ; extra == 'gui'
+Requires-Python: >=3.12
+Provides-Extra: gui
+Description-Content-Type: text/markdown
+
+# bwssh
+
+Bitwarden-backed SSH agent for Linux. Store your SSH keys in Bitwarden and use
+them seamlessly with any SSH client.
+
+## Features
+
+-   **Bitwarden integration**: SSH keys stored securely in your Bitwarden vault
+-   **Standard SSH agent**: Works with `ssh`, `git`, and any SSH client
+-   **Systemd integration**: Runs as a user service, starts on login
+-   **Forwarding protection**: Blocks remote servers from using your keys
+-   **Optional polkit prompts**: Desktop authorization popups (disabled by default)
+
+## Requirements
+
+-   Linux with systemd user services
+-   Python 3.12+
+-   Bitwarden CLI (`bw`) installed and logged in
+
+## Installation
+
+```bash
+uv sync
+```
+
+## Bitwarden CLI
+
+Install the Bitwarden CLI (`bw`) and log in before using bwssh. See
+https://bitwarden.com/help/cli/ for installation instructions.
+
+```bash
+bw --version
+bw login
+```
+
+## Quick start
+
+```bash
+uv run bwssh install --user-systemd
+uv run bwssh start
+uv run bwssh unlock
+```
+
+```bash
+export SSH_AUTH_SOCK=${XDG_RUNTIME_DIR}/bwssh/agent.sock
+ssh -T git@github.com
+```
+
+## Configuration
+
+Config file: `~/.config/bwssh/config.toml`
+
+### Quick Setup (Recommended)
+
+The easiest way to configure bwssh is to use the init command:
+
+```bash
+# First, unlock Bitwarden
+export BW_SESSION=$(bw unlock --raw)
+
+# Then run init to auto-discover SSH keys
+bwssh config init
+```
+
+This will find all SSH keys in your Bitwarden vault and create a config file.
+
+### Manual Setup
+
+If you prefer to configure manually, first find your SSH key IDs:
+
+```bash
+bw list items | jq -r '.[] | select(.sshKey != null) | "\(.id) \(.name)"'
+```
+
+Then create `~/.config/bwssh/config.toml`:
+
+```toml
+[bitwarden]
+bw_path = "/full/path/to/bw"  # Use 'which bw' to find this
+item_ids = [
+    "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",  # your-key-name
+]
+```
+
+### Full Config Example
+
+```toml
+[daemon]
+log_level = "INFO"
+
+[bitwarden]
+bw_path = "/usr/bin/bw"
+item_ids = [
+    "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+]
+
+[auth]
+# Polkit authorization prompts (default: disabled)
+require_polkit = false
+
+# Block forwarded agent requests (recommended)
+deny_forwarded_by_default = true
+
+[ssh]
+allow_ed25519 = true
+allow_ecdsa = true
+allow_rsa = true
+```
+
+### Environment Variables
+
+-   `BWSSH_RUNTIME_DIR`: Override socket directory
+-   `BWSSH_LOG_LEVEL`: Override log level
+-   `BW_SESSION`: Bitwarden session key (auto-detected by `bwssh unlock`)
+
+## Security
+
+### Default Mode
+
+By default, bwssh allows all local signing requests without prompts. Security comes from:
+
+-   **Auto-lock on sleep**: Keys are cleared when your laptop sleeps (enabled by default)
+-   **Forwarded agent blocking**: Remote servers can't use your keys
+-   **Manual lock**: Run `bwssh lock` when stepping away
+
+### Polkit Prompts (Optional)
+
+For extra security, enable polkit to show desktop prompts for each signing request:
+
+```toml
+[auth]
+require_polkit = true
+```
+
+This requires installing the polkit policy:
+
+```bash
+bwssh install --polkit | sudo tee /usr/share/polkit-1/actions/io.github.reidond.bwssh.policy > /dev/null
+```
+
+See `docs/` for detailed polkit setup instructions.
+
+## CLI Commands
+
+```bash
+# Daemon control
+bwssh start              # Start the agent daemon
+bwssh stop               # Stop the agent daemon
+bwssh status             # Show daemon status
+
+# Key management
+bwssh unlock             # Unlock vault and load keys
+bwssh lock               # Lock agent and clear keys
+bwssh sync               # Reload keys from Bitwarden
+bwssh keys               # List loaded SSH keys
+
+# Configuration
+bwssh config init        # Auto-discover SSH keys and create config
+bwssh config show        # Show current configuration
+
+# Installation
+bwssh install --user-systemd   # Install systemd user service
+bwssh install --polkit         # Print polkit policy file
+```
+
+## Documentation
+
+Full documentation lives in `docs/` and can be served locally:
+
+```bash
+cd docs
+bun install
+bun run dev
+```
+
+## Development
+
+```bash
+uv run ruff check .
+uv run ruff format .
+uv run mypy src tests
+uv run pytest
+```

bwssh-0.1.1/README.md

@@ -0,0 +1,183 @@
+# bwssh
+
+Bitwarden-backed SSH agent for Linux. Store your SSH keys in Bitwarden and use
+them seamlessly with any SSH client.
+
+## Features
+
+-   **Bitwarden integration**: SSH keys stored securely in your Bitwarden vault
+-   **Standard SSH agent**: Works with `ssh`, `git`, and any SSH client
+-   **Systemd integration**: Runs as a user service, starts on login
+-   **Forwarding protection**: Blocks remote servers from using your keys
+-   **Optional polkit prompts**: Desktop authorization popups (disabled by default)
+
+## Requirements
+
+-   Linux with systemd user services
+-   Python 3.12+
+-   Bitwarden CLI (`bw`) installed and logged in
+
+## Installation
+
+```bash
+uv sync
+```
+
+## Bitwarden CLI
+
+Install the Bitwarden CLI (`bw`) and log in before using bwssh. See
+https://bitwarden.com/help/cli/ for installation instructions.
+
+```bash
+bw --version
+bw login
+```
+
+## Quick start
+
+```bash
+uv run bwssh install --user-systemd
+uv run bwssh start
+uv run bwssh unlock
+```
+
+```bash
+export SSH_AUTH_SOCK=${XDG_RUNTIME_DIR}/bwssh/agent.sock
+ssh -T git@github.com
+```
+
+## Configuration
+
+Config file: `~/.config/bwssh/config.toml`
+
+### Quick Setup (Recommended)
+
+The easiest way to configure bwssh is to use the init command:
+
+```bash
+# First, unlock Bitwarden
+export BW_SESSION=$(bw unlock --raw)
+
+# Then run init to auto-discover SSH keys
+bwssh config init
+```
+
+This will find all SSH keys in your Bitwarden vault and create a config file.
+
+### Manual Setup
+
+If you prefer to configure manually, first find your SSH key IDs:
+
+```bash
+bw list items | jq -r '.[] | select(.sshKey != null) | "\(.id) \(.name)"'
+```
+
+Then create `~/.config/bwssh/config.toml`:
+
+```toml
+[bitwarden]
+bw_path = "/full/path/to/bw"  # Use 'which bw' to find this
+item_ids = [
+    "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",  # your-key-name
+]
+```
+
+### Full Config Example
+
+```toml
+[daemon]
+log_level = "INFO"
+
+[bitwarden]
+bw_path = "/usr/bin/bw"
+item_ids = [
+    "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+]
+
+[auth]
+# Polkit authorization prompts (default: disabled)
+require_polkit = false
+
+# Block forwarded agent requests (recommended)
+deny_forwarded_by_default = true
+
+[ssh]
+allow_ed25519 = true
+allow_ecdsa = true
+allow_rsa = true
+```
+
+### Environment Variables
+
+-   `BWSSH_RUNTIME_DIR`: Override socket directory
+-   `BWSSH_LOG_LEVEL`: Override log level
+-   `BW_SESSION`: Bitwarden session key (auto-detected by `bwssh unlock`)
+
+## Security
+
+### Default Mode
+
+By default, bwssh allows all local signing requests without prompts. Security comes from:
+
+-   **Auto-lock on sleep**: Keys are cleared when your laptop sleeps (enabled by default)
+-   **Forwarded agent blocking**: Remote servers can't use your keys
+-   **Manual lock**: Run `bwssh lock` when stepping away
+
+### Polkit Prompts (Optional)
+
+For extra security, enable polkit to show desktop prompts for each signing request:
+
+```toml
+[auth]
+require_polkit = true
+```
+
+This requires installing the polkit policy:
+
+```bash
+bwssh install --polkit | sudo tee /usr/share/polkit-1/actions/io.github.reidond.bwssh.policy > /dev/null
+```
+
+See `docs/` for detailed polkit setup instructions.
+
+## CLI Commands
+
+```bash
+# Daemon control
+bwssh start              # Start the agent daemon
+bwssh stop               # Stop the agent daemon
+bwssh status             # Show daemon status
+
+# Key management
+bwssh unlock             # Unlock vault and load keys
+bwssh lock               # Lock agent and clear keys
+bwssh sync               # Reload keys from Bitwarden
+bwssh keys               # List loaded SSH keys
+
+# Configuration
+bwssh config init        # Auto-discover SSH keys and create config
+bwssh config show        # Show current configuration
+
+# Installation
+bwssh install --user-systemd   # Install systemd user service
+bwssh install --polkit         # Print polkit policy file
+```
+
+## Documentation
+
+Full documentation lives in `docs/` and can be served locally:
+
+```bash
+cd docs
+bun install
+bun run dev
+```
+
+## Development
+
+```bash
+uv run ruff check .
+uv run ruff format .
+uv run mypy src tests
+uv run pytest
+```

bwssh-0.1.1/pyproject.toml

@@ -0,0 +1,102 @@
+#:schema false
+
+[project]
+name = "bwssh"
+version = "0.1.1"
+description = "Bitwarden-backed SSH agent for Linux"
+readme = "README.md"
+requires-python = ">=3.12"
+dependencies = [
+  "click>=8.3.1",
+  "cryptography>=46.0.4",
+  "dbus-fast>=4.0.0",
+  "textual>=7.5.0",
+]
+
+[project.optional-dependencies]
+gui = ["PyGObject>=3.42.0,<3.50"]
+
+[project.scripts]
+bwssh = "bwssh.cli:main"
+bwssh-agentd = "bwssh.daemon:main_entry"
+
+[dependency-groups]
+dev = [
+  "ruff>=0.9",
+  "pytest>=8.0",
+  "pytest-cov>=6.0",
+  "mypy>=1.14",
+  "pytest-asyncio>=1.3.0",
+]
+
+[build-system]
+requires = ["uv_build>=0.9.28,<0.10.0"]
+build-backend = "uv_build"
+
+[tool.ruff]
+target-version = "py312"
+line-length = 88
+src = ["src", "tests"]
+
+[tool.ruff.lint]
+select = [
+  "E",   # pycodestyle errors
+  "W",   # pycodestyle warnings
+  "F",   # pyflakes
+  "I",   # isort
+  "B",   # flake8-bugbear
+  "C4",  # flake8-comprehensions
+  "UP",  # pyupgrade
+  "ARG", # flake8-unused-arguments
+  "SIM", # flake8-simplify
+  "TCH", # flake8-type-checking
+  "PTH", # flake8-use-pathlib
+  "ERA", # eradicate (commented out code)
+  "PL",  # pylint
+  "RUF", # ruff-specific rules
+]
+ignore = [
+  "PLR0913", # too many arguments
+  "PLR2004", # magic value comparison
+]
+
+[tool.ruff.lint.isort]
+known-first-party = ["bwssh"]
+
+[tool.ruff.format]
+quote-style = "double"
+indent-style = "space"
+skip-magic-trailing-comma = false
+line-ending = "auto"
+
+[tool.mypy]
+python_version = "3.12"
+strict = true
+warn_return_any = true
+warn_unused_ignores = true
+disallow_untyped_defs = true
+disallow_incomplete_defs = true
+
+[[tool.mypy.overrides]]
+module = "textual.*"
+ignore_missing_imports = true
+
+[[tool.mypy.overrides]]
+module = "gi.*"
+ignore_missing_imports = true
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+pythonpath = ["src"]
+addopts = ["-ra", "-q", "--strict-markers"]
+
+[tool.coverage.run]
+source = ["src/bwssh"]
+branch = true
+
+[tool.coverage.report]
+exclude_lines = [
+  "pragma: no cover",
+  "if TYPE_CHECKING:",
+  "if __name__ == .__main__.:",
+]

bwssh-0.1.1/src/bwssh/__init__.py

@@ -0,0 +1,7 @@
+"""bwssh - Add your description here."""
+
+import logging
+
+__version__ = "0.1.0"
+
+logger = logging.getLogger(__name__)

bwssh-0.1.1/src/bwssh/agent_proto.py

@@ -0,0 +1,66 @@
+"""SSH agent protocol message framing over asyncio streams.
+
+Wire format (per IETF draft-miller-ssh-agent-17 §3):
+  [uint32 length][byte msg_type][payload...]
+
+Length field = 1 (type byte) + len(payload).  All multi-byte integers are big-endian.
+
+SSH string format:
+  [uint32 length][data...]
+"""
+
+from __future__ import annotations
+
+import logging
+import struct
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    import asyncio
+
+logger = logging.getLogger(__name__)
+
+_UINT32 = struct.Struct(">I")
+
+
+def pack_uint32(n: int) -> bytes:
+    return _UINT32.pack(n)
+
+
+def unpack_uint32(data: bytes, offset: int) -> tuple[int, int]:
+    (value,) = _UINT32.unpack_from(data, offset)
+    return value, offset + 4
+
+
+def pack_string(data: bytes) -> bytes:
+    return _UINT32.pack(len(data)) + data
+
+
+def unpack_string(data: bytes, offset: int) -> tuple[bytes, int]:
+    length, offset = unpack_uint32(data, offset)
+    end = offset + length
+    if end > len(data):
+        raise ValueError(
+            f"SSH string at offset {offset - 4}: need {length} bytes, "
+            f"have {len(data) - offset}"
+        )
+    return data[offset:end], end
+
+
+async def read_message(reader: asyncio.StreamReader) -> tuple[int, bytes]:
+    raw_length = await reader.readexactly(4)
+    (length,) = _UINT32.unpack(raw_length)
+
+    raw_body = await reader.readexactly(length)
+    msg_type = raw_body[0]
+    payload = raw_body[1:]
+    return msg_type, payload
+
+
+async def write_message(
+    writer: asyncio.StreamWriter, msg_type: int, payload: bytes
+) -> None:
+    length = 1 + len(payload)
+    header = _UINT32.pack(length) + bytes([msg_type])
+    writer.write(header + payload)
+    await writer.drain()