alknet/tasks/auth/key-loading.md
glm-5.1 5c820a41e9 tasks: decompose Phase 0a ADR foundation and mark prior tasks completed
Add 10 new tasks under tasks/architecture/ for Phase 0a (ADR writing):
- 9 ADR tasks (026-034) with dependency-ordered structure
- 1 review checkpoint task before Phase 0b spec writing

ADR dependency graph (3 generations):
  Gen 1 (parallel): 026, 029, 030, 031, 032, 034
  Gen 2 (depends on 029): 027, 028
  Gen 3 (depends on 027+028): 033
  Gen 4: review checkpoint

Also mark all 34 prior implementation tasks as completed — they
were finished but still showing as pending in the taskgraph.
2026-06-07 08:55:33 +00:00


| id | name | status | depends_on | scope | risk | impact | level |
|---|---|---|---|---|---|---|---|
| auth/key-loading | Implement SSH key material loading (file paths and in-memory data) | completed | auth/error-types, setup/project-init | narrow | low | component | implementation |

Description

Implement key material loading that accepts both file paths and in-memory data per the programmatic-first API (ADR-011). Key inputs (--identity, --authorized-keys, --cert-authority, --key) accept either:

  • File path: load from filesystem
  • In-memory data: raw key bytes provided programmatically

All keys must be in OpenSSH key format (not PEM/PKCS#1/PKCS#8). This module handles:

  • Loading private keys (OpenSSH format: -----BEGIN OPENSSH PRIVATE KEY-----)
  • Loading public keys (OpenSSH format: ssh-ed25519 AAAA... user@host)
  • Loading authorized_keys files (standard OpenSSH format)
  • Parsing cert-authority entries in authorized_keys

Acceptance Criteria

  • crates/alknet-core/src/auth/keys.rs exports key loading functions
  • KeySource enum: File(PathBuf) and Memory(Vec<u8>) for unified key input handling
  • load_private_key(source: KeySource) -> Result<russh::key::KeyPair> — loads OpenSSH private key from file or memory
  • load_public_keys(source: KeySource) -> Result<Vec<russh::key::PublicKey>> — loads one or more public keys from authorized_keys format
  • Parses standard authorized_keys format including options (e.g., cert-authority,permit-port-forwarding ssh-ed25519 AAAA...)
  • CertAuthorityEntry struct: public_key: PublicKey, options: Vec<String> parsed from authorized_keys cert-authority lines
  • Returns ConfigError::KeyFileNotFound for missing file paths
  • Returns ConfigError::InvalidFlag with clear message for PEM-encoded (non-OpenSSH) keys
  • Unit tests: load Ed25519 key from file, load from memory, parse authorized_keys with multiple entries, reject PEM format
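The Description and Acceptance Criteria above describe a KeySource that is either a path or in-memory bytes, an authorized_keys parser that understands option prefixes such as cert-authority, and rejection of non-OpenSSH key material. The following is an added, std-only sketch of that loading path written for this page; it is not the crate's code and does not use russh, so the names KeyError, AuthorizedKey and load_authorized_keys are assumptions standing in for the ConfigError and russh types named in the criteria.

```rust
use std::path::PathBuf;
/// Unified key input as the task specifies (std-only stand-in for the crate's KeySource).
#[derive(Debug)]
pub enum KeySource { File(PathBuf), Memory(Vec<u8>) }
/// Hypothetical stand-in for the ConfigError variants named in the acceptance criteria.
#[derive(Debug, PartialEq)]
pub enum KeyError { KeyFileNotFound(PathBuf), InvalidFlag(String) }
/// One entry, `[options] key-type base64-blob [comment]`; cert_authority flags the CA case.
#[derive(Debug, PartialEq)]
pub struct AuthorizedKey { pub options: Vec<String>, pub cert_authority: bool, pub key_type: String,
                           pub blob_b64: String, pub comment: Option<String> }
/// Constructed sample (fake blobs, not real keys): a CA entry with a quoted option, then a user key.
pub const SAMPLE_AUTHORIZED_KEYS: &str = "# constructed sample\n\
cert-authority,from=\"10.0.0.1,10.0.0.2\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEBLOBA ca@example\n\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEBLOBB user@host\n";

fn read_source(src: &KeySource) -> Result<Vec<u8>, KeyError> {
    match src { KeySource::Memory(b) => Ok(b.clone()),
        KeySource::File(p) => std::fs::read(p).map_err(|_| KeyError::KeyFileNotFound(p.clone())) }
}
/// Split the options field on commas, but not inside quotes (e.g. from="10.0.0.1,10.0.0.2").
fn split_options(field: &str) -> Vec<String> {
    let (mut out, mut cur, mut quoted) = (Vec::new(), String::new(), false);
    for c in field.chars() {
        match c {
            '"' => { quoted = !quoted; cur.push(c) }
            ',' if !quoted => out.push(std::mem::take(&mut cur)),
            _ => cur.push(c),
        }
    }
    if !cur.is_empty() { out.push(cur) }
    out
}

/// Parse authorized_keys text from file or memory. Any `-----BEGIN` armor (PEM, or a private-key
/// block) is rejected up front: this format holds only one-line OpenSSH public keys.
/// Simplification: quoted options that themselves contain spaces (command="a b") are not handled.
pub fn load_authorized_keys(src: &KeySource) -> Result<Vec<AuthorizedKey>, KeyError> {
    let text = String::from_utf8_lossy(&read_source(src)?).into_owned();
    if text.contains("-----BEGIN ") { return Err(KeyError::InvalidFlag("armored key block; expected one-line OpenSSH public keys".into())); }
    let bad = |l: &str| KeyError::InvalidFlag(format!("malformed authorized_keys line: {l}"));
    let mut keys = Vec::new();
    for line in text.lines().map(str::trim).filter(|l| !l.is_empty() && !l.starts_with('#')) {
        let mut toks = line.split_whitespace();
        let first = toks.next().ok_or_else(|| bad(line))?;
        // A line with no options field starts directly with the key type.
        let (options, key_type) = if first.starts_with("ssh-") || first.starts_with("ecdsa-") || first.starts_with("sk-") { (Vec::new(), first) } else { (split_options(first), toks.next().ok_or_else(|| bad(line))?) };
        let blob_b64 = toks.next().ok_or_else(|| bad(line))?.to_string();
        let comment = Some(toks.collect::<Vec<_>>().join(" ")).filter(|c| !c.is_empty());
        let cert_authority = options.iter().any(|o| o == "cert-authority");
        keys.push(AuthorizedKey { options, cert_authority, key_type: key_type.to_string(), blob_b64, comment });
    }
    Ok(keys)
}
```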

References

  • docs/architecture/client.md — Key Material Format section
  • docs/architecture/server.md — Key Material Format section
  • docs/architecture/decisions/012-auth-ed25519-and-cert-authority.md — authorized_keys format with cert-authority
  • docs/architecture/decisions/011-no-ssh-config-programmatic-api.md — programmatic-first, file paths or in-memory

Notes

To be filled by implementation agent

Summary

To be filled on completion