xpra icon
Bug tracker and wiki

Opened 16 months ago

Closed 5 months ago

#1646 closed defect (fixed)

ssh client integration via paramiko

Reported by: Antoine Martin Owned by: J. Max Mena
Priority: major Milestone: 2.4
Component: client Version: trunk
Keywords: Cc:

Description (last modified by Antoine Martin)

Rather than calling putty plink or ssh, we could rely on paramiko which would give us tighter integration with the ssh authentication, allowing us to do things like:

  • prompt for passphrase or password (see #1645)
  • prompt for host keys
  • give better error messages


This may help with #1421: Xpra-Launcher closes silently after clicking connect - missing feedback until application shows up

Change History (11)

comment:1 Changed 10 months ago by Antoine Martin

Description: modified (diff)
Status: newassigned

comment:2 Changed 9 months ago by Antoine Martin

Milestone: 3.02.4

see also ssh plink fix: r19411

Last edited 8 months ago by Antoine Martin (previous) (diff)

comment:3 Changed 6 months ago by Antoine Martin

Initial support for paramiko ssh added in r19933. It works pretty well and allows us to see meaningful debug messages with -d ssh.
It doesn't ask for password or key passphrases yet and it isn't the default (requires --ssh=paramiko), but individual authentication mechanisms can be turned off for testing, ie:

XPRA_SSH_AGENT_AUTH=0 xpra attach ssh://username:password@ -d ssh --ssh=ssh

Still TODO:

  • we need to either poll + wait for the "run-xpra" command to see if it runs (and risk running it multiple times if it fails) or duplicate the ugly if+else code used by plain ssh, yuk
  • read from stderr and do something with it - maybe just log it
  • socket info assumes we have a real socket (we do, but it's hidden), override the info method for ssh transport
  • GUI for passphrase / password, accepting new / changed host keys (hard because this code runs before the main loop - we may need to exec a utility)
  • disable those prompts when running embedded without a display (ie: proxy backend connections)
  • make it the default, show the alternative in the config file
  • add to macos jhbuild, msys2 installation - deal with py2app and cx_freeze bundling
  • add deb and rpm dependencies
Last edited 6 months ago by Antoine Martin (previous) (diff)

comment:4 Changed 6 months ago by Antoine Martin

See ticket:1892#comment:13 : we should aim to support more login shells than the current ssh / plink solution.

Last edited 6 months ago by Antoine Martin (previous) (diff)

comment:5 Changed 6 months ago by Antoine Martin


  • checks each remote-xpra option
  • reads stderr
  • fixes socket info

comment:6 Changed 6 months ago by Antoine Martin


  • r19938 adds the tty prompts for password and key passphrases.
  • r19941: GUI for confirming host keys
  • r19943: GUI for password and key passphrase input
  • r19945: use "auto" for ssh option, default to paramiko if it is installed - DEB and RPM dependency added (but not for centos7 as this would require EPEL)
  • r19946: better window-size tuning and env vars to configure (window-size, timeout)
  • wiki updates: wiki/SSH, wiki/Network, etc
  • r19950: moved code to a submodule
  • #1920 builtin SSH server support
  • r19960 + r19961 macos jhbuild paramiko module

Still TODO:

  • unit tests
  • maybe the GUI should be fullscreen? grab keyboard / mouse?
  • win32 and macos packaging
  • find a way to make paramiko use the same host keys as openssh, to avoid host key warnings for known hosts when switching over to paramiko
Last edited 6 months ago by Antoine Martin (previous) (diff)

comment:7 Changed 6 months ago by Antoine Martin

platform and compatibility woes:

comment:8 Changed 6 months ago by Antoine Martin

Workaround for installing pynacl on win32:

pacman -S mingw-w64-i686-libsodium
export SODIUM_INSTALL=system
easy_install-3.7 -U -Z pynacl

Applied to setup files in r20009.

comment:9 Changed 6 months ago by Antoine Martin


  • r20008: use ssh logger for ssh initialization errors
  • r20009: build pynacl against the system libsodium library
  • r20011: tell cx_freeze that we need pynacl bundled
  • r20040 + r20041: support code for openssh's ssh.exe binary with --ssh=ssh on ms windows (does not work - refuses to read or write from our pipes it seems), including the ssh-pageant-git would allow it to talk to putty's pagent key agent too
Last edited 5 months ago by Antoine Martin (previous) (diff)

comment:10 Changed 5 months ago by Antoine Martin

Owner: changed from Antoine Martin to J. Max Mena
Status: assignednew
Summary: ssh integrationssh client integration via paramiko

Minor updates:

  • r20137 default to paramiko on macos
  • r20135 better debug output

This ticket should solve non-bash login shell issues, see ticket:1892#comment:16. Note: paramiko is not the default on win32 because plink already provides a GUI there, might as well stick to it, for now anyway.

For server SSH support see #1920, follow up ticket: #1937

@maxmylyn: we now provide a much better UI for SSH connections on macos and Linux (use --ssh="ssh -x" to revert to running openssh in a subprocess), the same UI can be enabled on win32 with --ssh=paramiko.

Last edited 5 months ago by Antoine Martin (previous) (diff)

comment:11 Changed 5 months ago by J. Max Mena

Resolution: fixed
Status: newclosed

Played around with this for a while today as well and everything seems to be behaving nicely - checked with both Fedora and MacOS.

Noted and closing.

Note: See TracTickets for help on using tickets.