Xpra: Ticket #1646: ssh client integration via paramiko
Rather than calling putty plink or ssh, we could rely on paramiko which would give us tighter integration with the ssh authentication, allowing us to do things like:
- prompt for passphrase or password (see #1645)
- prompt for host keys
- give better error messages
etc
This may help with #1421: Xpra-Launcher closes silently after clicking connect - missing feedback until application shows up
Wed, 28 Mar 2018 06:28:23 GMT - Antoine Martin: status, description changed
- status
changed from new to assigned
- description
modified (diff)
Mon, 07 May 2018 05:38:34 GMT - Antoine Martin: milestone changed
- milestone
changed from 3.0 to 2.4
see also ssh plink fix: r19411
Mon, 16 Jul 2018 10:20:36 GMT - Antoine Martin:
Initial support for paramiko ssh added in r19933. It works pretty well and allows us to see meaningful debug messages with -d ssh.
It doesn't ask for password or key passphrases yet and it isn't the default (requires --ssh=paramiko), but individual authentication mechanisms can be turned off for testing, ie:
XPRA_SSH_AGENT_AUTH=0 xpra attach ssh://username:password@127.0.0.1/ -d ssh --ssh=ssh
Still TODO:
- we need to either poll + wait for the "run-xpra" command to see if it runs (and risk running it multiple times if it fails) or duplicate the ugly if+else code used by plain ssh, yuk
- read from stderr and do something with it - maybe just log it
- socket info assumes we have a real socket (we do, but it's hidden), override the info method for ssh transport
- GUI for passphrase / password, accepting new / changed host keys (hard because this code runs before the main loop - we may need to exec a utility)
- disable those prompts when running embedded without a display (ie: proxy backend connections)
- make it the default, show the alternative in the config file
- add to macos jhbuild, msys2 installation - deal with py2app and cx_freeze bundling
- add deb and rpm dependencies
Tue, 17 Jul 2018 09:10:18 GMT - Antoine Martin:
See ticket:1892#comment:13 : we should aim to support more login shells than the current ssh / plink solution.
Tue, 17 Jul 2018 21:51:51 GMT - Antoine Martin:
r19937:
- checks each remote-xpra option
- reads stderr
- fixes socket info
Fri, 20 Jul 2018 08:25:15 GMT - Antoine Martin:
Updates:
- r19938 adds the tty prompts for password and key passphrases.
- r19941: GUI for confirming host keys
- r19943: GUI for password and key passphrase input
- r19945: use "auto" for ssh option, default to paramiko if it is installed - DEB and RPM dependency added (but not for centos7 as this would require EPEL)
- r19946: better window-size tuning and env vars to configure (window-size, timeout)
- wiki updates: wiki/SSH, wiki/Network, etc
- r19950: moved code to a submodule
- #1920 builtin SSH server support
- r19960 + r19961 macos jhbuild paramiko module
Still TODO:
- unit tests
- maybe the GUI should be fullscreen? grab keyboard / mouse?
- win32 and macos packaging
- find a way to make paramiko use the same host keys as openssh, to avoid host key warnings for known hosts when switching over to paramiko
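The last TODO item above comes down to reading OpenSSH's known_hosts format. The following is an added example, not code from xpra or paramiko: a standard-library sketch of that lookup, covering hashed entries, "[host]:port" names, wildcards, negation and @revoked lines. All function names, hosts and key blobs are constructed for illustration, and lines are assumed to be well-formed.

```python
import base64, hashlib, hmac, re

def host_token(host, port=22):
    # OpenSSH lower-cases names and writes non-default ports as "[host]:port"
    return host.lower() if port == 22 else "[%s]:%d" % (host.lower(), port)

def hash_host(token, salt):
    # Same form "ssh-keygen -H" writes: |1|b64(salt)|b64(HMAC-SHA1(salt, token))
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def _pattern_matches(pattern, token):
    if pattern.startswith("|1|"):  # hashed entry: recompute with its salt
        salt = base64.b64decode(pattern.split("|")[2])
        return pattern == hash_host(token, salt)
    # plain entry: "*" and "?" are wildcards, everything else is literal
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, token) is not None

def _line_matches(hosts_field, token):
    pats = hosts_field.split(",")
    if any(p.startswith("!") and _pattern_matches(p[1:], token) for p in pats):
        return False  # a negated pattern vetoes the whole line
    return any(_pattern_matches(p, token) for p in pats)

def check_host_key(text, host, port, keytype, key_b64):
    """Return 'revoked', 'match', 'changed' or 'unknown' for the presented key."""
    token, seen = host_token(host, port), set()
    for line in text.splitlines():
        fields = line.split()
        marker = fields.pop(0) if fields and fields[0].startswith("@") else None
        if len(fields) < 3 or fields[0].startswith("#") or marker == "@cert-authority":
            continue  # blanks, comments, and CA lines (no certificate validation here)
        hosts, ktype, kdata = fields[:3]
        if ktype == keytype and _line_matches(hosts, token):
            if marker != "@revoked":
                seen.add("match" if kdata == key_b64 else "changed")
            elif kdata == key_b64:
                seen.add("revoked")
    return next((r for r in ("revoked", "match", "changed") if r in seen), "unknown")

# Constructed sample data: placeholder blobs, not real keys or hosts
KEY_A, KEY_B, KEY_R = (base64.b64encode(b"constructed-key-" + c).decode() for c in (b"A", b"B", b"R"))
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "%s ssh-ed25519 %s" % (hash_host("build.example.test", b"constructed-salt-000"), KEY_A),
    "[gw.example.test]:2222,*.lab.example.test ssh-ed25519 %s" % KEY_B,
    "@revoked * ssh-ed25519 %s" % KEY_R,
])
```

A client should prompt only on "unknown" and refuse or warn loudly on "changed" and "revoked".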
Sun, 29 Jul 2018 18:01:14 GMT - Antoine Martin:
platform and compatibility woes:
Fri, 03 Aug 2018 13:49:51 GMT - Antoine Martin:
Workaround for installing pynacl on win32:
pacman -S mingw-w64-i686-libsodium
export SODIUM_INSTALL=system
easy_install-3.7 -U -Z pynacl
Applied to setup files in r20009.
Fri, 03 Aug 2018 16:37:03 GMT - Antoine Martin:
Updates:
- r20008: use ssh logger for ssh initialization errors
- r20009: build pynacl against the system libsodium library
- r20011: tell cx_freeze that we need pynacl bundled
- r20040 + r20041: support code for openssh's ssh.exe binary with --ssh=ssh on ms windows (does not work - refuses to read or write from our pipes it seems), including the ssh-pageant-git would allow it to talk to putty's pageant key agent too
Mon, 20 Aug 2018 09:08:39 GMT - Antoine Martin: owner, status, summary changed
- owner
changed from Antoine Martin to J. Max Mena
- status
changed from assigned to new
- summary
changed from ssh integration to ssh client integration via paramiko
Minor updates:
- r20137 default to paramiko on macos
- r20135 better debug output
This ticket should solve non-bash login shell issues, see ticket:1892#comment:16. Note: paramiko is not the default on win32 because plink already provides a GUI there, might as well stick to it, for now anyway.
For server SSH support see #1920, follow up ticket: #1937
@maxmylyn: we now provide a much better UI for SSH connections on macos and Linux (use --ssh="ssh -x" to revert to running openssh in a subprocess), the same UI can be enabled on win32 with --ssh=paramiko.
Fri, 24 Aug 2018 22:41:35 GMT - J. Max Mena: status changed; resolution set
- status
changed from new to closed
- resolution
set to fixed
Played around with this for a while today as well and everything seems to be behaving nicely - checked with both Fedora and MacOS.
Noted and closing.
Tue, 23 Apr 2019 01:45:37 GMT - Antoine Martin:
See also: #1937, #2097, #2448, #2549
Sat, 23 Jan 2021 05:29:59 GMT - migration script:
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1646