Xpra: Ticket #1646: ssh client integration via paramiko

Rather than calling putty plink or ssh, we could rely on paramiko which would give us tighter integration with the ssh authentication, allowing us to do things like:

prompt for passphrase or password (see #1645)
prompt for host keys
give better error messages

etc

This may help with #1421: Xpra-Launcher closes silently after clicking connect - missing feedback until application shows up

Wed, 28 Mar 2018 06:28:23 GMT - Antoine Martin: status, description changed

status changed from new to assigned
description modified (diff)

Mon, 07 May 2018 05:38:34 GMT - Antoine Martin: milestone changed

milestone changed from 3.0 to 2.4

Mon, 16 Jul 2018 10:20:36 GMT - Antoine Martin:

Initial support for paramiko ssh added in r19933. It works pretty well and allows us to see meaningful debug messages with -d ssh. It doesn't ask for password or key passphrases yet and it isn't the default (requires --ssh=paramiko), but individual authentication mechanisms can be turned off for testing, ie:

XPRA_SSH_AGENT_AUTH=0 xpra attach ssh://username:password@127.0.0.1/ -d ssh --ssh=ssh

Still TODO:

we need to either poll + wait for the "run-xpra" command to see if it runs (and risk running it multiple times if it fails) or duplicate the ugly if+else code used by plain ssh, yuk
read from stderr and do something with it - maybe just log it
socket info assumes we have a real socket (we do, but it's hidden), override the info method for ssh transport
GUI for passphrase / password, accepting new / changed host keys (hard because this code runs before the main loop - we may need to exec a utility)
disable those prompts when running embedded without a display (ie: proxy backend connections)
make it the default, show the alternative in the config file
add to macos jhbuild, msys2 installation - deal with py2app and cx_freeze bundling
add deb and rpm dependencies

Tue, 17 Jul 2018 09:10:18 GMT - Antoine Martin:

See ticket:1892#comment:13 : we should aim to support more login shells than the current ssh / plink solution.

Tue, 17 Jul 2018 21:51:51 GMT - Antoine Martin:

r19937:

checks each remote-xpra option
reads stderr
fixes socket info

Fri, 20 Jul 2018 08:25:15 GMT - Antoine Martin:

Updates:

r19938 adds the tty prompts for password and key passphrases.
r19941: GUI for confirming host keys
r19943: GUI for password and key passphrase input
r19945: use "auto" for ssh option, default to paramiko if it is installed - DEB and RPM dependency added (but not for centos7 as this would require EPEL)
r19946: better window-size tuning and env vars to configure (window-size, timeout)
wiki updates: wiki/SSH, wiki/Network, etc
r19950: moved code to a submodule
#1920 builtin SSH server support
r19960 + r19961 macos jhbuild paramiko module

Still TODO:

unit tests
maybe the GUI should be fullscreen? grab keyboard / mouse?
win32 and macos packaging
find a way to make paramiko use the same host keys as openssh, to avoid host key warnings for known hosts when switching over to paramiko

Sun, 29 Jul 2018 18:01:14 GMT - Antoine Martin:

platform and compatibility woes:

r19964 + r19969 + r19971: disable gssapi whilst we import paramiko
r19972: add paramiko to win32 setup - does not build with python 3.x: Gettting 'Exception: ERROR: The 'make' utility is missing from PATH' error while installing pynacl in python 3.7.

Fri, 03 Aug 2018 13:49:51 GMT - Antoine Martin:

Workaround for installing pynacl on win32:

pacman -S mingw-w64-i686-libsodium
export SODIUM_INSTALL=system
easy_install-3.7 -U -Z pynacl

Applied to setup files in r20009.

Fri, 03 Aug 2018 16:37:03 GMT - Antoine Martin:

Updates:

r20008: use ssh logger for ssh initialization errors
r20009: build pynacl against the system libsodium library
r20011: tell cx_freeze that we need pynacl bundled
r20040 + r20041: support code for openssh's ssh.exe binary with --ssh=ssh on ms windows (does not work - refuses to read or write from our pipes it seems), including the ssh-pageant-git would allow it to talk to putty's pagent key agent too

Mon, 20 Aug 2018 09:08:39 GMT - Antoine Martin: owner, status, summary changed

owner changed from Antoine Martin to J. Max Mena
status changed from assigned to new
summary changed from ssh integration to ssh client integration via paramiko

Minor updates:

r20137 default to paramiko on macos
r20135 better debug output

This ticket should solve non-bash login shell issues, see ticket:1892#comment:16. Note: paramiko is not the default on win32 because plink already provides a GUI there, might as well stick to it, for now anyway.

For server SSH support see #1920, follow up ticket: #1937

@maxmylyn: we now provide a much better UI for SSH connections on macos and Linux (use --ssh="ssh -x" to revert to running openssh in a subprocess), the same UI can be enabled on win32 with --ssh=paramiko.

Fri, 24 Aug 2018 22:41:35 GMT - J. Max Mena: status changed; resolution set

status changed from new to closed
resolution set to fixed

Played around with this for a while today as well and everything seems to be behaving nicely - checked with both Fedora and MacOS.

Noted and closing.

Tue, 23 Apr 2019 01:45:37 GMT - Antoine Martin:

Sat, 23 Jan 2021 05:29:59 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1646