#1646 closed defect (fixed)
ssh client integration via paramiko
Reported by: | Antoine Martin | Owned by: | J. Max Mena |
---|---|---|---|
Priority: | major | Milestone: | 2.4 |
Component: | client | Version: | trunk |
Keywords: | Cc: |
Description
Rather than calling putty plink or ssh, we could rely on paramiko which would give us tighter integration with the ssh authentication, allowing us to do things like:
- prompt for passphrase or password (see #1645)
- prompt for host keys
- give better error messages
etc
This may help with #1421: Xpra-Launcher closes silently after clicking connect - missing feedback until application shows up
Change History (12)
comment:1 Changed 3 years ago by
Description: | modified (diff) |
---|---|
Status: | new → assigned |
comment:3 Changed 3 years ago by
Initial support for paramiko ssh added in r19933. It works pretty well and allows us to see meaningful debug messages with `-d ssh`.
It doesn't ask for password or key passphrases yet and it isn't the default (requires `--ssh=paramiko`), but individual authentication mechanisms can be turned off for testing, ie:
```
XPRA_SSH_AGENT_AUTH=0 xpra attach ssh://username:password@127.0.0.1/ -d ssh --ssh=ssh
```
Still TODO:
- we need to either poll + wait for the "run-xpra" command to see if it runs (and risk running it multiple times if it fails) or duplicate the ugly if+else code used by plain ssh, yuk
- read from stderr and do something with it - maybe just log it
- socket info assumes we have a real socket (we do, but it's hidden), override the info method for ssh transport
- GUI for passphrase / password, accepting new / changed host keys (hard because this code runs before the main loop - we may need to exec a utility)
- disable those prompts when running embedded without a display (ie: proxy backend connections)
- make it the default, show the alternative in the config file
- add to macos jhbuild, msys2 installation - deal with py2app and cx_freeze bundling
- add deb and rpm dependencies
comment:4 Changed 3 years ago by
See ticket:1892#comment:13 : we should aim to support more login shells than the current ssh / plink solution.
comment:6 Changed 3 years ago by
Updates:
- r19938 adds the tty prompts for password and key passphrases.
- r19941: GUI for confirming host keys
- r19943: GUI for password and key passphrase input
- r19945: use "auto" for ssh option, default to paramiko if it is installed - DEB and RPM dependency added (but not for centos7 as this would require EPEL)
- r19946: better window-size tuning and env vars to configure (window-size, timeout)
- wiki updates: wiki/SSH, wiki/Network, etc
- r19950: moved code to a submodule
- #1920 builtin SSH server support
- r19960 + r19961 macos jhbuild paramiko module
Still TODO:
- unit tests
- maybe the GUI should be fullscreen? grab keyboard / mouse?
- win32 and macos packaging
- find a way to make paramiko use the same host keys as openssh, to avoid host key warnings for known hosts when switching over to paramiko
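
The "same host keys as openssh" item above comes down to reading OpenSSH's `known_hosts` format, hashed entries included, and classifying the key a server presents before any prompt is shown. A stdlib-only sketch of that check, added here as an illustration: it is not xpra's or paramiko's code, and the function names, key blobs and sample file are constructed.

```python
import base64
import hashlib
import hmac

def hashed_field(host, salt):
    """Build a HashKnownHosts host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern, host):
    """True if a known_hosts host field names `host` (exact names only, no wildcards)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")

def check_host_key(known_hosts_text, host, key_type, key_b64):
    """Classify the key a server presented: 'revoked', 'known', 'changed' or 'new'."""
    seen = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else ""
        if len(fields) < 3 or marker == "@cert-authority":
            continue  # malformed line, or a CA entry (not handled in this sketch)
        hosts, ktype, kdata = fields[:3]
        if marker == "@revoked":
            if kdata == key_b64:
                return "revoked"  # fail closed, whatever host pattern the line carries
            continue
        if ktype == key_type and host_matches(hosts, host):
            # same host and key type: identical blob is known, anything else is a change
            seen.add("known" if kdata == key_b64 else "changed")
    return "known" if "known" in seen else "changed" if "changed" in seen else "new"

# Constructed sample: the key blobs are placeholders, not real keys.
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYA"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYB"
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    "plain.example,192.0.2.10 ssh-ed25519 " + KEY_A + " user@laptop",
    hashed_field("hashed.example", b"constructed-salt-20b") + " ssh-ed25519 " + KEY_A,
    "@revoked * ssh-ed25519 " + KEY_B,
])

if __name__ == "__main__":
    for h, k in [("hashed.example", KEY_A), ("hashed.example", "AAAAother"), ("new.example", KEY_A)]:
        print(h, check_host_key(SAMPLE, h, "ssh-ed25519", k))
```

Only a "new" verdict should lead to an accept-this-key prompt; "changed" and "revoked" are the cases where a client should refuse by default rather than offer a one-click accept.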
comment:7 Changed 2 years ago by
platform and compatibility woes:
- r19964 + r19969 + r19971: disable gssapi whilst we import paramiko
- r19972: add paramiko to win32 setup - does not build with python 3.x: Failing to install on Windows MinGW, Document Compiling On Windows, Gettting 'Exception: ERROR: The 'make' utility is missing from PATH' error while installing pynacl in python 3.7.
comment:8 Changed 2 years ago by
Workaround for installing pynacl on win32:
```
pacman -S mingw-w64-i686-libsodium
export SODIUM_INSTALL=system
easy_install-3.7 -U -Z pynacl
```
Applied to setup files in r20009.
comment:9 Changed 2 years ago by
Updates:
- r20008: use ssh logger for ssh initialization errors
- r20009: build pynacl against the system libsodium library
- r20011: tell cx_freeze that we need pynacl bundled
- r20040 + r20041: support code for openssh's `ssh.exe` binary with `--ssh=ssh` on ms windows (does not work - refuses to read or write from our pipes it seems), including the `ssh-pageant-git` would allow it to talk to putty's pageant key agent too
TODO:
- win32: bundle puttygen and convert putty keys to openssh format as needed using:
```
$ puttygen id_dsa.ppk -O private-openssh -o id_dsa
$ puttygen id_dsa.ppk -O public-openssh -o id_dsa.pub
```
comment:10 Changed 2 years ago by
Owner: | changed from Antoine Martin to J. Max Mena |
---|---|
Status: | assigned → new |
Summary: | ssh integration → ssh client integration via paramiko |
Minor updates:
This ticket should solve non-bash login shell issues, see ticket:1892#comment:16. Note: paramiko is not the default on win32 because plink already provides a GUI there, might as well stick to it, for now anyway.
For server SSH support see #1920, follow up ticket: #1937
@maxmylyn: we now provide a much better UI for SSH connections on macos and Linux (use `--ssh="ssh -x"` to revert to running openssh in a subprocess), the same UI can be enabled on win32 with `--ssh=paramiko`.
comment:11 Changed 2 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Played around with this for a while today as well and everything seems to be behaving nicely - checked with both Fedora and MacOS.
Noted and closing.
see also ssh plink fix: r19411