keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Support MSYS2 ssh-agent sockets on Windows #4681

Open wheybags opened 4 years ago

wheybags commented 4 years ago

Summary

Support using ssh keys from msys installations, like the one which ships with git, or anything else which can connect to an ssh-agent socket.

Context

I use ssh and git on windows through the copy of msys that ships with git (git bash). I can start an ssh-agent there, or I can set the SSH_AUTH_SOCKET environment variable. When I used keeagent, I could set a socket location in keeagent settings, and it would run an ssh agent that I could point at in git bash. I can't currently (to the best of my knowledge) use keepassxc's ssh agent functionality from git bash.

I can see two methods of implementing this:

Apologies if this is a duplicate issue, I did try searching older issues, but I didn't find anything.

droidmonkey commented 4 years ago

Will be in the next release: https://github.com/keepassxreboot/keepassxc/pull/3801

wheybags commented 4 years ago

Ah great, thanks!

hifi commented 4 years ago

Overriding the socket is only supported on non-Windows platforms in develop at this point.

Does MSYS2 use a named pipe like OpenSSH for Windows does?

hifi commented 4 years ago

Did a quick look. Cygwin/MSYS2 sockets are an authentication hack with a temporary text file and a loopback TCP socket.

I'm not really sure if this is in the scope of KeePassXC. An external agent multiplexer that ties together Pageant, OpenSSH for Windows and Cygwin/MSYS2 is probably a better solution here.

You can likely make MSYS2 git use plink.exe (from PuTTY) and use Pageant to connect to git repositories over SSH.

I'll keep this issue open for now if it ends up making sense to add Cygwin/MSYS2 socket support.
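To make hifi's description concrete, here is an added illustration (not code from KeePassXC, MSYS2 or anyone in this thread) of what a Cygwin/MSYS2 "socket" actually is: a plain text file naming a loopback TCP port and a 16-byte secret, followed by a handshake in which each peer sends the secret and then a pid/uid/gid triple before any ssh-agent bytes flow. The file layout (`!<socket >` cookie, port, `s` for stream, secret as four hex words) and the handshake order follow Cygwin's AF_UNIX emulation as I understand it; the stub agent on top, which answers `SSH_AGENTC_REQUEST_IDENTITIES` with an empty key list, and all helper names are my own.

```python
"""Added illustration of Cygwin/MSYS2 'AF_UNIX' emulation (not KeePassXC code): the socket
path is a text file naming a loopback TCP port and a 16-byte secret; both peers present the
secret, then a pid/uid/gid triple, before agent bytes flow. The agent on top is a stub that
only answers SSH_AGENTC_REQUEST_IDENTITIES with an empty list."""
import hmac, os, re, socket, struct, threading

SOCKET_COOKIE = "!<socket >"
_SOCKET_RE = re.compile(r"^!<socket >(\d+) ([sd]) " + "-".join([r"([0-9a-fA-F]{8})"] * 4) + "$")
SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER, SSH_AGENT_FAILURE = 11, 12, 5

def format_socket_file(port, secret):
    """Cygwin's file content: cookie, port, 's' for stream, secret as four little-endian words."""
    return "%s%d s %08x-%08x-%08x-%08x" % ((SOCKET_COOKIE, port) + struct.unpack("<4I", secret))

def parse_socket_file(text):
    m = _SOCKET_RE.match(text.strip())
    if m is None or m.group(2) != "s":
        raise ValueError("not a Cygwin stream socket file")
    return int(m.group(1)), b"".join(struct.pack("<I", int(w, 16)) for w in m.groups()[2:])

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def _cred():  # pid/uid/gid triple; uid/gid fall back to 0 where the OS has none
    return struct.pack("<3I", os.getpid() & 0xFFFFFFFF, getattr(os, "getuid", lambda: 0)(), getattr(os, "getgid", lambda: 0)())

def cygwin_connect(sock, secret):
    """Client half: send the secret, verify the server echoes it, swap credentials."""
    sock.sendall(secret)
    if not hmac.compare_digest(_recv_exact(sock, 16), secret):
        raise ConnectionError("server secret mismatch")
    sock.sendall(_cred())
    return struct.unpack("<3I", _recv_exact(sock, 12))

def cygwin_accept(conn, secret):
    """Server half: a peer that found the loopback port but not the file is dropped here."""
    if not hmac.compare_digest(_recv_exact(conn, 16), secret):
        raise ConnectionError("client presented wrong secret")
    conn.sendall(secret)
    peer = struct.unpack("<3I", _recv_exact(conn, 12))
    conn.sendall(_cred())
    return peer

def agent_serve_one(conn, secret):
    """Authenticate one client, answer one agent message (stub: zero identities), close."""
    try:
        cygwin_accept(conn, secret)
        msg = _recv_exact(conn, struct.unpack(">I", _recv_exact(conn, 4))[0])
        if msg[:1] == bytes([SSH_AGENTC_REQUEST_IDENTITIES]):
            body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 0)
        else:
            body = bytes([SSH_AGENT_FAILURE])
        conn.sendall(struct.pack(">I", len(body)) + body)
        return True
    except ConnectionError:
        return False
    finally:
        conn.close()

def agent_list_keys(sock, secret):
    """Client: handshake, then REQUEST_IDENTITIES; returns the number of keys offered."""
    cygwin_connect(sock, secret)
    sock.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
    reply = _recv_exact(sock, struct.unpack(">I", _recv_exact(sock, 4))[0])
    if reply[:1] != bytes([SSH_AGENT_IDENTITIES_ANSWER]):
        raise RuntimeError("agent returned failure")
    return struct.unpack(">I", reply[1:5])[0]

def exchange_over_socketpair(server_secret, client_secret):
    """Whole exchange without a listener (socketpair); None means the secret check failed."""
    srv, cli = socket.socketpair()
    t = threading.Thread(target=agent_serve_one, args=(srv, server_secret))
    t.start()
    try:
        return agent_list_keys(cli, client_secret)
    except ConnectionError:
        return None
    finally:
        cli.close()
        t.join()

def demo_loopback():
    """What MSYS2 really does: 127.0.0.1 listener plus the socket-file text (kept in memory here)."""
    secret = os.urandom(16)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    socket_file = format_socket_file(listener.getsockname()[1], secret)  # Cygwin writes this to the path
    t = threading.Thread(target=lambda: agent_serve_one(listener.accept()[0], secret))
    t.start()
    port, parsed = parse_socket_file(socket_file)
    with socket.create_connection(("127.0.0.1", port)) as s:
        keys = agent_list_keys(s, parsed)
    t.join()
    listener.close()
    return socket_file, keys

if __name__ == "__main__":
    print(demo_loopback())
```

The security point of the handshake is visible in `cygwin_accept`: any local process can connect to the loopback port, so the only thing separating a legitimate client from a stranger is whether it could read the secret out of the socket file. That is why the file's permissions matter as much as they would for a real Unix socket, and why an agent that wants to support MSYS2 clients has to implement this exchange rather than just listen on a named pipe.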

Okeanos commented 3 years ago

As a workaround you can use the Windows 10 OpenSSH agent introduced sometime before version 1803. This involves messing with Git Bash a little, though, and has to be (partially) redone each time you update Git Bash.

Now delete stuff from Git Bash (note that you should NOT delete %ProgramFiles%\Git\usr\bin\ssh-copy-id, though, as there is no Windows supplied alternative):

%ProgramFiles%\Git\usr\bin\ssh-add.exe
%ProgramFiles%\Git\usr\bin\ssh-agent.exe
%ProgramFiles%\Git\usr\bin\ssh-keygen.exe
%ProgramFiles%\Git\usr\bin\ssh-keyscan.exe
%ProgramFiles%\Git\usr\bin\ssh-pageant.exe
%ProgramFiles%\Git\usr\bin\ssh.exe
%ProgramFiles%\Git\usr\bin\sshd.exe

There are a couple of additional issues with this workaround beyond the "repeat after update"-thing, though, as Windows 10 OpenSSH is seriously outdated (PowerShell/Win32-OpenSSH/issues/1693) and suffers from things you may or may not experience due to that such as PowerShell/Win32-OpenSSH/issues/1322, PowerShell/Win32-OpenSSH/issues/1172, PowerShell/Win32-OpenSSH/issues/1515. Additionally, if you do (not) decide to remove the Git Bash bundled SSH binaries, some unrelated tooling may break (see git-for-windows/git/issues/1683).

For me personally it was kind of fine to be honest regardless of the linked issues 🤷‍♂️ .

Okeanos commented 2 years ago

Git for Windows 2.33.0 was recently released; it allows selecting an arbitrary non-bundled SSH version, e.g. the Win32 one shipped by Windows 10.

With that in place, using KeePassXC as a source of SSH Keys for Git for Windows becomes trivial. Imho that is a workaround close enough to a fix to this issue.
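Putting the two workarounds above together, here is an added example (my own, not from KeePassXC, Git for Windows or this thread) of the variant that does not require deleting the Git Bash binaries: point git at the Windows OpenSSH client through the `core.sshCommand` setting, which git has honoured since 2.10 and which works on any Git for Windows version, and make sure the Windows ssh-agent service is running, since that is the agent KeePassXC's SSH Agent integration can feed on Windows. It assumes Windows 10 1803 or later with the "OpenSSH Client" optional feature installed and is run from an elevated PowerShell.

```powershell
# Added example: use the Windows OpenSSH client (and its ssh-agent service) from Git for Windows.
# Assumes the OpenSSH Client optional feature is installed; run elevated for Set-Service/Start-Service.

$sshDir = Join-Path $env:SystemRoot 'System32\OpenSSH'
$ssh    = Join-Path $sshDir 'ssh.exe'
if (-not (Test-Path $ssh)) {
    throw "Windows OpenSSH client not found at $ssh; install the 'OpenSSH Client' optional feature first."
}

# 1. The Windows agent is a service ("OpenSSH Authentication Agent"); it is disabled by default.
Set-Service   -Name ssh-agent -StartupType Automatic
Start-Service -Name ssh-agent
Get-Service   -Name ssh-agent | Select-Object Status, StartType

# 2. Make git call the Windows ssh.exe instead of the MSYS2 build bundled with Git for Windows.
#    Forward slashes avoid quoting trouble in git's config parser.
git config --global core.sshCommand ($ssh -replace '\\', '/')

# 3. Verify: git must report the Windows client, and the Windows ssh-add must reach the agent
#    over its named pipe. With KeePassXC unlocked and a key entry set to "Add key to agent",
#    the key shows up here; a locked database or no configured keys gives
#    "The agent has no identities."
git config --global --get core.sshCommand
& (Join-Path $sshDir 'ssh-add.exe') -l

# 4. Smoke test against a host you already use; replace the host name with your own.
& $ssh -T git@example.invalid
```

Note that only the Windows `ssh.exe` talks to the named pipe. The `ssh-add` bundled with Git Bash still looks for `SSH_AUTH_SOCK`, so running it inside Git Bash will keep reporting no agent; that mismatch is exactly what this issue asks KeePassXC to bridge.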

Okeanos commented 2 years ago

Somewhat related to this issue I stumbled across Win32-OpenSSH#1761 – there are ideas to support Unix SSH_AUTH_SOCK compatible output from Windows OpenSSH. This may be another workaround/alternative solution to the Git For Windows + ssh-agent socket problem in the future.

Okeanos commented 1 year ago

Even though I am loath to bump this again: KeePass + KeeAgent offer a SSH Agent solution that can replace both the Windows OpenSSH Agent as well as the Git-Bash OpenSSH Agent and provide SSH keys to both at the same time.

How is this different from just using the Windows OpenSSH Agent in Git-Bash (and everywhere else) you might ask? Well, Windows OpenSSH has some very uncomfortable bugs (such as this one, still occurs even though it says fixed) that render it unusable/unreliable in a lot of cases. That means using KeePassXC with SSH on Windows becomes unreliable and as a result I have to retract my previous statement that using Windows OpenSSH is a "workaround close enough to a fix".

Personally, I like KeePassXC way better than plain KeePass, particularly because of the way superior Browser integration and technically the native SSH support (Putty is not an option for me personally), but not having reliable SSH is a huge problem for me. Is there any way that some of the magic happening in KeeAgent (that offers support for Pseudo-Linux-Sockets along with Windows Named Pipes) can be replicated here? Is there something that can be done to facilitate that beyond providing an implementation as PR?

Edit: There's also the wsl-agent-bridge that apparently transforms the Windows OpenSSH output into a (WSL compatible) Pseudo-Linux-Socket, as well as wsl-ssh-pageant, which apparently does something similar.

Okeanos commented 11 months ago

There exists an open PR for Windows OpenSSH to support the previously mentioned Unix sockets. Let's see how that plays out.

I also recently stumbled across OmniSSHAgent that may be of interest here.