search

sassoftware / vscode-sas-extension

This SAS Extension for Visual Studio Code provides support for the SAS language, including features such as SAS syntax highlighting, code completion, hover help, code folding, outline, SAS code snippets and run SAS code.
https://sassoftware.github.io/vscode-sas-extension/
Apache License 2.0
117 stars 47 forks source link

[SSH connection] Fallback auth when SSH_AUTH_SOCK unavailable #1059

Open chunky opened 3 months ago

chunky commented 3 months ago

Is your feature request related to a problem? Please describe.

I'm in a Windows-heavy environment with Linux servers running 9.4, and IOM is unavailable. My userbase are highly skilled statisticians/economists/researchers, not really interested in messing around with environment variables or "arcane ssh stuff".

On Windows in particular, ssh-agent and setting environment variables are high-friction. I am reasonably expecting my users to have git [including git-bash and ssh/ssh-agent/etc] installed, but not any other SSH client. Some of them have PuTTY and PuTTY Keys configured, but that's much less common.

Current (Disliked) Workflow

Currently the process looks like this:

  1. One-time setup:
    1. Use the windows control panel for environment variables to set SSH_AUTH_SOCK to c:/Users/$USER/ssh.sock
    2. Create a 9.4 SSH profile for SAS, in VS Code.
  2. Every time they log in:
    1. Open git-bash
    2. Run ssh-agent -a /c/Users/$USER/ssh.sock
    3. Run ssh-add

Which is a little heavy on magick, highly error-prone, and a bunch more steps than most analysts enjoy repeating. One option is to try and have VS code execute the one-off stuff on startup using a task, but that seems brittle and hard to debug.

Describe the solution you'd like

The ssh2 npm module that this plugin uses can take a "password" item in the configuration. The function getSession in client/src/connection/ssh/index.ts:24 could be edited to ask for a password, if the SSH_AUTH_SOCK environment variable isn't set. Notionally:

export function getSession(c: Config): Session {
  if(!sessionInstance) {
      if (!process.env.SSH_AUTH_SOCK) {
        c.password = await createInputTextBox(ProfilePromptType.ClientSecret, c.password, true);
      }
      sessionInstance = new SSHSession();
      sessionInstance.config = c;
  }
  return sessionInstance;
}

Then, around line 71 in the same file, add password: this._config.password to the relevant configuration creation.

Describe alternatives you've considered

Use npm ssh2's authhandler to ask for a password as a fallback

According to this documentation, you can stuff some additional items into the authHandler when connecting: https://www.npmjs.com/package/ssh2#client

The last example there provides a callback for use as a keyboard-interactive authhandler.

I think this is the best solution, if it works; for example, on servers that don't allow keyboard-interactive, the prompt never appears. And if SSH_AUTH_SOCK is set, but ssh keys haven't been added to the agent, then this approach will still do the right thing. My proposed solution above doesn't work, if the env.var is set but it doesn't have the key. And moving the prompt to run every time is super annoying, if the ssh agent + keys are working.

I didn't primarily suggest this because I don't know the VS Code ecosystem enough to know if this is feasible.

Allow user to specify a ssh key as part of their SAS profiles

The ssh2 module, as one of its authhandlers, lets you specify a private key. This could be an optional item that users can add to specific profiles in their SAS config, eg:

"SAS.connectionProfiles": {
   "pandora_ssh": {
       "connectionType": "ssh",
       "host": "pandora.rand.org",
       "saspath": "/usr/local/sas/bin/sas_en",
       "username": "chunky",
       // This line is new
       "identityfile": "c:/Users/chunky/.ssh/id_dsa"
   }
}

I didn't suggest this solution primarily because, if the users have passwords on their identity file, there isn't a password prompt mechanism available [and the JSON config shouldn't afford people adding a passphrase]

Environment

SAS version 9.4 on Linux. Windows 10 clients.

scnwwu commented 3 months ago

If you're following the steps in https://sassoftware.github.io/vscode-sas-extension/Configurations/Profiles/sas9ssh#windows The steps are all one-time setup. The ssh-agent is running as a service and you don't need to repeat any steps in daily connection.

Feature request for password auth is tracked in #294

chunky commented 3 months ago

I had found that documentation, but there are two difficulties:

  1. One of the predicates on the "Get OpenSSH Installed" page linked is that "users are in the administrators group", which is not usually true across our environment.
    • And getting it installed, for users who don't have admin rights, is challenging.
  2. That's quite a lot of one-time setup; my users will shy away from anything that requires much setup, and go back to their current processes
    • Adding a "request a password on first session connect" to the VS Code plugin is zero setup for the user, hence this recommendation

That feature request for password auth is now more than a year old, which makes me worry it's backburnered. I'm in the process of trying to raise the SAS VS Code Plugin as an option right now; if I don't succeed in making this easy in the next weeks/months, then for budget and project-management reasons I don't have an opportunity to try again for the next couple years.

chunky commented 3 months ago

Update: I tried following the instructions provided, since my user can elevate to administrative privileges.

Our organisation has disabled the windows store enterprise-wide. No-one here is able to use windows "optional features", so there's no way to install the recommended SSH components.