tmds / Tmds.Ssh

.NET SSH client library
MIT License

Support User Principal Name usernames in connection string #189

Closed jborean93 closed 4 months ago

jborean93 commented 4 months ago

OpenSSH supports using a UPN in the connection string in the format username@REALM@ssh-host. The current logic splits at the first @, so the username in the above would be username and the hostname would be REALM@ssh-host. Currently you have to set the explicit UserName property, but it would be nice if the connection string parser would work like the ssh binary does.

tmds commented 4 months ago

I was thinking something similar while we were discussing the kerberos credential.

I think we should store the realm in a separate property from UserName, like UserDomainName.

jborean93 commented 4 months ago

I'm not sure what the benefits of having a separate domain/realm property are; ultimately it's just a form of the username that is sent to the remote host. For GSSAPI/Kerberos authentication on Linux it doesn't control what cached credential is used, just the remote target you are going to authenticate to.

tmds commented 4 months ago

I think it makes sense for the credential type to determine if it uses UserDomainName.

// Each credential type decides for itself whether UserDomainName applies.
var settings = new SshClientSettings("ssh.host.com")
{
    Credentials = [ new PrivateKeyCredential("~/.ssh/id_rsa"), new KerberosCredential() ]
};

Here PrivateKeyCredential wouldn't use UserDomainName, and KerberosCredential would.

tmds commented 4 months ago

It also provides an easy way to detect if a realm was included.

tmds commented 4 months ago

I'm looking at the OpenSSH code, and I don't see it try to understand the realm part. So, we can behave accordingly, and just store this in UserName.

jborean93 commented 4 months ago

It also provides an easy way to detect if a realm was included.

I'm not sure we need to know about that, we just treat the username provided as an opaque value that is provided to the server.

I'm looking at the OpenSSH code, and I don't see it try to understand the realm part. So, we can behave accordingly, and just store this in UserName.

Yep, they don't use the username for any local actions; it's just provided to the server as is. This issue is trying to provide parity with the ssh command line, where I can do ssh username@REALM.COM@target-host and username@REALM.COM is provided as the user name value in the authentication messages for the target server to parse. Right now the only way this is possible is by explicitly providing the UserName property rather than taking advantage of the connection string parser.
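The parsing rule the thread converges on is: split the destination at the last '@' rather than the first, treat everything before it (realm included) as the opaque user name to hand to the server, and interpret nothing locally. The following C# is an added example of such a parser written for this page; it is not Tmds.Ssh code, and the name ParseDestination and the tuple it returns are assumptions.

```csharp
using System;

static class DestinationParser
{
    // Splits an ssh-style destination "host", "user@host" or "user@REALM@host"
    // into (UserName, Host). The user name is everything before the LAST '@',
    // so "username@REALM.COM@target-host" gives UserName = "username@REALM.COM",
    // which is passed to the server as-is, like the ssh binary does.
    // A missing user part yields null so the caller can apply its default.
    // Added example; not part of the Tmds.Ssh library.
    public static (string? UserName, string Host) ParseDestination(string destination)
    {
        if (string.IsNullOrWhiteSpace(destination))
            throw new ArgumentException("destination must not be empty", nameof(destination));

        int at = destination.LastIndexOf('@');
        if (at < 0)
            return (null, destination);   // plain "host": no user name given

        string user = destination.Substring(0, at);
        string host = destination.Substring(at + 1);

        // "@host" and "user@" are malformed; an empty user or host is rejected
        // rather than silently sent to the server.
        if (user.Length == 0 || host.Length == 0)
            throw new FormatException($"invalid destination '{destination}'");

        return (user, host);
    }

    static void Main()
    {
        // Constructed sample destinations covering the three shapes from the thread.
        string[] samples =
        {
            "target-host",
            "username@target-host",
            "username@REALM.COM@target-host",
        };

        foreach (string d in samples)
        {
            var (user, host) = ParseDestination(d);
            Console.WriteLine($"{d,-33} user={user ?? "<default>"} host={host}");
        }
    }
}
```

Splitting at the last '@' is what makes the realm form work: "username@REALM.COM" survives intact as the user name and "target-host" is the host, whereas a first-'@' split would hand "REALM.COM@target-host" to the connection as the host name. Nothing in the realm is inspected locally, matching the observation above that on Linux the cached Kerberos credential is chosen independently of it.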