winfsp / sshfs-win

SSHFS For Windows
https://winfsp.dev

Include support for Pageant #78

Open x11x opened 5 years ago

x11x commented 5 years ago

Hi, thanks for your hard work on this project. I have been playing around trying to get sshfs to work with Pageant using ssh-pageant without a Cygwin installation (just with what is included in this project). I placed ssh-pageant.exe in the same directory as sshfs.exe so it can use the bundled Cygwin DLLs. By manually setting the SSH_AUTH_SOCK environment variable in a cmd.exe shell, I was able to get the bundled ssh.exe to work, however sshfs.exe would not. It seems like it should work, although ssh-pageant.exe's use is very POSIX-shell based (it exports bash code that is meant to be evaled), so I'm a bit unclear about how this should work without a POSIX shell. I will install a full Cygwin environment and try -- it seems like this should work (haven't tried it yet though). However, since sshfs ships with its own Cygwin environment, it would be nice if it could include support for Pageant without having to also install bash, perhaps with a command-line switch of some kind (I'm not sure of the specifics of how this should work). Lots of Windows users who are not using a full Cygwin bash environment would probably be using PuTTY/Pageant for SSH, so integration with these tools seems important. Would this be feasible? Thanks again.

EDIT: it's possible I'm actually experiencing #74 and that what I have done should work after all.

billziss-gh commented 5 years ago

I just read a bit about pageant.

I am wondering if it is something that we should include with SSHFS-Win, especially if it needs bash support, etc. Perhaps a better alternative is to build a Cygwin environment and build SSHFS in it. All necessary changes to get SSHFS to run in Windows have now been included in the mainline SSHFS project.

x11x commented 5 years ago

Sorry for the delay in replying. Long post below, just sharing everything I've found out about this issue. Probably not much of this is necessarily actionable for SSHFS-Win. I think my comments were a bit misleading and I may have confused myself re the requirement on Bash.

tl;dr - Bash is not a requirement for ssh-pageant. It seems ssh-pageant should work with SSHFS-Win but I could not get it to. I have not yet tried running SSHFS-Win in a full Cygwin environment but that is probably the next step in this issue (SSHFS is not a top priority for me so I have not had time to try that yet). So this could be a bug in SSHFS-Win (maybe related to #74, as I mentioned above) or maybe I've simply not set everything up correctly. Either way, it's questionable whether SSHFS-Win needs to support this, especially as the Cygwin support is upstreamed, as you noted.

Assuming we could get ssh-pageant to work with SSHFS-Win out of the box (without building in a full Cygwin environment), I have some ideas (optional enhancement requests) of how SSHFS-Win could simplify this integration if anyone is interested in this feature, but this is not necessary. I may be able to have a go at PRs for these enhancements but probably not at the moment as I don't have time and, again, I have not been able to get ssh-pageant to work with SSHFS-Win anyway.

Putting aside PuTTY/Pageant support, you may have noticed there are now official native Windows builds of OpenSSH available from the PowerShell team (and OpenSSH can even be installed using the Add/Remove Programs and Features Windows settings). So maybe this is the one to support in the future rather than PuTTY/Pageant... (maybe that needs a separate issue).

(extra info about ssh-agents and my suggestions below, in case it helps anyone...)

What I have learnt about ssh agents: SSH agents in Unix do not require Bash; all they need is a Unix socket and an environment variable (SSH_AUTH_SOCK) set to the path to the socket. The OpenSSH programs (ssh, ssh-add etc.) communicate over this socket with the agent to get key material for authentication. The agent stores the decrypted private keys in memory (users must load their keys into the agent either manually or in some cases automatically; the agent decrypts them by prompting the user for a password, ..). Bash is simply used to bootstrap all this -- the ssh-agent tool generates a small snippet of shell code to be evaluated by the user's shell, e.g. in their .bashrc file -- basically exporting the SSH_AUTH_SOCK environment variable for the other ssh tools to use.

Pageant is the agent program for the PuTTY ssh/telnet/... Windows client/tty emulator. It works in a similar way (I believe) but using a different IPC protocol to OpenSSH and not using Unix sockets as it is a Windows native program (probably it is using named pipes, which are supported on Windows; not an expert on this).

ssh-pageant, which I mentioned above, is a small "glue" program to bridge a running Pageant agent to OpenSSH tools running in a Cygwin environment. As I said above, I was able to get this to work with the ssh.exe bundled with SSHFS-Win, but not with sshfs.exe, which is why I opened this issue. I'm guessing it is something to do with the complexities of how Cygwin implements Unix sockets and how these interoperate with the native Windows named pipes or TCP sockets or however it is done (I have not researched this).

Suggestions for integration (assuming we can get ssh-pageant to work): ssh-pageant supports an -a option allowing you to specify a path to the socket. SSHFS-Win could:

1) check for the presence of the ssh-pageant.exe program either on the PATH or in the same directory as sshfs.exe (users would simply need to download that exe from the GitHub repo linked and drop it into the SSHFS-Win program files directory or onto the path somewhere);
2) if sshfs-win finds ssh-pageant, generate a tempdir similar to how it's done in ssh-pageant;
3) invoke ssh-pageant.exe -r -a TMPDIR where TMPDIR is the generated tempdir;
4) export the SSH_AUTH_SOCK variable pointing to the socket in the known temporary directory.

I believe the temporary directory is not necessary and you could just as well use a known path (e.g. inside %LOCALAPPDATA% or wherever seems appropriate).

Security concerns: Since the ssh-agent is storing and communicating the user's private keys, it's important that permissions are set correctly on the socket. I am very unfamiliar with Windows access controls and how they work with Cygwin and would not be confident recommending anything. But how it works in Unix is (I think) the SSH_AUTH_SOCK is restricted to the user from whose shell session it was started (I think 0600 or 0660 permissions are all that's needed). It should not be world readable I guess. So as long as the same can be implemented in Windows, there is no danger in having a well-known path to the socket.
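The four integration steps and the permission concern above, carried through as a POSIX shell script for a Cygwin shell. This is an added example, not SSHFS-Win or ssh-pageant code; it assumes the ssh-pageant options -r and -a exactly as named in the comment, and the sshfs install directory passed to start_agent_bridge is a placeholder.

```shell
#!/bin/sh
# Added example (not SSHFS-Win code): bootstrap SSH_AUTH_SOCK for sshfs.exe
# via ssh-pageant, following the four steps suggested above. Assumes the
# ssh-pageant options -r (reuse socket) and -a <path> named in the comment.

# Step 1: look for ssh-pageant.exe beside the sshfs binary, then on PATH.
find_ssh_pageant() {
    sshfs_dir=$1
    if [ -x "$sshfs_dir/ssh-pageant.exe" ]; then
        printf '%s\n' "$sshfs_dir/ssh-pageant.exe"
        return 0
    fi
    command -v ssh-pageant.exe 2>/dev/null && return 0
    return 1
}

# Step 2: create an owner-only directory for the socket (mktemp -d already
# uses mode 700; the chmod makes the intent explicit).
make_agent_dir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/sshfs-agent.XXXXXX") || return 1
    chmod 700 "$dir" && printf '%s\n' "$dir"
}

# Security check from the comment: the socket and its directory must not be
# group- or world-accessible. Returns 0 only for mode 700/600 (GNU stat).
check_private_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        700|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Steps 3 and 4: start the bridge on a socket inside the private directory
# and export SSH_AUTH_SOCK. ssh-pageant prints shell assignments, which we
# eval, exactly as a user would do by hand in a Cygwin shell.
start_agent_bridge() {
    sshfs_dir=$1
    pageant=$(find_ssh_pageant "$sshfs_dir") || { echo "ssh-pageant.exe not found" >&2; return 1; }
    dir=$(make_agent_dir) || return 1
    sock="$dir/agent.sock"
    eval "$("$pageant" -r -a "$sock")" || return 1
    export SSH_AUTH_SOCK="$sock"
    check_private_mode "$dir" && check_private_mode "$sock"
}

# Usage (placeholder path, not run here):
#   start_agent_bridge "/cygdrive/c/Program Files/SSHFS-Win/bin"
# then run sshfs.exe from the same shell so it inherits SSH_AUTH_SOCK.
```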

shawnz commented 5 years ago

One solution would be to enable the use of plink.exe, which is provided with PuTTY, as the SSH binary. It is a drop-in replacement for ssh.exe which supports the use of Pageant. However, due to issue #86 I believe this is not currently possible. Although I haven't tested this specific configuration so you might want to investigate yourself.

jupsoleil commented 5 years ago

+1 Support of keys is required for me, since many of my servers have password authentication disabled.

bersbersbers commented 3 years ago

Dupe of #267 which offers a solution.