ssh woes on windows
mhammond at skippinet.com.au
Wed Jul 30 06:12:01 BST 2008
A month ago, you wrote:
> My best guess is that your key isn't properly uploaded to Launchpad.
> Looking here:
> I only see a "ssh-dss" public key, which I believe is a "DSA" key, not
> an RSA key. And IIRC, Launchpad no longer allows access via DSA keys.
Yes, something was a little strange with my keys on launchpad, and that does explain much of the strangeness I saw. I've since experimented in a much more "controlled" environment with the state of bzr and ssh on Windows.
> I like using ssh.exe because I have it configured already. It knows
> usernames I'm going to be using to access different hosts (jameinel
> here, jam, there, bzr_conversion on that machine.) It knows if I have 3
> different keys and I want to use a different one for each host. (Though
> with any agent, you pretty much just load all your keys in, and then go
> from there.)
> Both paramiko and ssh are able to prompt for the passphrases on my
Yeah, I've found that paramiko does correctly prompt for your passphrase in the same way as using ssh explicitly (i.e., only the key that will actually be used is prompted). However, I have found one critical difference - paramiko seems unable to use (cygwin's) ssh-agent on Windows. I recently sent a mail to the paramiko list, but the short story is that once ssh-agent is set up correctly, BZR_SVN=ssh will use the agent, while BZR_SVN=paramiko will still prompt for the passphrase, just as ssh itself does if the agent isn't running.
FWIW, Paramiko will automatically try *both* the pageant keys and the default id_dsa/id_rsa keys.
So - getting back to the original point of this mail - what should the default ssh implementation be on Windows? If paramiko supported ssh-agent, it's obvious to me that paramiko should be the default. Would you agree?
But - given the state of things today, whatever we choose, someone potentially "loses" (i.e., needs to explicitly change BZR_SVN):
* If we choose 'search for ssh, fallback to paramiko', the person who uses pageant to manage their keys but also has ssh.exe on their path will need to set BZR_SSH=paramiko (or plink), else they will see a cryptic error message ("ERROR: Connection closed...") and the operation will fail.
* If we choose paramiko, the person using ssh-agent must set BZR_SSH=ssh, otherwise they will be prompted each time for their passphrase - but once supplied, the operation will succeed.
The way I see things is:
* Windows users are far more likely to use pageant to manage their keys, but there is also a reasonable chance a copy of ssh.exe will be found on PATH (it is for me ;)
* In the failure scenarios above, the person using ssh-agent still works - just not optimally. However, the person using pageant fails to work at all, and there isn't a clear indication how the problem should be fixed for them.
All of which leads me to the conclusion that even without ssh-agent support, paramiko should still be the default ssh implementation. Is there something I've missed in the above? Any other thoughts?
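The default proposed in the mail above, written out as an added sketch that is not part of the original message and is not bzr's own code: an explicit BZR_SSH always wins, Windows defaults to paramiko even when ssh.exe is on PATH, and a hint function names the two agent mismatches the mail describes. The function names, the pageant_running flag and the hint wording are assumptions made for illustration.

```python
import os
import shutil
import sys

# Vendor names are the BZR_SSH values mentioned in the mail.
VENDORS = ("ssh", "paramiko", "plink")


def choose_vendor(environ=None, platform=None, which=shutil.which):
    """Return (vendor, reason) under the default proposed in the mail."""
    environ = os.environ if environ is None else environ
    platform = sys.platform if platform is None else platform
    explicit = environ.get("BZR_SSH", "").strip().lower()
    if explicit:
        if explicit not in VENDORS:
            raise ValueError("unsupported BZR_SSH value: %r" % explicit)
        return explicit, "BZR_SSH set explicitly"
    if platform.startswith("win"):
        # Proposal: never auto-pick ssh.exe on Windows, even if it is on PATH.
        return "paramiko", "Windows default"
    if which("ssh"):
        return "ssh", "ssh found on PATH"
    return "paramiko", "fallback"


def windows_agent_hint(vendor, environ, pageant_running):
    """Name the two Windows mismatches the mail describes, or return None.

    pageant_running is supplied by the caller (hypothetical input; how it
    is detected is outside this sketch). SSH_AUTH_SOCK is the variable
    ssh-agent exports for its clients.
    """
    agent_sock = "SSH_AUTH_SOCK" in environ
    if vendor == "ssh" and pageant_running and not agent_sock:
        return ("ssh cannot see keys held by Pageant; expect 'Connection "
                "closed'. Set BZR_SSH=paramiko (or plink).")
    if vendor == "paramiko" and agent_sock and not pageant_running:
        return ("paramiko will not use ssh-agent here and will prompt for "
                "the passphrase. Set BZR_SSH=ssh to use the agent.")
    return None


if __name__ == "__main__":
    vendor, reason = choose_vendor()
    print(vendor, "-", reason)
    print(windows_agent_hint(vendor, os.environ, False) or "no hint")
```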