ssh woes on windows

Mark Hammond mhammond at
Wed Jul 30 06:12:01 BST 2008

Hi John,

A month ago, you wrote:

> My best guess is that your key isn't properly uploaded to Launchpad.
> Looking here:
> I only see a "ssh-dss" public key, which I believe is a "DSA" key, not
> an RSA key. And IIRC, Launchpad no longer allows access via DSA keys.

Yes, something was a little strange with my keys on launchpad, and that does explain much of the strangeness I saw.  I've since experimented in a much more "controlled" environment with the state of bzr and ssh on Windows.

> I like using ssh.exe because I have it configured already. It knows what
> usernames I'm going to be using to access different hosts (jameinel
> here, jam, there, bzr_conversion on that machine.) It knows if I have 3
> different keys and I want to use a different one for each host. (Though
> with any agent, you pretty much just load all your keys in, and then go
> from there.)
> Both paramiko and ssh are able to prompt for the passphrases on my keys.

Yeah, I've found that paramiko does correctly prompt for your passphrase in the same way as using ssh explicitly (i.e., only the key that will actually be used is prompted).  However, I have found one critical difference - paramiko seems unable to use (cygwin's) ssh-agent on Windows.  I recently sent a mail to the paramiko list, but the short story is that once ssh-agent is set up correctly, BZR_SVN=ssh will use the agent, while BZR_SVN=paramiko will still prompt for the passphrase, just as ssh itself does if the agent isn't running.

FWIW, Paramiko will automatically try *both* the pageant keys and the default id_dsa/id_rsa keys.

So - getting back to the original point of this mail - what should the default ssh implementation be on Windows?  If paramiko supported ssh-agent, it's obvious to me that paramiko should be the default.  Would you agree?

But - given the state of things today, whatever we choose, someone potentially "loses" (i.e., needs to explicitly change BZR_SVN):

* If we choose 'search for ssh, fallback to paramiko', the person who uses pageant to manage their keys but also has ssh.exe on their path will need to set BZR_SSH=paramiko (or plink), else they will see a cryptic error message ("ERROR: Connection closed...") and the operation will fail.

* If we choose paramiko, the person using ssh-agent must set BZR_SSH=ssh, otherwise they will be prompted each time for their passphrase - but once supplied, the operation will succeed.

The way I see things is:

* Windows users are far more likely to use pageant to manage their keys, but there is also a reasonable chance a copy of ssh.exe will be found on PATH (it is for me ;)

* In the failure scenarios above, the person using ssh-agent still works - just not optimally.  However, the person using pageant fails to work at all, and there isn't a clear indication how the problem should be fixed for them.

All of which leads me to the conclusion that even without ssh-agent support, paramiko should still be the default ssh implementation.  Is there something I've missed in the above?  Any other thoughts?


