Pageant plus paramiko problems
Martin Packman
martin.packman at canonical.com
Wed Nov 9 17:45:06 UTC 2011
Bazaar has had a number of reports about bad interaction between
Pageant[1] and paramiko[2] resulting in either "lost ssh-agent" or
access denied on a .pag file.
The various bug entries[3] are a little confused, but several
different causes are listed:
* Using 64-bit windows
* Having run Pageant as an administrator
* Using bzr from an elevated console
* Unclear and not reproducible
The problems all stem from the slightly funky IPC mechanism Pageant
uses, and differences in the paramiko implementation of it. To talk to
the agent, the client looks for the 'Pageant' window, writes to a
mapped file, passes the name of the mapping as a message to the
agent's window, and when the (synchronous) call returns, reads the
result back from the same mapping.
The paramiko implementation has a few notable differences from the
client code in the PuTTY project. Rather than using a named mapping
backed only by the pagefile, it uses an actual temporary file on disk.
Prior to Python 2.5 this was all the mmap module supported; passing -1
as the fd has been allowed since. In the 0.61 release, Pageant
adjusted the security checks so elevated processes could talk to an
unprivileged agent from the same user and vice versa. In Python there
is no facility for passing security descriptors when creating the
mapping, so doing this in paramiko would not be trivial.
The various bugs appear to boil down to the following issues:
* In paramiko the struct for passing the name isn't constructed with
the right size types for 64-bit systems.
* If the file paramiko created (using tempfile.mktemp and open...) for
the mapping is held open by another process, unlink will fail.
* Pageant will leak the mapping handle if it doesn't have the same
security context as the shared mapping:

    int ret = 0;
    ...
    filemap = OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, mapname);
    ...
    if (!EqualSid(mapowner, ourself))
        return 0; /* security ID mismatch! (filemap is never closed) */
    ...
    CloseHandle(filemap);
    return ret;

* A mismatched security context will be reported by paramiko as "lost
ssh-agent"... if unlink doesn't later fail.
The first issue already has a proposed fix[4], and the second could be
addressed by not creating a file on disk where possible. Beyond that,
tolerating unlink failing, and reporting a better error when Pageant
exists but refuses to talk would also be helpful.
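To make the IPC and the 64-bit struct problem concrete, here is an added
example of my own (not paramiko's or PuTTY's code) that lays out the
COPYDATASTRUCT with pointer-sized fields next to the 12-byte packing the
bug describes, frames an agent request, parses a constructed reply, and
does the Pageant round trip over a pagefile-backed mapping rather than a
temp file. The Pageant window name, the dwData magic and the 8192-byte
mapping size are taken from PuTTY; the Windows round trip itself is only
reachable on Windows and was not exercised here.

```python
import ctypes, mmap, os, struct, sys
SSH2_AGENTC_REQUEST_IDENTITIES, SSH2_AGENT_IDENTITIES_ANSWER = 11, 12
AGENT_COPYDATA_ID, AGENT_MAX_MSGLEN = 0x804E50BA, 8192   # Pageant's dwData magic, mapping size

# Correct COPYDATASTRUCT: dwData is ULONG_PTR (pointer-sized), cbData a 32-bit
# DWORD, lpData a pointer; ctypes inserts the 64-bit padding after cbData itself.
ULONG_PTR = ctypes.c_uint64 if ctypes.sizeof(ctypes.c_void_p) == 8 else ctypes.c_uint32

class COPYDATASTRUCT(ctypes.Structure):
    _fields_ = [("dwData", ULONG_PTR), ("cbData", ctypes.c_uint32), ("lpData", ctypes.c_void_p)]

LEGACY_SIZE = struct.calcsize("=LLL")         # struct.pack('LLL'): 12 bytes, pointer truncated on 64-bit
CORRECT_SIZE = ctypes.sizeof(COPYDATASTRUCT)  # 12 on 32-bit, 24 on 64-bit

def build_request(msg_type, payload=b""):
    body = bytes([msg_type]) + payload        # length-prefixed agent message
    return struct.pack(">I", len(body)) + body

def parse_identities_answer(reply):
    (length,) = struct.unpack_from(">I", reply, 0)
    body = reply[4:4 + length]
    if not body or body[0] != SSH2_AGENT_IDENTITIES_ANSWER:
        raise ValueError("agent refused the request or sent an unexpected reply")
    (count,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(count):                    # each entry: string key blob, string comment
        (blen,) = struct.unpack_from(">I", body, off); off += 4
        blob, off = body[off:off + blen], off + blen
        (clen,) = struct.unpack_from(">I", body, off); off += 4
        keys.append((blob, body[off:off + clen].decode())); off += clen
    return keys

# Constructed sample reply (not captured from a real agent): one key, comment "test".
SAMPLE_BLOB = b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x01\x03"
SAMPLE_REPLY = b"\x00\x00\x00\x21\x0c\x00\x00\x00\x01\x00\x00\x00\x10" + SAMPLE_BLOB + b"\x00\x00\x00\x04test"

def query_pageant(request):
    # One round trip over Pageant's WM_COPYDATA IPC; Windows only, Pageant must be running.
    if sys.platform != "win32": raise OSError("Pageant IPC only exists on Windows")
    user32 = ctypes.windll.user32
    user32.FindWindowA.restype = ctypes.c_void_p   # keep the full 64-bit HWND
    hwnd = user32.FindWindowA(b"Pageant", b"Pageant")
    if not hwnd: raise OSError("Pageant is not running")
    map_name = "PageantRequest%08x" % os.getpid()
    shm = mmap.mmap(-1, AGENT_MAX_MSGLEN, tagname=map_name)  # pagefile-backed: no file on disk
    shm.write(request)
    name_buf = ctypes.create_string_buffer(map_name.encode())
    cds = COPYDATASTRUCT(AGENT_COPYDATA_ID, len(name_buf), ctypes.addressof(name_buf))
    if not user32.SendMessageA(ctypes.c_void_p(hwnd), 0x004A, 0, ctypes.byref(cds)):  # WM_COPYDATA
        raise OSError("Pageant refused to talk: likely a security context mismatch")
    shm.seek(0); (length,) = struct.unpack(">I", shm.read(4))
    return struct.pack(">I", length) + shm.read(length)
```

On Windows, `parse_identities_answer(query_pageant(build_request(SSH2_AGENTC_REQUEST_IDENTITIES)))` lists the loaded keys, and a refusal surfaces as an OSError instead of a bare "lost ssh-agent".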
For previous issues with paramiko, Bazaar developers have applied
patches in Debian and Ubuntu[5], but there's no obvious process for
doing this for the Windows installer. Is it time to seek a new
upstream maintainer for the package?
Martin
[1] Part of PuTTY, used as an ssh agent on Windows
<http://www.chiark.greenend.org.uk/~sgtatham/putty/>
[2] A Python module implementing the SSH2 protocol
<http://www.lag.net/paramiko/>
[3] Bug reports on bzr problems with Pageant
<https://bugs.launchpad.net/bzr/+bug/644995>
<https://bugs.launchpad.net/bzr/+bug/820805>
<https://bugs.launchpad.net/bzr/+bug/824760>
<https://bugs.launchpad.net/bzr/+bug/886562>
[4] "Support Pageant on 64-bit Python"
<https://bugs.launchpad.net/paramiko/+bug/736955>
<https://github.com/jaraco/paramiko/commit/1939b1c55270bf7a92fdb1d43208a3b65342f4b2>
[5] "Cherry-pick two patches that have been forwarded upstream"
<https://code.launchpad.net/~jelmer/ubuntu/natty/paramiko/randompool+addressfamilies/+merge/46669>