Pageant plus paramiko problems

Martin Pool mbp at canonical.com
Thu Nov 10 00:15:52 UTC 2011


On 10 November 2011 04:45, Martin Packman <martin.packman at canonical.com> wrote:
> Bazaar has had a number of reports about bad interaction between
> Pageant[1] and paramiko[2] resulting in either "lost ssh-agent" or
> access denied on a .pag file.

Thanks for analyzing it; for some reason there has been a spate of
these recently.

I want to ask about avoiding the situation as well as solving it.

Having a separately locked ssh key file is not necessarily the most
critical thing if people already have a logon password and whole-disk
or home-directory encryption, as is reasonably common.  In fact for
the common case where the ssh key is unlocked soon after logon and
remains unlocked the whole time, I'd argue there is only a marginal
incremental benefit.  I realize there are some people who want every
security layer they can get, and in some cases reasonably so.

If you have the key file unlocked, is bzr on Windows happy to just
access it directly?

I suspect some Windows bzr users don't actually want PuTTY, they just
want to use ssh keys.

I wonder if we can do some cheap and tolerably secure agent-equivalent
by putting the key into some kind of per-session storage, or even
just keeping it alive for the length of one bzr explorer instance.

> For previous issues with paramiko, Bazaar developers have applied
> patches in Debian and Ubuntu[5], but there's no obvious process for
> doing this for the Windows installer. Is it time to seek a new
> upstream maintainer for the package?

If it's orphaned upstream, since it's important to us we adopt it, at
least so we can put in these fixes.

m
