Start a new topic

Native OpenSSH support in WIndows

Hi! Microsoft is currently incorporating OpenSSH into Windows. Link: https://arstechnica.com/gadgets/2017/12/microsoft-quietly-snuck-an-ssh-client-and-server-into-the-latest-windows-10/

Let's start using it.


Thanks


1 person likes this idea

Here's the documentation of rebex' implementation of agent support:

https://www.rebex.net/doc/api/Rebex.Net.SshAuthenticationAgent.html


According to the docs, they implemented is according to the following RFC
https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent-00


Since we can't really verify the implementation, it might be best to contact rebex directly with a repro case and detailed logs to find out if there's bug or issue in their implementation.


Either using their Q&A forum https://forum.rebex.net/

or directly support@rebex.net


Regards,
Stefan

I got a response from the Rebex forum: 
https://forum.rebex.net/22511/rebex-ssh-username-and-private-key-no-password?show=22514#a22514


The method to do this would be: 
public void Login(string userName, SshPrivateKey privateKey)


I believe RoyalTS is sending username and a blank password via this method:
public void Login(string userName, string password, SshPrivateKey privateKey)



I'm using 1password with royal TS and it is working great. I'll share some screenshots of my setup so that it has help when I'm back this afternoon.

I have an SSH (rebux) based connection in a folder called "2-linux"

image


The credential settings of this connection is to use the parent.


image


Under Security -> General, I have the following settings (PublicKey, OpenSSH, Fingerprint)


image


The parent folder credentials log in as root, with a random password. Totally random, not related to the password for the servers at all, just generated via RoyalTS and put in there. I dunno why I did that, but I haven't had issues so maybe you could try?


image


I'm using RoyalTS for Windows version 7.0.50823, and 1Password for Windows 8.10.16




That worked.  So a password is being required even if it isn't used for the connection.  Thank you.

Hi Steve and Thomas,


thanks for the feedback and the information. I can do a couple of things to make it "better" hopefully.


1) I could drop the requirement for username and password. In this case I will take the %USERNAME% environment variable

2) If no password is provided (but a private key file), I will call the API overload which doesn't require the password.


This should then make it much easier if an SSH agent is used. What do you think?


Regards,
Stefan

1) Would this be the username of whatever credential is active? I'm not familiar with environment variables with RoyalTS.

2) This should work.

Re 1: this would mean that if no credential is provided at all, it will automatically assume the username in %USERNAME% environment variable of the Windows system you are running Royal TS. This means if you have an SSH authentication agent running and the username of the remote system is identical to the username of your client, Royal TS will assume this username automatically. I believe it's the default behavior on *nix systems / open ssh systems.

That should work.

Just tried it, and it isn't covering my scenario.  


This is the scenario closest to what I need.

2) If no password is provided (but a private key file), I will call the API overload which doesn't require the password.


The issue is that I am not specifying a private key in RoyalTS.  I am only supplying the "bitnami" username on the authentication screen.  1Password listens on OpenSSH and provides the key information, externally of RoyalTS.


if a username is supplied and password is not supplied, I want you to call the API overload, regardless of whether a key is specified in RoyalTS.

When username and password and key: 
public void Login(string userName, string password, SshPrivateKey privateKey)


When username and password and no key:

public void Login(string userName, string password)


When username and no password and no key:

public void Login(string userName)



When username and no password and key:

public void Login(string userName, SshPrivateKey privateKey)


Hi Thomas,


I'm afraid that's not possible. The Rebex API doesn't work that way. If I call the API Ssh.Login(username), it will invoke the AuthenticationRequest event to ask for the password:

https://www.rebex.net/doc/api/Rebex.Net.Ssh.Login.html#Rebex_Net_Ssh_Login_System_String_


The only valid call where the username alone can be provided, is the one where an SshAuthenticationAgent is specified:

https://www.rebex.net/doc/api/Rebex.Net.Ssh.Login.html#Rebex_Net_Ssh_Login_System_String_Rebex_Net_SshAuthenticationAgent_


If 1Password can act as an OpenSSH authentication agent which is compatible with the implementation of Rebex, it may work but only if you also specify that a OpenSSH authentication agent should be used:

Did you try that?

Therein lies the problem.  If I specify "OpenSSH Agent", it still requires a username and password, although Rebex doesn't send the password[, or the password is ignored by the server being connected to].  This is what Steve Addison found several days ago.


Using OpenSSH Agent

Specifying a credential with username and a complex password [for some reason a short password wouldn't work], allows for 1Password to trigger and allows logging into the server.


Looks like it is just a quirk that I am going to have to live with.  


Thanks for your time looking into the issue.

Hi Thomas,


I think I found another code path where a username alone could initiate a prompt. I've done some more tests and could improve the behavior in these situations. If you configured an ssh agent, you should now be able to use a connection without a password/key configuration - assuming your agent provides all the missing details.


Regards,
Stefan

Login or Signup to post a comment