-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: username and password support for SSH connection type #1126
base: main
Are you sure you want to change the base?
Conversation
Pushed a super rough draft of auth handler logic this morning. Very rough around the edges but wanted to get thoughts down in some (semi) organized manner. Will further test and refine as time allows. |
First up, thank you for working on this. It'll be a big improvement for us. A few random thoughts:
From your top message: "Users should still be able to specify an identify file for keys that have a passphrase." ; do you mean "for keys that don't have a passphrase"? For keys that do, you would need to develop the ability to de-shield them after loading them from disk, to pass to the private key method. Probably safer to just expect users to set up ssh-agent, if that's where they're at. [although it's true that that is unfortunate on windows] |
client/src/connection/ssh/index.ts
Outdated
|
||
constructor(c?: Config) { | ||
super(); | ||
this._config = c; | ||
this.conn = new Client(); | ||
this._conn = new Client(); | ||
this._authMethods = ["publickey", "password", "keyboard-interactive"]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Attempt non-interactive methods first, falling back to interactive ones.
@chunky in a few test scenarios in house, I'm seeing the auth method for agent and public key coming back from the server simply as "publickey". I'm wondering if the library is adding in agent based on set config options?
Essentially, these strings are well known auth methods that are supported by ssh itself. I think it would be great to get these from the server by initially sending "none" up to prompt for a response. We need to then roll through the list of methods that we can support in the extension (which should be most of them except for the kerberos methods) and then make sure that before we try it, that it's in the "server supported list".
client/src/connection/ssh/index.ts
Outdated
parsedKeyResult instanceof Error && | ||
parsedKeyResult.message === | ||
"Encrypted OpenSSH private key detected, but no passphrase given" | ||
) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The ssh2 library has a function that can assist with detecting that the key file specified on the config property is encrypted, which is a nice help to allow users to specify shielded and unshielded key paths on the connection profile (if they dont want to / cant use use agent). Right now with the code below if we detect a passphrase we'd prompt for it before sending it on. Generally I'm against storing these kinds of passphrases in a secret for reasons mentioned above. If a user wants passphrase persistence then perhaps agent is the ideal solution.
client/src/connection/ssh/index.ts
Outdated
}); | ||
} | ||
} | ||
} else if (process.env.SSH_AUTH_SOCK) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pretty straightforward, this is the agent method that we supported in the before state. Users can still elect not to specify a key file on the connection profile and have the agent do all of the work (if they have set it up).
client/src/connection/ssh/index.ts
Outdated
}); | ||
} | ||
break; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Support both password and keyboard-interactive. Prompt user "just in time".
All good feedback. I generally agree with thoughts above. I've put comments around changes that I think support these items. On the issue of whether or not to store the passwords in secrets, we have some precedent for doing this in other connection types. I do agree though that generally for ssh interaction with other solutions, anytime passwordless or passphraseless interactions are intended, that I've seen docs push users towards agent or public key. |
I would like to see the authentication method gssapi-with-mic added. This will be beneficial to those in corporate environments where Kerberos Tickets enable you to access other resources such as file systems, databases, APIs, etc ... while eliminating the need for the person to enter their credentials. |
If you can figure it out, yes, the kerberos SSO stuff is great where available. That was another thing I couldn't figure out. It works on some of our servers. Another of those "if it works it's magical and absolutely preferred". I think the distinction between "agent" and "public key" is a manifestation from the ssh2 library, not the server. In practice it might mean taking two bites at the key-based apple, which is explicitly afforded by the Auth handler mechanism |
Yea that's what the current changeset has, inside of "publickey" we'd look for whether or not the user has set their keyfile on the connection profile, if so we'd use that file, otherwise we'd defer to agent.
One challenge is that the ssh2 library doesnt support GSSAPI methods yet: |
@smorrisj I missed this comment from earlier: "I'm seeing the auth method for agent and public key coming back from the server simply as "publickey". I'm wondering if the library is adding in agent based on set config options?" From the server's perspective, these are the same thing; it just wants to do a key-based handshake. But on the client, they're different beasts. With ssh2's 'agent' they go get it from a daemon running on a socket, while 'publickey' is just a thing where you hand ssh2 the ready-to-use bytes. |
// SPDX-License-Identifier: Apache-2.0 | ||
|
||
const SECOND = 1000; | ||
export const KEEPALIVE_INTERVAL = 60 * SECOND; //How often (in milliseconds) to send SSH-level keepalive packets to the server. Set to 0 to disable. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chunky any thoughts on going with these values for keepalive and max unanswered?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@smorrisj 60 seconds is a reasonable figure - I think I usually set it to 30, but I have no strong feelings as long as it's well inside 90.
The unanswered_threshold, I confess to be unsure about appropriate behaviour. If the comment is right, it's measured in "pings" not in "time". So if you're aiming for 12 hours, it should be (12 * HOUR / KEEPALIVE_INTERVAL). Either way, because this is happening at the SSH/networking level, then 12 hours is probably way too long. Maybe 15 minutes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -118,3 +129,26 @@ Host host.machine.name | |||
``` | |||
|
|||
6. Add the public part of the keypair to the SAS server. Add the contents of the key file to the ~/.ssh/authorized_keys file. | |||
|
|||
### Connection Profile |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be 4th level (####
) right?
I'm thinking the title might be better to be something like "Private Key File Path"? As the agent way also involves profile and has profile sample above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in ea17b75
client/src/connection/ssh/types.ts
Outdated
privateKeyFilePath: string; | ||
} | ||
|
||
export const LogLineTypes: LogLineTypeEnum[] = [ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: where is it used?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. Relic from the initial prototype / approach. Removed in 3e1f267.
|
||
private resolveSystemVars = (): void => { | ||
const code = `%let workDir = %sysfunc(pathname(work)); | ||
%put ${WORK_DIR_START_TAG}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so looks like it will suffer #1119 right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I noticed this in testing. One "chunk" of data written to the stream actually contained multiple long lines with breaks on my test environment (I used VA). In testing, this code was able to parse out the actual unix path from the input strings I was seeing come across. Take a look and let me know what you think?
const match = foundWorkDir.match(/\/[^\s\r]+/);
this._workDirectory = match ? match[0] : "";
client/src/connection/LineParser.ts
Outdated
// Copyright © 2024, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. | ||
// SPDX-License-Identifier: Apache-2.0 | ||
|
||
export class LineParser { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we want to remove the itc/LineParser.ts
in favor of this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for catching. I had originally promoted LineParser up higher. A merge must have errantly added it back. Fixed in 76a271f.
client/src/components/profile.ts
Outdated
title: l10n.t("Private Key File Path (optional)"), | ||
placeholder: l10n.t("Enter the private key file path"), | ||
description: l10n.t( | ||
"Enter the local path of the private key file. Leave empty to use SSH Agent.", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: do we want to say Leave empty to use SSH Agent or password.
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was already unsure about having such a long description. I think we could shorten it a bit. See 7a2c0b4. Will that work?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @jennifert-sas for review
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@scnwwu For "Leave empty to use SSH Agent or password." I would suggest:
"To use the ssh-agent or a password, leave blank."
Not entirely sure if it should be "SSH Agent" or "ssh-agent" - i see both in the GitHub doc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ssh-agent
typically refers to the running process in the context of running in the operating system, whereas we generally have been using SSH Agent
for a more general reference, regardless of operating system. I updated the prompt to use "SSH Agent" in 5f9ec57, since in this case we were referring to it more as a general reference?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good - thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me. Thanks.
1.Create a SSH connection profile and specify an invalid privateKeyFilePath, run some code, it will prompt error message as expected. |
1.Create a SSH connection profile, specify privateKeyFilePath field in connection profile (with a passphrase). |
It cannot create the profile successfully if leave the 'Enter the local private key file path' as blank. For others fields have been filled correctly. |
Fixed in d3c9cd2 |
Fixed in 6d28a43 |
In this setup, we're trying as much as possible to let the SSH client and server negotiate auth based on the server configuration. If you're seeing that message, it means that the SSH client received a disconnect from the server side to close the connection before auth could finish. This can happen in a number of auth setups, for example, if max auth tries are exceeded etc. I think to support the largest number of customer configured auth setups, we should keep this the way it is. |
Summary
Todos:
Store password in Secrets API so that the user is not prompted for a password on each session establishment after initial profile creation.Use masked input field like we do for IOM on the text input prompt.setTimeout
logic will need to be adjusted so that we dont errantly timeout while a user is typing in a password or passphrase.Testing
Connection Profile Prompts:
Auth Refactor:
Users can successfully authenticate to the server to run sas programs using the following auth methods:
Work Directory Detection
Keepalive Changes: