SSH key could not be found #12

Closed
rvernica opened this issue Jul 24, 2017 · 7 comments

@rvernica

Once I start the application I get this warning in the Notification area:
image
I have a Pageant running and the key loaded there. I am able to push to my remote Git repository using git-bash and the key in Pageant:

MINGW64 ~/.password-store (master)
$ echo $GIT_SSH
C:\Program Files\PuTTY\plink.exe

MINGW64 ~/.password-store (master)
$ git remote -v
origin  git@.../password-store.git (fetch)
origin  git@.../password-store.git (push)

MINGW64 ~/.password-store (master)
$ git push --set-upstream origin master
Counting objects: 3, done.
Writing objects: 100% (3/3), 243 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To .../password-store.git
 * [new branch]      master -> master
Branch master set up to track remote branch master from origin.
@geluk
Owner

geluk commented Jul 24, 2017

On startup, pass-winmenu will check the protocol of your password store's default remote to see if it uses SSH. If that is the case, it'll look for an SSH key in the location configured in pass-winmenu.yml. If it finds an SSH key, it'll use that key when you click Push to remote or Pull from remote in the notification icon menu.

This message is there to inform you that, since it couldn't find your SSH keys, pass-winmenu will not be able to do this. I should probably make it more clear that it's not trying to suggest that your repository is set up incorrectly.

If you don't use the built-in push/pull functions, you can simply disable the notification by setting no-ssh-key-found to false under notifications.

I realise that this isn't exactly the best way to handle this, but I can't immediately come up with a better solution, so I'm open to any suggestions.

geluk pushed a commit that referenced this issue Jul 24, 2017
Ideally this would all be handled in a slightly more user-friendly
manner, see issue #12.
@rvernica
Author

I did assume only the Push/Pull functionality would be affected. I was not sure why the keys were not found as they are located in %userprofile%\.ssh. It turns out they were not exactly named as the program expected.

I renamed the keys to match the expected file names and the warning no longer appears. Still, when triggering the Push/Pull functionality, I get this error:
image

My keys have a passphrase, I wonder if that is the cause of this error.

Also, in order to be able to use git push and git pull in git-bash I needed to set up the GIT_SSH environment variable to point to plink.exe. Could this help in this case?

MINGW64 ~/.password-store (master)
$ echo $GIT_SSH
C:\Program Files\PuTTY\plink.exe

@geluk
Owner

geluk commented Jul 24, 2017

> I did assume only the Push/Pull functionality would be affected. I was not sure why the keys were not found as they are located in %userprofile%\.ssh. It turns out they were not exactly named as the program expected.

This is something worth looking into. SSH keys are hard to identify since they can be named pretty much anything, with or without a file extension, so I just went with the default names as ssh-keygen generates them.
It might be useful to add a config variable such as ssh-key-matches, which could be an array of regex strings to be matched against all files found in ssh-key-search-locations. All matching files are considered to be private keys and should be tried.

Which would end up looking somewhat like this:

# A list of paths to search for SSH keys to use when connecting to a remote.
ssh-key-search-locations: ['%userprofile%\.ssh']
# A list of regex strings matched against all files found in the directories
# given by 'ssh-key-search-locations'. Matching files are considered to be
# SSH keys and will be tried when connecting to a remote.
# The lookbehind '(?<!\.pub)$' skips public keys such as id_rsa.pub.
ssh-key-matches: ['id_.*(?<!\.pub)$', 'sshkey\.private']

> My keys have a passphrase, I wonder if that is the cause of this error.

It most likely is. I haven't implemented passphrases yet, since I'd have to add some hooks to request the passphrase from the user, as well as creating a window where they can enter their passphrase.

> Also, in order to be able to use git push and git pull in git-bash I needed to set up the GIT_SSH environment variable to point to plink.exe. Could this help in this case?

Since pass-winmenu uses LibGit2Sharp, I don't believe it honours the same environment variables as git does. It uses its own SSH implementation, which, unfortunately, is still somewhat limited (for instance, ECC keys are not supported yet).
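
Added example, not part of the original thread and not pass-winmenu code: because key files can be named anything, a scanner can identify private keys by content instead of by name, and report whether each one is passphrase-protected (the case the comment above says is not implemented). The file names and file contents below are constructed; the OpenSSH samples contain only the container header, not a usable key.

```python
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]*)PRIVATE KEY-----\s*(.*?)-----END", re.S)

def classify_key(text):
    """Return 'encrypted', 'unencrypted' or 'not-a-private-key' for file contents."""
    if text.startswith("PuTTY-User-Key-File-"):        # PuTTY .ppk container
        m = re.search(r"^Encryption:\s*(\S+)", text, re.M)
        return "unencrypted" if m and m.group(1) == "none" else "encrypted"
    m = PEM_RE.search(text)
    if not m:
        return "not-a-private-key"                     # e.g. a .pub file
    label, body = m.group(1).strip(), m.group(2)
    if label == "OPENSSH":                             # ciphername follows the magic
        try:
            blob = base64.b64decode("".join(body.split()))
        except ValueError:
            return "not-a-private-key"
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return "not-a-private-key"
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return "unencrypted" if blob[off + 4:off + 4 + n] == b"none" else "encrypted"
    if label == "ENCRYPTED" or "Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted"                             # PKCS#8 or legacy PEM
    return "unencrypted"

def _openssh_sample(cipher):
    # Constructed header only (magic + ciphername); not a usable key.
    hdr = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(hdr).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed file contents keyed by hypothetical file names.
SAMPLES = {
    "id_ed25519": _openssh_sample(b"none"),
    "work_key": _openssh_sample(b"aes256-ctr"),
    "old_rsa.pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "pageant.ppk": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\n",
    "id_ed25519.pub": "ssh-ed25519 AAAA constructed@example\n",
}

def classify_all(samples=SAMPLES):
    return {name: classify_key(text) for name, text in samples.items()}
```

A key reported as encrypted needs a passphrase prompt or an agent before any library can load it from disk.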

@rvernica
Author

I see. So delegating the SSH connection and key handling to PuTTY/Pageant might not be straightforward. Pageant already has the key loaded and handles the passphrase.

@geluk
Owner

geluk commented Jul 24, 2017

> So delegating the SSH connection and key handling to PuTTY/Pageant might not be straightforward.

I believe so. LibGit2Sharp allows you to define your own SSH credentials provider, which must return the path to a private key file, the path to its public key file, and a password (if applicable).

That means the keypair must be requested from Pageant and saved to some temporary files, after which LibGit2Sharp can be pointed to those files. However, at this point you're storing unencrypted SSH keys on your disk, which is obviously not desirable if you've gone through the effort of password-protecting your keys and setting up an SSH agent.

It's not impossible, but it's no small task either.

On the other hand, extending pass-winmenu so it can request SSH key passwords (and remember them for a set amount of time) itself should be possible, though that does leave users with the issue of having to enter their SSH key password twice; once for SSH/git/etc, and once for pass-winmenu.

Despite this, adding support for passphrases is probably a good idea, since it still helps out those who encrypt their SSH keys but do not run an SSH agent.

@geluk
Owner

geluk commented Jul 27, 2017

I ran into another issue with LibGit2Sharp's SSH implementation; turns out the error you got is more likely being caused by the SSH server and client being unable to agree on a key exchange algorithm. If you check the sshd logs on the remote, you'll probably see something like this:

Unable to negotiate with [host] port [port]: no matching cipher found. Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc [preauth]

As you can see, LibGit2Sharp only offers some rather questionable ciphers, which, on modern SSH servers, are not enabled, and often not even available anymore.

At this point I think it's probably a better idea to stop trying to make SSH through LibGit2Sharp work, and instead just allow users to configure pass-winmenu to rely on an installed Git for fetching from/pushing to the remote. If a user enables this feature, LibGit2Sharp will still be used for all offline actions such as committing or rebasing, but for fetching and pushing, native Git will be called. This means that if you're using a special configuration (unusual credentials provider, SSH agent, etc), then as long as it works from the command line, it will work for pass-winmenu too.
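
Added example, not part of the original thread: a parser for the sshd negotiation-failure line quoted in the comment above, which reports what kind of algorithm failed to match, which offered ciphers the server shares, and which are legacy. `SERVER_CIPHERS` is an assumed server configuration; replace it with the `ciphers` line printed by `sshd -T` on the remote.

```python
import re

NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\S+): "
    r"no matching (?P<kind>[\w ]+?) found\. Their offer: (?P<offer>\S+)")

# Assumption: ciphers enabled on the server (the "ciphers" line of `sshd -T`).
SERVER_CIPHERS = {
    "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
}

def weakness(cipher):
    """Return why a cipher is considered legacy, or None."""
    if cipher.startswith("arcfour"):
        return "RC4"
    if cipher.startswith("3des"):
        return "3DES, 64-bit block"
    if cipher.endswith("-cbc") or "-cbc@" in cipher:
        return "CBC mode"
    return None

def analyze(line, server_ciphers=SERVER_CIPHERS):
    """Parse one sshd negotiation failure; return None for unrelated lines."""
    m = NEGOTIATE_RE.search(line)
    if not m:
        return None
    offer = m.group("offer").split(",")
    result = {"host": m.group("host"), "port": m.group("port"),
              "kind": m.group("kind"), "offer": offer}
    if m.group("kind") == "cipher":
        result["common"] = sorted(set(offer) & server_ciphers)
        result["legacy"] = {c: weakness(c) for c in offer if weakness(c)}
    return result

# The log line quoted in the comment above, with its [host]/[port] placeholders.
SAMPLE = ("Unable to negotiate with [host] port [port]: no matching cipher found. "
          "Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,"
          "aes128-cbc,arcfour128,arcfour,3des-cbc [preauth]")

if __name__ == "__main__":
    report = analyze(SAMPLE)
    print("shared ciphers:", report["common"] or "none")
    for cipher, reason in report["legacy"].items():
        print(f"  {cipher}: {reason}")
```

For the quoted line the shared set is empty and all seven offered ciphers are flagged.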

@geluk
Owner

geluk commented Sep 4, 2017

I've added the native Git feature, so I'll consider this fixed. Feel free to open a new issue if you continue running into synchronisation issues.

@geluk geluk closed this as completed Sep 4, 2017