[Proposal] use ssh-agent for remote connections

[luchaos]

phpseclib allows to use the system's ssh-agent for providing the key for ssh connections since two months. Laravel does not seem to provide this option next to username/password and private_key/passphrase authentication for remote connections.

Background:

Searching for the reason why both the passphrase for and the path to private keys have to be provided (see related stackoverflow question) I found out that phpseclib does indeed have an undocumented implementation for ssh-agent but Laravel does not make use of this method in its SecLibGateway.

Implementation ideas:

Either allow to set key to true in config/remote.phpconnections array or even fall back to ssh-agent when none of password,keyor keyphrase is set.
Another option could be to add another config field like agent accepting Booleans specifically for this, which seems unnecessary to me, though.

config/remote.php

return array(
    'default' => 'production',
    'connections' => array(
        'production' => array(
            'host'      => 'serverhaspublickey.com',
            'username'  => '',
            'password'  => '',
            'key'       => true, // invokes ssh-agent
            'keyphrase' => '',
            'root'      => '/var/www',
        ),
    ), 

laravel/framework/src/Illuminate/Remote/SecLibGateway.php

Either extend getAuthForLogin() or loadRsaKey() with an according routine to pass an instance of System_SSH_Agent instead of Crypt_RSA to login() at line 85.
As it may be done and can be seen in the source file's header comment here

Works both with phpseclib's SSH2 and SFTP:

 <?php
     include('System/SSH/Agent.php');
     include('Net/SSH2.php');

     $agent = new System_SSH_Agent();

     $ssh = new Net_SSH2('www.domain.tld');
     if (!$ssh->login('username', $agent)) {
         exit('Login Failed');
     }

     echo $ssh->exec('pwd');
     echo $ssh->exec('ls -la');
 ?>

[hannesvdvreken]

👍

Maybe use the System SSH agent in the absence of the key value in the connection configuration.

[passioncoder]

+1 for this, storing unencrypted passphrases in tmp files is not what you usually want.

[riotCode]

👍 this would be a good improvement, this needs to be a pull request!! :)

[GrahamCampbell]

According to @robclancy we're not allowed to ask for pull requests @riotCode.

[luchaos]

@GrahamCampbell @riotCode well, at least that's how I interpreted that section in CONTRIBUTING.md.

Before sending a pull request for a new feature, you should first create an issue with `[Proposal]` in the title. The proposal should describe the new feature, as well as implementation ideas. The proposal will then be reviewed and either approved or denied. Once a proposal is approved, a pull request may be created implementing the new feature. Pull requests which do not follow this guideline will be closed immediately.

Code is more or less written. Still waiting for review/denial/approval. Not sure if this should have been a [Request] instead?

[GrahamCampbell]

@luchaos [Request] should be used if you are proposing something, but don't want to make the implementation yourself. [Proposal] is more along the lines that you are willing to provide an implementation in a pull request.

[robclancy]

You know you can say my name without tagging me and annoying me with some random issue I don't even want to read.

[luchaos]

@GrahamCampbell thanks for clearing that up concisely
does anyone from the core team have any further thoughts on this?
btw. windows machines would not quite benefit from this feature yet according to phpseclib's System_SSH_Agent source:
$this->fsock = fsockopen('unix://' . $address, 0, $errno, $errstr);

[GrahamCampbell]

@luchaos There is no core team. @taylorotwell is the creator and only maintainer.

[luchaos]

Cautiously ignoring the "let's talk about it" part after two weeks for about 10 lines of quite non-intrusive code here's a suggestion:
https://github.com/luchaos/framework/commit/cd211fc0a4b60812b90971aa8e3a37112410ca4e
Running the existing tests showed no errors and it's working like a charm on OS X.

I went with a twice-cooked approach for the remotes config as follows:

    'connections' => array(
        'production' => array(
            'host'      => 'example.com',
            'username'  => 'luchaos',
            'agent'     => true, // invokes ssh-agent
            'key'       => true, // invokes ssh-agent
        ),
    ),

I'm still not too sure about two things, though:

• I didn't go all too deep with Windows since the amount of possibilities to establish a ssh-agent-like system with putty/cygwin (and how it's done) really turns me off. Using the existing remote connection options in a Win7 env worked well as usual.
• I assume the Remote/SSH part of Laravel was not meant to work outside a cli-interface? Afaik fetching the socket path on a unix system will not work outside the shell as it will not be populated to $_ENV nor $_SERVER by default. phpseclib depends on at least one being present.

@GrahamCampbell Thanks, I know. I guess I made false presumptions for the review process of proposals when reading about core maintainers reviewing feature requests in contributing.md. To understand the combination of readme.md, contributing.md and how to correctly label issues could've been less of a guess - but maybe that's just me.

[luchaos]

Option for ssh-agent is available now 👍