net-ssh does not require ed25519 dependencies #476

Closed
mfazekas opened this issue Dec 29, 2016 · 8 comments

@mfazekas
Collaborator

There are a number of (mostly native) gems required for the ed25519 implementation to work.

  • rbnacl-libsodium
  • rbnacl
  • bcrypt_pbkdf

Currently it's up to the user to install them, and net-ssh will complain if those dependencies are not there or are incorrect versions.

The following reasons led to this decision:

  1. Net-ssh advertises itself as "Pure ruby implementation of (SSH"
  2. bcrypt_pbkdf is not available on Java
  3. rbnacl-libsodium doesn't have precompiled binaries for windows

mfazekas changed the title from "net-ssh does not install ed25519 dependencies by default" to "net-ssh does not require ed25519 dependencies" on Dec 29, 2016

@mfazekas
Collaborator Author

See capistrano/capistrano#1825

@leehambley

leehambley commented Dec 29, 2016

@mfazekas thanks for the numbered list, that clarifies the situation pretty well and confirms what I'd suspected after poking through the gemspec here and installation instructions for rbnacl.

I wonder if a solution here is to use a post-install message to clarify why this is the case, or whether there's a better solution?

Edit: thanks also for reacting to my post inside 6 minutes! That's gotta be some kind of FOSS collaboration record :) either way, it's very appreciated.

@mfazekas
Collaborator Author

mfazekas commented Dec 29, 2016

There are no concrete plans to solve this issue. The priority was getting 4.0 out of the door, and this compromise allows 4.0 to continue to run on a wide range of platforms (e.g. Java and Windows).

There are the following options:

  1. leave this as is and let those dependencies be someone else's issue. Improve documentation.
  2. separate net-ssh to net-ssh-core and net-ssh where net-ssh-core is pure ruby, and net-ssh is the complete bundle with those dependencies marked as required. (or the other way around introduce a net-ssh-complete that has those dependencies)
  3. add Java support to bcrypt_pbkdf and add precompiled Windows libs to rbnacl-libsodium and make net-ssh require them (see "prebuilt binaries for windows", RubyCrypto/rbnacl-libsodium#9)
  4. wait for new openssl to implement stuff needed for ed25519 support

@leehambley

> There is no current plan to solve this issue.

I'm not enthralled by any of the options set out, but I'd imagine you aren't either. It's a real shame that we're no longer able to do SSH with pure Ruby.

The "improve documentation" issue came up because we were deciding what to do with Capistrano, and SSHKit, and by then people are three layers removed from the source of the "problem".

Suggest the following: we treat this as the documentation issue that it is.

Quick question to that, is there a specific error raised when trying to connect to a server that expects ed25519 keys, or is it a completely typical "Authentication Failure"?

@mattbrictson
Contributor

> Quick question to that, is there a specific error raised when trying to connect to a server that expects ed25519 keys

Yes, it looks like this:

```
NotImplementedError: unsupported key type `ssh-ed25519' -- see rbnacl-libsodium is not part of the bundle. Add it to Gemfile.
```

Although this is helpful, it is still less than ideal because:

  1. The error lists only one missing gem, even though you need three. This means you need to make at least three failed attempts and dig through a slightly different error each time to fully troubleshoot.
  2. The error message doesn't indicate the version of the gem that is required, which is important for rbnacl in particular (net-ssh doesn't support the newest version).
  3. If it is true that Windows and JRuby are unsupported platforms for these gems, then these errors lead you to a dead end.

Perhaps better documentation and error messaging is the right way to address this in the short term.

@mfazekas
Collaborator Author

Maybe the best would be pointing them to a web page or just this GitHub issue, so they can get more information.

> The error lists only one missing gem, even though you need three. This means you need to make at least three failed attempts and dig through a slightly different error each time to fully troubleshoot.

I'll work on improving the message.

Actually net-ssh should not deal with rbnacl-libsodium. If the user's machine has libsodium installed (via brew, or other ways) then he doesn't have to have rbnacl-libsodium installed.

> The error message doesn't indicate the version of the gem that is required, which is important for rbnacl in particular (net-ssh doesn't support the newest version).

I'll need to allow rbnacl 4.0 in net-ssh 4.0.1, and yes I need to print the requirements.

> If it is true that Windows and JRuby are unsupported platforms for these gems, then these errors lead you to a dead end.

So Windows is an issue because rbnacl-libsodium doesn't have precompiled libsodium, so you'll have trouble installing that if you don't have a C compiler on your Windows machine. If you do have or install libsodium via other means, Windows should work just fine.

On JRuby there is no bcrypt_pbkdf but we don't require it on JRuby. bcrypt_pbkdf is only required for reading password protected ed25519 keys, so if you have non-encrypted keys or your keys are in agent then there is no need for that.
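
A preflight check along the lines discussed above, reporting every missing ed25519 dependency in one pass instead of one error per attempt. This is an added example, not net-ssh code: `ed25519_preflight`, its parameters and the message wording are hypothetical, and version constraints are caller-supplied because the thread does not state them.

```ruby
require 'rubygems'

# Default lookup: newest installed version of a gem, or nil when absent.
INSTALLED = lambda do |name|
  Gem::Specification.find_all_by_name(name).map(&:version).max
end

# Hypothetical helper: returns all problems at once as an array of strings.
# requirements: gem name => version constraint (assumption, caller-supplied).
# system_libsodium: true when libsodium is installed by other means (brew etc.).
# encrypted_key: true when a password-protected ed25519 key must be read.
def ed25519_preflight(jruby: RUBY_PLATFORM == 'java', system_libsodium: false,
                      encrypted_key: true, requirements: {}, installed: INSTALLED)
  needed = { 'rbnacl' => 'ed25519 signatures' }
  # rbnacl-libsodium only supplies libsodium; skip it when the system has one.
  needed['rbnacl-libsodium'] = 'bundled libsodium' unless system_libsodium
  problems = []
  if encrypted_key
    if jruby
      # bcrypt_pbkdf has no Java build, so installing it is not an option here.
      problems << 'bcrypt_pbkdf is not available on Java: ' \
                  'use an unencrypted key or keys held in an agent'
    else
      needed['bcrypt_pbkdf'] = 'password-protected ed25519 keys'
    end
  end
  needed.each do |name, why|
    version = installed.call(name)
    req = Gem::Requirement.new(requirements.fetch(name, '>= 0'))
    if version.nil?
      problems << "missing gem #{name} (#{req}), needed for #{why}"
    elsif !req.satisfied_by?(Gem::Version.new(version.to_s))
      problems << "gem #{name} #{version} does not satisfy #{req}, " \
                  "needed for #{why}"
    end
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  report = ed25519_preflight
  puts report.empty? ? 'ed25519 dependencies look complete' : report
end
```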

@mattbrictson
Contributor

@mfazekas thanks for the detailed explanation and for putting in the time and effort to maintain net-ssh.

Regarding documentation, would you accept a PR that adds a "how to" document for ssh-ed25519 support? I could place this as a Markdown file in the net-ssh repo, and projects like Capistrano and SSHKit could then link to it.

@mfazekas
Collaborator Author

@mattbrictson sure we can put a howto in the repo, I was just wondering if it's something that's going to change a lot, maybe a wiki page or just a GitHub issue could be a better place. Especially if you add a link to it, you have to be careful about the branch/tag, as any howto inside the repo should only apply to that specific version.

thbar added a commit to thbar/sshkit that referenced this issue Jan 6, 2021
erickj added a commit to erickj/loom that referenced this issue Oct 15, 2023
ssh_options. Also updates gemspec requirements to support ed25519
elliptic keys in net/ssh

next cleanup: change hardcoded ssh_options in
lib/loom/host_spec.rb to come from the config. pass in from
inventory.rb

more info:
net-ssh/net-ssh#565
net-ssh/net-ssh#476
net-ssh/net-ssh#175