Added ability to specify agent socket #360
Conversation
3466837 to 6030812
Thanks much for the PR, can you please describe your use case?
6030812 to 66b418f
@mfazekas didn't quite get your comment, could you elaborate please?
Sorry, I was not reading your change carefully enough. I assumed
So your version is this: `Net::SSH::start(user,host,agent_socket_addres:'/foo/bar')`
What I was asking is this: `Net::SSH::start(user,host,agent_socket_factory: ->{ UNIXSocket.open('/foo/bar') })`
But again, please explain your use case.
66b418f to 8e596ef
I've placed the description later on :).
Multiple users with multiple agents sounds like an esoteric use case. I find
It's a multi-tenant app that uses net-ssh for some actions; the user inserts his private key, hence all the users' passwords will be cached on the same ssh-agent, which is a security issue.
Hi @mfazekas, think of a multi-tenant management application. And remember that "multiple users with multiple agents" is the original design of ssh-agent. On a Linux machine you run an ssh-agent per user, because ssh-agent is not multi-tenant itself and you don't want to cache all the keys in a single place for all the users.
I'd suggest renaming that method; it can be just
@simon3z, @alongoldboim thanks for clarifying the use case, it makes sense that way.
8e596ef to 2d26f59
@mfazekas Needed changes were made and tests fixed, please review again :)
2d26f59 to ab73856
@@ -357,7 +357,7 @@ def auth_agent_channel(session, channel, packet) | |||
channel[:invisible] = true | |||
|
|||
begin | |||
agent = Authentication::Agent.connect(logger) | |||
agent = Authentication::Agent.connect(logger, self.session.options[:agent_socket_factory]) |
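Review bot: the added line gives no sign of what happens when the option was never passed, so `Authentication::Agent.connect` must treat a nil second argument as "use the previous ENV-based lookup"; otherwise every forwarded-agent channel for callers that do not set `agent_socket_factory` would break. Also, `self.session.options[...]` can be written as `session.options[...]`, matching the receiver-less `session` already used in this method's signature. A test exercising both the lambda path and the nil path would pin the behaviour down.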
can't we just write `session` vs `self.session`
fixed.
Looks good to me, a test would be good to have.
12ddcf5 to e7a7438
@mfazekas Added a test to make sure that if we pass a lambda it will use its value instead of the regular ENV.
e7a7438 to e343a8c
e343a8c to 9007b5d
Thanks much!
I'll try to release 4.0.0.alpha4 this weekend.
Hey @mfazekas, I'm trying the new fix and I got a small problem you might help me with. I'm trying to do a nested ssh and for some reason the forwarding doesn't work (it works if agent_socket_factory isn't passed); debugging the code, it seems it uses the correct agent with the correct socket. What did I miss? :)

```ruby
require 'net/ssh'
require 'fileutils'

agent_socket = "/tmp/ssh/ssh_a"
# Create the directory that will hold the agent socket
FileUtils.mkdir_p File.dirname(agent_socket)
# Start a dedicated agent bound to that socket
system "ssh-agent -a #{agent_socket}"
Net::SSH.start('10.35.4.213', 'root', :paranoid => false, :forward_agent => true,
               # Use this session's own agent instead of SSH_AUTH_SOCK
               :agent_socket_factory => ->{ UNIXSocket.open(agent_socket) },
               :key_data => ['key']) do |ssh|
  # The nested hop should authenticate through the forwarded agent
  res = ssh.exec!("ssh -o 'StrictHostKeyChecking no' root@10.35.4.163" + " echo $?")
end
```

The problem is that the agent.identities aren't being set.
@mfazekas I thought net-ssh would add the key we connect with to the running agent automatically; apparently it doesn't, so I'll just do it manually. Maybe we should consider adding the current key to the agent by default?
I assume there might be use cases where automatically adding the programmatically defined key_data to the agent is not desirable. So maybe an option to add that to session.
@mfazekas you're right; when I get some time I'll do a patch for that as well.
Adding the option to specify the socket that will be used. This is useful when we have multiple agents running and multiple users using net-ssh at the same time (that's why changing the ENV variable is not really practical).
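A self-contained illustration of the semantics this PR describes, added here as an example and not net-ssh's own code: `connect_agent` is a hypothetical stand-in for the agent connection step (factory first, process-wide `SSH_AUTH_SOCK` only as a fallback), and `start_fake_agent` is a constructed stub that merely reports which socket path it listens on, so two "tenants" with their own factories can be seen reaching separate agents.

```ruby
require 'socket'
require 'tmpdir'

# Hypothetical stand-in for the agent connection step. A per-session factory
# wins; the process-wide SSH_AUTH_SOCK is consulted only when no factory is given.
def connect_agent(agent_socket_factory = nil)
  return agent_socket_factory.call if agent_socket_factory
  path = ENV['SSH_AUTH_SOCK']
  raise 'no agent: SSH_AUTH_SOCK unset and no agent_socket_factory given' unless path
  UNIXSocket.open(path)
end

# Constructed stub "agent": answers every client with its own socket path,
# which is enough to show which agent a session actually reached.
def start_fake_agent(path)
  server = UNIXServer.new(path)
  Thread.new do
    loop do
      begin
        client = server.accept
      rescue IOError, Errno::EBADF
        break # server closed by the main thread
      end
      client.write(path)
      client.close
    end
  end
  server
end

# Two tenants with their own agents, plus a shared SSH_AUTH_SOCK that a session
# without a factory falls back to. Returns the socket each session reached.
def demo_tenant_isolation
  saved = ENV['SSH_AUTH_SOCK']
  Dir.mktmpdir('agents') do |dir|
    shared  = File.join(dir, 'shared.sock')
    tenants = { alice: File.join(dir, 'alice.sock'), bob: File.join(dir, 'bob.sock') }
    servers = ([shared] + tenants.values).map { |p| start_fake_agent(p) }
    ENV['SSH_AUTH_SOCK'] = shared
    reached = {}
    tenants.each do |name, path|
      factory = -> { UNIXSocket.open(path) } # fresh socket on every call
      sock = connect_agent(factory)
      reached[name] = File.basename(sock.read)
      sock.close
    end
    sock = connect_agent(nil)                 # no factory: ENV fallback
    reached[:env_fallback] = File.basename(sock.read)
    sock.close
    servers.each(&:close)
    reached
  end
ensure
  ENV['SSH_AUTH_SOCK'] = saved
end
```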