Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

win_pageant fails when running as Administrator and PAgeant is running as UAC-limited account #98

Closed
jaraco opened this issue Oct 24, 2012 · 3 comments · Fixed by #112
Closed

win_pageant fails when running as Administrator and PAgeant is running as UAC-limited account #98

jaraco opened this issue Oct 24, 2012 · 3 comments · Fixed by #112

Comments

@jaraco
Copy link
Contributor

jaraco commented Oct 24, 2012

I've adopted Windows 8, which is much more aggressive about requiring UAC (i.e. some apps refuse to run unless UAC is enabled). As a result, I've started using UAC, and I'm running into issues with interprocess communication, such as win_pageant uses for communicating with PAgeant. This is one such issue.

When one invokes win_pagent when running as Administrator (but with PAgeant running as the UAC limited user), it fails to communicate with the process:

PS C:\Users\jaraco> python -c "import ssh.agent; ssh.agent.Agent()"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "C:\Users\jaraco\AppData\Roaming\Python\Python27\site-packages\ssh-1.7.13-py2.7.egg\ssh\agent.py", line 323, in __init__
    self._connect(conn)
  File "C:\Users\jaraco\AppData\Roaming\Python\Python27\site-packages\ssh-1.7.13-py2.7.egg\ssh\agent.py", line 70, in _connect
    ptype, result = self._send_message(chr(SSH2_AGENTC_REQUEST_IDENTITIES))
  File "C:\Users\jaraco\AppData\Roaming\Python\Python27\site-packages\ssh-1.7.13-py2.7.egg\ssh\agent.py", line 87, in _send_message
    l = self._read_all(4)
  File "C:\Users\jaraco\AppData\Roaming\Python\Python27\site-packages\ssh-1.7.13-py2.7.egg\ssh\agent.py", line 95, in _read_all
    raise SSHException('lost ssh-agent')
ssh.SSHException: lost ssh-agent

Run the same command in the same environment, but as a limited user, and it does not fail. Reverse the roles (run ssh.agent.Agent in a limited context with PAgeant as an Administrator), and it fails similarly.

I've confirmed that pscp (PuTTY's implementation of scp) is able to get keys from the PAgeant even in this situation (where pscp is running as Administrator but PAgeant is not). Therefore, it should be possible for the ssh library to do the same.

I expect I own this ticket, so I will investigate. Any tips appreciated.
@jaraco
Copy link
Contributor Author

jaraco commented Oct 24, 2012

I found this code which has comments specifically addressing this issue. I'll work on porting the details to paramiko.

@jaraco
Copy link
Contributor Author

jaraco commented Nov 1, 2012

I've started work on this in this issue in this branch. It appears as if quite a bit of functionality will need to be implemented in C or c-types or called from pywin32, because mmap doesn't provide an interface for specifying the security identifier (SID), and the reference implementation makes quite a few API calls in order to implement creating the memory-mapped file under the user's own SID.

@jaraco jaraco mentioned this issue Nov 23, 2012
Merged
@bitprophet
Copy link
Member

See #112 for further discussion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Security attributes on mmap file jaraco/paramiko
2 participants
@bitprophet @jaraco