win_pageant fails when running as Administrator and PAgeant is running as UAC-limited account #98

Closed
jaraco opened this Issue Oct 24, 2012 · 3 comments

jaraco commented Oct 24, 2012

I've adopted Windows 8, which is much more aggressive about requiring UAC (i.e. some apps refuse to run unless UAC is enabled). As a result, I've started using UAC, and I'm running into issues with interprocess communication, such as win_pageant uses for communicating with PAgeant. This is one such issue.

When one invokes win_pageant when running as Administrator (but with PAgeant running as the UAC limited user), it fails to communicate with the process:

PS C:\Users\jaraco> python -c "import ssh.agent; ssh.agent.Agent()"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "C:\Users\jaraco\AppData\Roaming\Python\Python27\site-packages\ssh-1.7.13-py2.7.egg\ssh\agent.py", line 323, in __init__
    self._connect(conn)
  File "C:\Users\jaraco\AppData\Roaming\Python\Python27\site-packages\ssh-1.7.13-py2.7.egg\ssh\agent.py", line 70, in _connect
    ptype, result = self._send_message(chr(SSH2_AGENTC_REQUEST_IDENTITIES))
  File "C:\Users\jaraco\AppData\Roaming\Python\Python27\site-packages\ssh-1.7.13-py2.7.egg\ssh\agent.py", line 87, in _send_message
    l = self._read_all(4)
  File "C:\Users\jaraco\AppData\Roaming\Python\Python27\site-packages\ssh-1.7.13-py2.7.egg\ssh\agent.py", line 95, in _read_all
    raise SSHException('lost ssh-agent')
ssh.SSHException: lost ssh-agent

Run the same command in the same environment, but as a limited user, and it does not fail. Reverse the roles (run ssh.agent.Agent in a limited context with PAgeant as an Administrator), and it fails similarly.

I've confirmed that pscp (PuTTY's implementation of scp) is able to get keys from the PAgeant even in this situation (where pscp is running as Administrator but PAgeant is not). Therefore, it should be possible for the ssh library to do the same.

I expect I own this ticket, so I will investigate. Any tips appreciated.

jaraco commented Oct 24, 2012

I found this code which has comments specifically addressing this issue. I'll work on porting the details to paramiko.

jaraco added a commit to jaraco/paramiko that referenced this issue Nov 1, 2012

Initial work toward setting security attributes on the memory-mapped file used to communicate with PAgeant (per issue paramiko#98).

jaraco commented Nov 1, 2012

I've started work on this in this issue in this branch. It appears as if quite a bit of functionality will need to be implemented in C or ctypes or called from pywin32, because mmap doesn't provide an interface for specifying the security identifier (SID), and the reference implementation makes quite a few API calls in order to implement creating the memory-mapped file under the user's own SID.

jaraco added a commit to jaraco/paramiko that referenced this issue Nov 23, 2012

Create the memory map with the security attributes for the current user (rather than the default) to avoid permissions failures when the client and the agent run in different UAC contexts. Fixes paramiko#98.
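
The approach described in the comment and commit message above, sketched with ctypes as an added example (this is not the code from the paramiko branch or from the referenced implementation): a named mapping is created with a security descriptor whose owner is the current user's SID instead of the token default. The function name `create_user_owned_mapping` and the buffer sizes are choices made for this example, and Python 3 on Windows is assumed.

```python
import ctypes
import sys

TOKEN_QUERY = 0x0008
TOKEN_USER = 1                      # TOKEN_INFORMATION_CLASS value "TokenUser"
SECURITY_DESCRIPTOR_REVISION = 1
PAGE_READWRITE = 0x04
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1)

class SECURITY_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("nLength", ctypes.c_uint32),
                ("lpSecurityDescriptor", ctypes.c_void_p),
                ("bInheritHandle", ctypes.c_int)]

def _check(ok):
    # Win32 calls used here return 0/NULL on failure; surface GetLastError.
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())
    return ok

def create_user_owned_mapping(name, size):
    """Create a named, pagefile-backed mapping owned by the caller's user SID."""
    if sys.platform != "win32":
        raise OSError("requires Windows")
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.CreateFileMappingW.restype = ctypes.c_void_p

    # 1. Read TOKEN_USER from the process token; its first field points at the SID.
    token = ctypes.c_void_p()
    proc = ctypes.c_void_p(k32.GetCurrentProcess())
    _check(adv.OpenProcessToken(proc, TOKEN_QUERY, ctypes.byref(token)))
    info = ctypes.create_string_buffer(256)   # TOKEN_USER followed by the SID bytes
    used = ctypes.c_uint32()
    try:
        _check(adv.GetTokenInformation(token, TOKEN_USER, info, len(info),
                                       ctypes.byref(used)))
    finally:
        k32.CloseHandle(token)
    user_sid = ctypes.cast(info, ctypes.POINTER(ctypes.c_void_p))[0]

    # 2. Absolute security descriptor with an explicit owner (the user's SID).
    sd = ctypes.create_string_buffer(64)      # larger than a SECURITY_DESCRIPTOR
    _check(adv.InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION))
    _check(adv.SetSecurityDescriptorOwner(sd, ctypes.c_void_p(user_sid), 0))
    attrs = SECURITY_ATTRIBUTES(ctypes.sizeof(SECURITY_ATTRIBUTES),
                                ctypes.addressof(sd), 1)

    # 3. info and sd must stay alive until this call returns: attrs points into them.
    return _check(k32.CreateFileMappingW(INVALID_HANDLE_VALUE, ctypes.byref(attrs),
                                         PAGE_READWRITE, 0, size, name))
```

The returned handle still has to be mapped with `MapViewOfFile` and closed with `CloseHandle` by the caller.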

bitprophet commented Mar 19, 2013

See #112 for further discussion.

bitprophet closed this Mar 19, 2013