Bug 541274 - ssh: support for ssh-agent in the Apache MINA sshd client
Status: RESOLVED FIXED
Alias: None
Product: JGit
Classification: Technology
Component: JGit
Version: 5.2
Hardware: PC Unix All
Importance: P3 enhancement
Target Milestone: 6.0
Assignee: Thomas Wolf CLA
Depends on: 520927
Reported: 2018-11-17 16:35 EST by Thomas Wolf CLA
Modified: 2022-07-08 01:36 EDT
Description Thomas Wolf CLA 2018-11-17 16:35:28 EST
See also bug 179924. The main problem is that this will need native code to access a unix domain socket. Apache MINA sshd uses Tomcat APR for this.
Comment 1 Thomas Wolf CLA 2018-11-19 11:06:36 EST
See also bug 541275 for Pageant support on Windows.
Comment 2 Konrad Windszus CLA 2019-01-18 04:39:53 EST
Further references about the agent support in Mina SSHD: https://github.com/apache/mina-sshd#proxy-agent. The actual code which leverages Tomcat APR is at https://github.com/apache/mina-sshd/blob/52b8553db683514ba65a3e8b482cc1ef760091cc/sshd-core/src/main/java/org/apache/sshd/agent/unix/AgentClient.java#L62.
Comment 3 Konrad Windszus CLA 2021-03-08 04:00:09 EST
I think with Java 16 there should be SSH Agent client support possible without a native code dependency (thanks to https://openjdk.java.net/jeps/380). I opened https://issues.apache.org/jira/browse/SSHD-1139 for that.
Comment 4 Thomas Wolf CLA 2021-10-21 19:24:49 EDT
I have a prototype using JNA for this. Needs more (manual) testing, though.
Comment 5 Thomas Wolf CLA 2021-11-04 03:55:51 EDT
Basic support added in https://git.eclipse.org/r/c/jgit/jgit/+/186859.

Limitations:

* ssh config AddKeysToAgent is not supported yet.
* ssh config IdentityAgent is not supported yet.
* Agent keys are not used at all when "IdentitiesOnly yes" is set.
* No integration with native keystore (on Mac, ssh config UseKeychain)

The first three will be done properly once Apache MINA sshd 2.8.0 is released. We need upstream improvements for this.

For now, use of agent keys is suppressed with "IdentitiesOnly yes" instead of "IdentityAgent none".

Keychain integration is a long way off.
Comment 6 Konrad Windszus CLA 2022-07-08 00:31:29 EDT
Any chance for a backport to 5.13? I would like to leverage that for Maven SCM.
Comment 7 Thomas Wolf CLA 2022-07-08 01:32:22 EDT
Not from my side.

1. JGit 5.13 is in maintenance mode; it gets critical bug and performance fixes,
   but not completely new features.
2. JGit 5.13 uses Apache MINA sshd 2.7.0, which means AddKeysToAgent and
   IdentityAgent cannot be supported properly.
Comment 8 Thomas Wolf CLA 2022-07-08 01:36:13 EDT
To tie up a loose end here: OS X keychain integration is not doable. Technically it would be possible, but it'll fail on security policy grounds. See bug 577078 comment 3.