Bazaar

authentication.conf isn't used with openssh

Bug #203186 reported by Vlad A.
12
Affects Status Importance Assigned to Milestone
Bazaar
Fix Released
Wishlist
Vincent Ladeuil
Bazaar 1.6

Bug Description

OS: Linux Ubuntu 7.10

I wrote authentication.conf:

[My_Project]
sheme=sftp
host=server
user=vlad
password=PASSWORD

But any commands i type, ask me to enter password.
If i export environment variable BZR_SSH and assign it "paramiko" (Thanks to Alexander Belchenko) all fine.
So.

> export BZR_SSH=paramiko
> bzr revno sftp://vlad@server/path/to/rep
Connected (version 2.0, client OpenSSH_4.7)
Authentication type (password) not permitted.
Authentication (keyboard-interactive) successful!
Secsh channel 1 opened.
Opened sftp connection (server version 3)
14

> unset BZR_SSH
> bzr revno sftp://vlad@server/path/to/rep
Password:

Revision history for this message
Aaron Bentley (abentley) wrote :

That's very strange, because it looks like
1. BZR_SSH=paramiko is still running OpenSSH
2. Your server is configured to not permit passwords, only keyboard-interactive.

Revision history for this message
John A Meinel (jameinel) wrote :

AFAIK neither openssh nor plink support passing in the username and password from the calling process.

I know that openssh explicitly connects to the terminal so as to avoid some forms of password security problems. I would guess plink uses similar actions.

So only when you use the "built-in" ssh connection can we supply a password ourselves.

I'm tempted to mark this Won't Fix, because there isn't really any way we can fix it.

Revision history for this message
John A Meinel (jameinel) wrote :

This is because Openssh doesn't let the calling process pass in a password. So technically, it is by-design for openssh.

Instead you should look into using ssh-keygen and sharing ssh keys. Possibly along with ssh-agent (in case you want to keep a password on your ssh keys.)

Changed in bzr:
importance: Undecided → Wishlist
status: New → Won't Fix
Revision history for this message
Alexander Belchenko (bialix) wrote : Re: [Bug 203186] [NEW] authentication.conf isn't used with openssh

I'd like to say that I track down this bug with Vlad at Exception #7 seminar (March 15, 2008).

When BZR_SSH is not set then by default on his machine OpenSSH is used and it's always
prompt for password. And bzr even don't try to read authentication.conf file (I checked this
with additional trace.mutter in constructor).

When I did `export BZR_SSH=paramiko`, then all works ok.

Revision history for this message
Robert Collins (lifeless) wrote :

 status invalid

It is inappropriate for bzr to intercept secure password entry for
openssh; authentication.conf is only for http/ftp/https.

-Rob

Changed in bzr:
status: Won't Fix → Invalid
Revision history for this message
Nathan Adams (nadams) wrote :

This should probably be noted in the User Guide.

Revision history for this message
Vincent Ladeuil (vila) wrote :

Yes, the User guide should be updated.

The spec mentioned that:

Note that ssh servers can be configured to use keys instead of (``user``,
``password``) and, when used with appropriate agents, provide the same kind of
comfort this specification aims to provide for all other schemes. These
specification do not try to cover these configurations by providing
pass-phrases, but the mechanisms presented *can* be used to provide users.

We could issue a warning that the password will not be used if defined though.

Vincent Ladeuil (vila)
Changed in bzr:
assignee: nobody → v-ladeuil
Revision history for this message
Vincent Ladeuil (vila) wrote :

I will propose a patch that issue a warning if a password is defined in a ssh section.

Changed in bzr:
status: Invalid → In Progress
Vincent Ladeuil (vila)
Changed in bzr:
status: In Progress → Fix Committed
Vincent Ladeuil (vila)
Changed in bzr:
milestone: none → 1.6
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.