Ant support for ssh-agent

antsshssh-agent

I have an existing build.properties file that uses scp like this:

<scp todir="${linux.user}@${linux.site}:@{todir}" keyfile="${ssh.keyfile}" passphrase="${ssh.passphrase}" trust="yes" verbose="@{verbose}">
   <filestocopy />
</scp>

The documentation for that command is here:
https://ant.apache.org/manual/Tasks/scp.html

I would like to move to ssh-agent and eliminate the passphrase. Some people who are using this have configured their ssh to NOT use passwords and leave passphrase blank.

One alternative is to use http://www.jcraft.com/jsch-agent-proxy/ , but I found this 1.5 year old question that says it is not supported yet:

https://stackoverflow.com/questions/19684309/can-ant-using-ssh-encrypted-private-key-from-pageant

This is used in many ant scripts so I need a plan that would allow me to use ssh-agent while still allowing others to continue with their method.

I am on Windows 7 trying to scp files to Linux. I have a Pageant compatible ssh-agent: KeePass2/KeeAgent.

Best Answer

Not exactly what you asked for, but I've solved my similar problem (within Maven Antrun plugin on OS X) by using the exec task instead. So you might use, for example, something like this to replace what you have:

<exec executable="pscp">
   <arg value="dirtocopy"/>
   <arg value="-r"/>
   <arg value="-i"/>
   <arg value="${ssh.keyfile}"/>
   <arg value="${linux.user}@${linux.site}:@{todir}"/>
</exec>

It's not ideal of course. For cross-platform support you'd require everyone to have an SCP implementation already installed, and you'd need conditionals to choose between scp on *nix and pscp or whatever on Windows.

However it has some advantages – ssh-agent integration just works (as per your original request), and you probably don't need the -i argument I've included for completeness.

Caveat: I haven't actually tested this with the PuTTY suite or on Windows

Related Solutions

Linux – SSH Agent Forwarding not working even when using `ssh -A`

I've been trying to troubleshoot this problem for nearly seven years, and finally it get solved -- I launch keychain in my ~/.profile, which starts its own 'ssh-agent', even on machine B & C. This is the source of the problem, because keychain's ssh-agent overshadow the sshd provided one.

Removing it (keychain) from my ~/.profile solved the problem.

Update, another possibility, ssh-agent etc. usually get started as part of starting up the GUI on the local system. e.g., in another case, the call's hidden in /etc/X11/xdm/sys.xsession!

I confirm my SSH Agent Forwarding is working by doing, in MachineA,

ssh -t MachineB ssh MachineC

while ssh MachineB then, within it ssh MachineC was failing.

I'll start it (ssh-agent from keychain etc) manually only from machine A from now on.

Smartcard OpenSSH and PuTTY SSH

I see you are using a Yubico device as a PIV. But on Windows you are using the PUTTY-CAC, and CAPI. This means the Windows 10 builtin PIV code is most likely being used to access the Yubico as a PIV type card. That should work, but it looks the signature returned does not verify. It could also be the Putty CAPI code is not constructing the SSH answer correctly.

looking at the Putty-CAC it is not clear if the code supports SHA256. The original Windows BSP did not, only supporting CALG_SHA1. CALG_SHA_256 was supported later. Microsoft ALG_ID

Putty does have a logging capability that might be helpful. WireShark might also be helpful to see ssh packets being exchanged.

You may want to try using the Putty-CAC PKCS#11 interface and use either the opensc-pkcs11 or Yubico pkcs11 modules.

Upon testing on Windows 10 with Putty-CAC (Client protocol version 2.0; client software version PuTTY_Release_0.70_4) to OpenSSH (Local version string SSH-2.0-OpenSSH_7.7) With a Yubikey 4 with PIV applet. I can get it to work with pkcs11 (opensc-pkcs11.dl) but not with the CAPI. I believe the problem is in Putty-CAC cert-capi.c line 68: if (CryptCreateHash((HCRYPTPROV)hCryptProv, CALG_SHA1, 0, 0, &hHash) != FALSE && I believe the problem is CALG_SHA1 should be CALG_SHA_256As newer OpenSSH do not support sha1 for signatures, but either rsa-sha-256 or rsa_sha-512.

I do not have a good environment setup to rebuild Putty-CAC.

Another good site is https://piv.idmanagement.gov/engineering/ssh/

See bug report at Putty-CAC/Issues/30

After further testing, it was found that removing the Yubico Minidriver package caused things to start working. The driver is not need because Windows 10 has a built in driver for PIV cards or tokens with a PIV applet. The Yubico Minidriver was unable to handle something causing a MessageBox to be displayed, but Putty-CAC did not handle the bad return codes and when ahead and sent a bogus response to SSHD with a bad signature.

Best Answer

Related Solutions

Linux – SSH Agent Forwarding not working even when using `ssh -A`

Smartcard OpenSSH and PuTTY SSH

Related Question