
Comments (31)

stychos commented on May 5, 2024 (7)

Would be good to allow that by request or maybe by some button in preferences or on first launch. I have tons of configurations in ~/.ssh/config

from sequel-ace.

gboudreau commented on May 5, 2024 (5)

Can't we just get the permission from the user to access his complete $HOME/.ssh/ folder, and all the files it contains? (Do the sandboxing tools allow that, asking the user to choose a folder, and getting read access to all the files contained?)

Jason-Morcos commented on May 5, 2024 (4)

I think a combo of the options discussed might be appropriate.
An option in settings to "use system .ssh directory" which if enabled pops up a file browser and requires the user to navigate to their ssh directory and select the entire directory (we could validate the path is correct) so we can bookmark the directory.

Then, in the Tunnel setup, we would skip adding our own ssh config and known hosts file if this "use system .ssh directory" option was enabled. (the option could probably also be connection-specific)

Thoughts?

iovino commented on May 5, 2024 (3)

> I think a combo of the options discussed might be appropriate.
> An option in settings to "use system .ssh directory" which if enabled pops up a file browser and requires the user to navigate to their ssh directory and select the entire directory (we could validate the path is correct) so we can bookmark the directory.
>
> Then, in the Tunnel setup, we would skip adding our own ssh config and known hosts file if this "use system .ssh directory" option was enabled. (the option could probably also be connection-specific)
>
> Thoughts?

This is exactly what I'm hoping for. I would prefer to grant permissions to my .ssh/config file.

I'm forced to keep using Sequel Pro and deal with the tabs crashing bug until this feature becomes available. Currently, my organization requires an ssh/config entry which looks something like this.

Host company-server-prod6
  User          gandalf
  Port          22
  HostName      company-server-prod6
  ForwardAgent  yes
  IdentityFile  ~/.ssh/id_rsa_gandalf
  ProxyCommand  ssh -A -l gandalf -i ~/.ssh/id_rsa_gandalf -W %h:%p -q proxy -p22

The -q proxy part is another ssh/config entry being referenced. Hopefully this helps provide some diversity in how others are using the ssh/config.

Jason-Morcos commented on May 5, 2024 (2)

I bet we could do that, @gboudreau, but it does run sorta counter to the sandbox mentality. Requiring manual specification of keys gives us a level of separation that sandbox intends. I would rather by default stay in a tight box and let users choose to expand that box as desired, which, I believe, is the intention of sandboxing.

Jason-Morcos commented on May 5, 2024 (2)

It probably makes sense to open a new issue specifically for ScaleFT as this issue is about support for a custom SSH config file, which we do now support. Also happy to help on the Ace side in any way possible, but I don't know much about ScaleFT.

Jason-Morcos commented on May 5, 2024 (1)

> I think a global configuration file would be great. That's actually how the SSH config file works normally, filtering by host.
>
> You make a very good point about the known hosts file. Another tricky thing is, because of the Match directive, the custom known hosts file only applies when the sft resolve command ends with a successful 0 exit status. I believe that known hosts file is automatically updated by sft and should ideally not be cached.
>
> I'm starting to wonder whether such an integration is possible within an app sandbox.

I think it should be possible with bookmarks! I know @jamesstout has some experience with them in other parts of Ace already. Should be able to allow users to choose new ssh config and known hosts files in settings and keep bookmarks to them and then use these files instead of Sequel Ace's default embedded ones if specified!

Jason-Morcos commented on May 5, 2024 (1)

Due to some awesome work from @dj95, this capability has been added! Please check out the latest release and let us know if it works/doesn't. In the app's preferences, you can specify a custom ssh config file. Additionally, if your config file references other files, we can't access them due to the sandbox by default. If you need to grant Sequel Ace access to additional support files, you can do so in the Files tab of the app's preferences.

https://github.com/Sequel-Ace/Sequel-Ace/releases/tag/2.1.1-beta4

Synchro commented on May 5, 2024 (1)

Thanks for this. I added the files that it needed to access (including both my ssh config file and the id files it refers to). Initially I didn't see the config to select my ssh config file, so it was left at its internal default, but what was odd is that SA then attempted to use one of my SSH identity files as a config file, which obviously didn't work!

/usr/bin/ssh -v -N -S none -o ControlMaster=no -o ExitOnForwardFailure=yes -o ConnectTimeout=10 -o NumberOfPasswordPrompts=3 -o UserKnownHostsFile=/Users/marcus/Library/Containers/com.sequel-ace.sequel-ace/Data/.keys/ssh_known_hosts_strict -F /Users/marcus/.ssh/id_ed25519 -o TCPKeepAlive=no -o ServerAliveInterval=60 -o ServerAliveCountMax=1 

Why would it even try to do that?

Anyway, I saw the error of my ways and selected my custom config file properly, and then it worked just fine, but I thought I'd mention this as it seems like a likely failure combo.

MacTrophy commented on May 5, 2024 (1)

> I highly doubt the sandbox allows wildcarded file names. Probably always has to be full, explicit paths.
> I'm pretty sure password protected key files should work! Connections already let you specify your private key directly. Are you talking about your private key specified with the connection or one specified via a config file?

I talk about private key specified in a config file

> I think what happens with wildcards in ssh_config is the app tries to list files in a folder it doesn't have access to. The app has access to specific files, but not to the whole folder, so trying to list all the files in the folder is not working, even for the files in that folder the app has access to.

Maybe the solution to this would be to be able to give SA permission on the folder where the included file(s) are? Currently I can't seem to be able to give access to a folder.

IMO the best scenario for "SSH power users" is to be able to support all options from the standard ssh config file, including the private key. When using many ssh-enabled programs and a whole bunch of servers it's way easier to have everything in the same configuration reused by all of them. I don't mind giving permissions to SA on required folders/files to have everything centralized/standard.

I am wondering otherwise is there a way to run SA out of the sandbox, as was SequelPro, to bypass all those limitations?

Jason-Morcos commented on May 5, 2024

This seems like a great idea! One difficulty I foresee is that you have a path to a specific file to use for a known hosts file. This would require, perhaps, that we allow you to specify a custom known hosts file in addition to custom ssh config.

My gut is to add connection options to specify a path to a config file and known hosts file and then perhaps holding bookmarks to those (as opposed to copying them into the app). It would likely be simpler if these were global to the application, but we could consider making them connection-specific? Would it work for you if they were global to the application (selected in Sequel Ace Preferences)?

nilbus commented on May 5, 2024

I think a global configuration file would be great. That’s actually how the SSH config file works normally, filtering by host.

You make a very good point about the known hosts file. Another tricky thing is, because of the Match directive, the custom known hosts file only applies when the sft resolve command ends with a successful 0 exit status. I believe that known hosts file is automatically updated by sft and should ideally not be cached.

I’m starting to wonder whether such an integration is possible within an app sandbox.

nilbus commented on May 5, 2024

Nice. Keep in mind that the config references the known hosts file by its absolute path. I’m curious to know whether bookmarks would allow that, or if it would need to reference a path within the app sandbox.

nilbus commented on May 5, 2024

> An option in settings to "use system .ssh directory" which if enabled pops up a file browser and requires the user to navigate to their ssh directory and select the entire directory (we could validate the path is correct) so we can bookmark the directory.

This would be wonderful. It would also render the ability to add custom ssh config and known hosts files unnecessary. I wouldn't recommend supporting this if the former idea is feasible.

jamesstout commented on May 5, 2024

> Nice. Keep in mind that the config references the known hosts file by its absolute path. I'm curious to know whether bookmarks would allow that, or if it would need to reference a path within the app sandbox.

Can be anywhere, as long as the user selects the file/folder manually via an open panel. There may be system files you can't access though.

MacTrophy commented on May 5, 2024

Is it expected that Include directives in the ssh config file do not work in this context? My ssh configuration is split into many files so as to be able to re-use some of the same parts from different contexts, but with this build I get (I replaced the absolute path right after debug1 with a relative one)

debug1: ~/.ssh/config line 9: include ~/.ssh/hosts_* matched no files

I also tried using include directives with absolute paths without success.

Jason-Morcos commented on May 5, 2024

@MacTrophy Did you try using absolute full paths ("/Users/Jason/known_hosts") and manually granting sequel ace access to these files additionally in the "Files" tab of preferences as I mentioned above?

MacTrophy commented on May 5, 2024

> @MacTrophy Did you try using absolute full paths ("/Users/Jason/known_hosts") and manually granting sequel ace access to these files additionally in the "Files" tab of preferences as I mentioned above?

Yes I just verified that Sequel Ace has access to the included files and tried with absolute full paths in the config file and still it says it matches no files.

I also verified basic file system permissions and the included files are readable by all users/groups.

Oh, if I remove the wildcard and specify the files one by one it works. Maybe this is a hint?

Does Sequel Ace support password-protected private key files? It seems to complain about each line of my private key when I remove the wildcard.

Jason-Morcos commented on May 5, 2024

> > @MacTrophy Did you try using absolute full paths ("/Users/Jason/known_hosts") and manually granting sequel ace access to these files additionally in the "Files" tab of preferences as I mentioned above?
>
> Yes I just verified that Sequel Ace has access to the included files and tried with absolute full paths in the config file and still it says it matches no files.
>
> I also verified basic file system permissions and the included files are readable by all users/groups.
>
> Oh, if I remove the wildcard and specify the files one by one it works. Maybe this is a hint?
>
> Does Sequel Ace support password-protected private key files? It seems to complain about each line of my private key when I remove the wildcard.

I highly doubt the sandbox allows wildcarded file names. Probably always has to be full, explicit paths.
I'm pretty sure password protected key files should work! Connections already let you specify your private key directly. Are you talking about your private key specified with the connection or one specified via a config file?

gboudreau commented on May 5, 2024

> I highly doubt the sandbox allows wildcarded file names. Probably always has to be full, explicit paths.

I think what happens with wildcards in ssh_config is the app tries to list files in a folder it doesn't have access to. The app has access to specific files, but not to the whole folder, so trying to list all the files in the folder is not working, even for the files in that folder the app has access to.

gboudreau commented on May 5, 2024

> Does Sequel Ace support password-protected private key files? It seems to complain about each line of my private key when I remove the wildcard.

Yes, it does. I exclusively use encrypted SSH keys, and SA just asks you for the password to decrypt the key, and saves that password in Keychain on success.

nilbus commented on May 5, 2024

Still trying to diagnose what files I need to give access to for ScaleFT to work. Should I be able to get around this by granting Full Disk access to Sequel Ace? I had expected so, but I'm still getting Operation not permitted errors when trying to access files not explicitly bookmarked by adding them to the Accessible files list.

[image]

Is there any way I can open up full disk access? Or might we be able to get a log of files that subprocesses attempt to open but that are denied?

Jason-Morcos commented on May 5, 2024

I believe full disk access won't work (it's really not full disk access, more like partial and strange disk access).
For accessible files, every single possible file that may be used must be added in that tab. Additionally, in the current release adding a file in the accessible files tab overwrites the ssh config in the network tab, so if you add files please go back and make sure your network tab ssh config is correct (will be patched in next release and fixed in latest beta).

DanK-CS commented on May 5, 2024

Hi - Apologies for resurrecting this issue - and thanks for everyone’s help already to get this feature enabled. I wanted to cycle back to the original specific request re: using Okta ASA (or ScaleFT) with Sequel Ace. I am attempting to connect to a MySQL host via a SSH bastion host using my SSO user and key.

I am running SA v2.3.0 and I have allowed SA access to the following files via Preferences -> Files:

  • ~/.ssh/id_rsa
  • ~/.ssh/config
  • ~/Library/Application Support/ScaleFT/proxycommand_known_hosts
  • ~/Library/Application Support/ScaleFT/proxycommand_host_key

I have my ~/.ssh/config amended with the ProxyCommand as per the OP.

When connecting, the connection log shows that SA appears to run the proxy command in ~/.ssh/config successfully and then attempt to use the proxycommand_host_key (above), before then attempting ~/.ssh/id_rsa and then failing to connect with access denied.
I am able to ssh to the bastion host using sft via the terminal without issue; even specifying the proxycommand_host_key with -i. I’m wondering what I’m missing here to get SA to connect. Is proxycommand_host_key the correct key to specify in SA in this case?

nilbus commented on May 5, 2024

FWIW, I came to the conclusion that, to make sft work, there were more files needing to be accessible and poor visibility into what files those are. I gave up, but if you know how to determine all the files to expose, then that's great. I'd use strace on Linux to track these but haven't been able to get the OSX equivalent dtruss to work for me because of sandboxing constraints. 😞

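MacTrophy's wildcard Include that "matched no files", gboudreau's explanation that the sandboxed process cannot list the directory even when it may read individual files in it, and nilbus's wish for a log of which files subprocesses try to open all reduce to one question: which paths does a given ssh_config actually pull in? The script below is an added example written for this page; it is not Sequel Ace's code and was not posted by any commenter. It walks an ssh_config with plain POSIX sh and awk, expanding `~` and Include globs itself (outside the sandbox, where globbing works) and printing every referenced file so each can be added to the app's Files tab one by one. The sample `~/.ssh` layout it builds under a temporary directory is constructed for the demo.

```shell
#!/bin/sh
# Added example, not Sequel Ace's code. Enumerate every file an ssh_config
# pulls in (Include, IdentityFile, CertificateFile, UserKnownHostsFile),
# expanding "~" and Include globs the way ssh(1) does, so each one can be
# granted to a sandboxed app individually. Assumes POSIX sh and awk only.

# Print "keyword<TAB>value" for the directives that name files. Keywords are
# case-insensitive; "=" or whitespace may separate keyword and value, and an
# Include line may carry several patterns.
ssh_file_directives() {
  awk '
    /^[ \t]*(#|$)/ { next }
    {
      sub(/^[ \t]+/, "")
      n = split($0, f, /[ \t=]+/)
      kw = tolower(f[1])
      if (kw == "include" || kw == "identityfile" ||
          kw == "certificatefile" || kw == "userknownhostsfile")
        for (i = 2; i <= n; i++) if (f[i] != "") print kw "\t" f[i]
    }' "$1"
}

# list_ssh_config_files CONFIG [DEPTH]: one path per line, recursing into
# Includes. Relative Include paths are taken from ~/.ssh, as ssh(1) does for a
# user config; other relative paths are left alone. A pattern that matches
# nothing is reported on stderr (the "matched no files" case from the thread).
list_ssh_config_files() {
  [ "${2:-0}" -lt 16 ] || { echo "Include nesting too deep at $1" >&2; return 1; }
  tab=$(printf '\t')
  printf '%s\n' "$1"
  ssh_file_directives "$1" | while IFS=$tab read -r kw val; do
    case $val in
      "~")   val=$HOME ;;
      "~/"*) val=$HOME/${val#"~/"} ;;
      /*)    ;;
      *)     if [ "$kw" = include ]; then val=$HOME/.ssh/$val; fi ;;
    esac
    matched=0
    for p in $val; do                 # unquoted on purpose: shell glob
      [ -e "$p" ] || continue
      matched=1
      if [ "$kw" = include ]; then
        list_ssh_config_files "$p" $((${2:-0} + 1))
      else
        printf '%s\n' "$p"
      fi
    done
    [ "$matched" = 1 ] || echo "$1: $kw $val matched no files" >&2
  done
}

# Constructed demo layout (not a real ~/.ssh); prints the fake HOME it made.
make_demo_config() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/.ssh"
  cat > "$d/.ssh/config" <<'EOF'
# split layout like the one described in the thread
Include hosts_*
Include missing_*
Host company-server-prod6
  IdentityFile ~/.ssh/id_ed25519
EOF
  printf 'Host bastion\n  UserKnownHostsFile ~/known_hosts\n' > "$d/.ssh/hosts_a"
  printf 'Host db\n  IdentityFile = ~/.ssh/id_ed25519\n' > "$d/.ssh/hosts_b"
  : > "$d/.ssh/id_ed25519"
  : > "$d/known_hosts"
  printf '%s\n' "$d"
}

# Demo run: every printed path is one the sandboxed app would need to be
# granted; the stderr line shows which Include pattern matched nothing.
demo=$(make_demo_config)
(HOME=$demo; list_ssh_config_files "$demo/.ssh/config")
rm -rf "$demo"
```

Pipe the output through `sort -u` to get a duplicate-free allow-list. On a real machine the authoritative check is `ssh -G -F ~/.ssh/config HOST`, which prints the effective configuration for HOST after Include and Match evaluation, with `identityfile` and `userknownhostsfile` already resolved; be aware that a `Match exec` hook such as the ScaleFT `sft resolve` command is actually executed during that check. Files referenced only inside a ProxyCommand string (the `-i` key in the config posted earlier in the thread) are not parsed by either method and must be added by hand.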

Jason-Morcos commented on May 5, 2024

> Hi - Apologies for resurrecting this issue - and thanks for everyone's help already to get this feature enabled. I wanted to cycle back to the original specific request re: using Okta ASA (or ScaleFT) with Sequel Ace. I am attempting to connect to a MySQL host via a SSH bastion host using my SSO user and key.
>
> I am running SA v2.3.0 and I have allowed SA access to the following files via Preferences -> Files:
>
>   • ~/.ssh/id_rsa
>   • ~/.ssh/config
>   • ~/Library/Application Support/ScaleFT/proxycommand_known_hosts
>   • ~/Library/Application Support/ScaleFT/proxycommand_host_key
>
> I have my ~/.ssh/config amended with the ProxyCommand as per the OP.
>
> When connecting, the connection log shows that SA appears to run the proxy command in ~/.ssh/config successfully and then attempt to use the proxycommand_host_key (above), before then attempting ~/.ssh/id_rsa and then failing to connect with access denied.
> I am able to ssh to the bastion host using sft via the terminal without issue; even specifying the proxycommand_host_key with -i. I'm wondering what I'm missing here to get SA to connect. Is proxycommand_host_key the correct key to specify in SA in this case?

You could always try enabling full disk access and seeing if it works? Unfortunately, however, some things are just limited by the sandbox.

DanK-CS commented on May 5, 2024

Thanks both for clarifying. I wasn't sure if I was missing something to get this working. :)

robert-chiniquy commented on May 5, 2024

Hi @nilbus, I’m a founder/original developer of ScaleFT, I just noticed this issue and if I can help get SequelAce to work with it via proxycommand I’d be happy to. There should not be too much filesystem access required and it should be pretty simple to figure out what’s missing. Since SequelAce supports proxycommand we should be able to make this work. We can get additional debugging output from sft or customize the ssh config if that might help. Just @ me in this ticket with any questions.

Btw the OS X changes that now block dtruss have gotten me too, instruments is a pretty good tool but I wish I wasn’t forced to use it.

DanK-CS commented on May 5, 2024

Thanks @robert-chiniquy for taking a look at this! It would be great to get this functionality into Sequel-Ace 😄

nilbus commented on May 5, 2024

Thanks for the suggestion! Opened #694.
