jsch-agent-proxy's People

Contributors

ymnk

jsch-agent-proxy's Issues

Missing 0.0.9 tag

The tag for the 0.0.9 release is missing from the GitHub repository.

Publish artifacts to a maven repository

It doesn't matter where, e.g. bintray jcenter would be ok, too.
I know I can easily build the project but it would be way more convenient just to grab it from the internet.

I am trying to use this lib in a gradle build script. If the packages would be released in a maven repo, I could easily write build scripts that run everywhere. But without release in a repo, I either have to put the lib into every project that is using it :-( or my scripts will run only in specific environments (with a private repo that contains the lib).

Publish 0.0.9 including usocket_path merge?

Hi Atsuhiko, sorry to bother you with this but would it be possible to publish a new version of jsch-agent-proxy that includes a merge of the usocket_path branch?

Thank you very much!

netcat does not support -U option

OS: RHEL 7.3

I don't seem to have a 'netcat' application at all, however I do have a 'ncat' that does have a -U option. As far as I can tell, it is the same application.

Could the application try both?

[WARNING] Failed to connect to SSH-agent
com.jcraft.jsch.agentproxy.AgentProxyException: netcat does not support -U option.
	at com.jcraft.jsch.agentproxy.usocket.NCUSocketFactory.<init>(NCUSocketFactory.java:70)
	at com.github.danielflower.mavenplugins.release.SshAgentSessionFactory.createDefaultJSch(SshAgentSessionFactory.java:80)
	at org.eclipse.jgit.transport.JschConfigSessionFactory.getJSch(JschConfigSessionFactory.java:261)
	at org.eclipse.jgit.transport.JschConfigSessionFactory.createSession(JschConfigSessionFactory.java:220)
	at org.eclipse.jgit.transport.JschConfigSessionFactory.createSession(JschConfigSessionFactory.java:176)
	at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:110)
	at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:137)
	at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:264)
	at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:162)
	at org.eclipse.jgit.api.LsRemoteCommand.execute(LsRemoteCommand.java:198)
	at org.eclipse.jgit.api.LsRemoteCommand.call(LsRemoteCommand.java:159)
	at com.github.danielflower.mavenplugins.release.LocalGitRepo.allRemoteTags(LocalGitRepo.java:186)
	at com.github.danielflower.mavenplugins.release.Reactor.getRemoteBuildNumbers(Reactor.java:120)
	at com.github.danielflower.mavenplugins.release.Reactor.fromProjects(Reactor.java:46)
	at com.github.danielflower.mavenplugins.release.NextMojo.execute(NextMojo.java:37)
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:154)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:146)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194)
	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107)
	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993)
	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345)
	at org.apache.maven.cli.MavenCli.main(MavenCli.java:191)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)

java.lang.ArrayIndexOutOfBoundsException: 1024

I'm getting this error when trying to use this lib on a shared server with quite a lot of users:

java.lang.ArrayIndexOutOfBoundsException: 1024
    at com.jcraft.jsch.agentproxy.Buffer.getByte(Buffer.java:142)
    at com.jcraft.jsch.agentproxy.Buffer.getShort(Buffer.java:138)
    at com.jcraft.jsch.agentproxy.Buffer.getInt(Buffer.java:123)
    at com.jcraft.jsch.agentproxy.Buffer.getString(Buffer.java:181)
    at com.jcraft.jsch.agentproxy.AgentProxy.getIdentities(AgentProxy.java:112)
    at com.jcraft.jsch.agentproxy.RemoteIdentityRepository.getIdentities(RemoteIdentityRepository.java:47)
    at com.jcraft.jsch.UserAuthPublicKey.start(UserAuthPublicKey.java:39)
    at com.jcraft.jsch.Session.connect(Session.java:463)
    at com.jcraft.jsch.Session.connect(Session.java:183)

If this can help, in AgentProxy.getIdentities(), I get:

  • rcode=0
  • count=267
  • it crashes at i=127

The factory is NCUSocketFactory.
The version of netcat is 1.84 (on CentOS 6.X).

Not able to set SSH agent

I became aware of this project after reading this issue in Eclipse's Bugzilla: https://bugs.eclipse.org/bugs/show_bug.cgi?id=179924

First of all, thank you very much for putting so much effort into creating this, I really appreciate it.
After reading your comment (https://bugs.eclipse.org/bugs/show_bug.cgi?id=179924#c86), I tried installing it through the Eclipse "Install new software" option and chose your ssh-agent proxy. Everything went just fine, at least there was no error...
Unfortunately, I am not able to set anything under General > ... > SSH Agent, since the window doesn't offer anything to be checked.

Here is a screenshot of the installed plugin:

[image: 1]

Here is a screenshot of the SSH Agent window:

[image: 2]

I am using Eclipse Mars 4.5 on Ubuntu 15.04.
Both Eclipse and Ubuntu were restarted several times.
If you need more information, please let me know.

Please release a new version of jsch-agent-proxy-sshj

Since SSHj's group ID change, it is not possible to use jsch-agent-proxy-sshj with the latest SSHj versions (which we are looking to do in jclouds).

PR #24 has already been closed, but there is no released version of jsch-agent-proxy-sshj that includes it.

Would it be possible to create a new release? Many thanks!

AgentProxy is not thread safe

All functions in AgentProxy share an instance Buffer object, making it unsafe to access the agent, even just for query functions such as getIdentities, from multiple threads.

TrileadWithAgentProxy doesn't work

I have set up SSH login with agent proxy from my desktop (A) to host B, and from B to C.

When I type on A:
ssh -A user@addressB
and on B:
ssh -A user@addressC
it works OK: I can login to C.

Unfortunately, the TrileadWithAgentProxy example doesn't work for me. Authentication from B to C fails, because Java is trying to find a key file on B, i.e. agent forwarding is not working.

All I get is:

mvn exec:java   -Dexec.mainClass="com.jcraft.jsch.agentproxy.examples.TrileadWithAgentProxy"   -Dexec.args="user@addressB date"
[INFO] Scanning for projects...
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building examples to demonstrate how to use jsch-agent-proxy 0.0.7
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] >>> exec-maven-plugin:1.2.1:java (default-cli) @ jsch.agentproxy.examples >>>
[INFO] 
[INFO] <<< exec-maven-plugin:1.2.1:java (default-cli) @ jsch.agentproxy.examples <<<
[INFO] 
[INFO] --- exec-maven-plugin:1.2.1:java (default-cli) @ jsch.agentproxy.examples ---

By the way, on host B I set up Force Command to automatically login to C, so typing ssh -A user@addressB takes me right to the host C.

Kind regards,
Peter

Support for adding keys is missing

Would it be possible to add support for adding keys to the agent?

I believe the SSH2_AGENTC_ADD_IDENTITY protocol message would be required, but have no idea how widely supported that is outside of openssh.

How to check whether ssh-agent already contains an identity?

In issue 6 it is described how to add new identities to the ssh-agent. In case you have a protected ssh key you always need to provide the passphrase in case you add it. Therefore it would be good to only add an identity if it is not yet there. Is there a reliable method which could be used to check whether ssh-agent already contains an identity?
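
Added example (not from the issue or from jsch-agent-proxy itself): one way to answer the question above is to parse the agent's SSH2_AGENT_IDENTITIES_ANSWER reply and compare public key blobs, checking every length against the bytes remaining so that a large reply, such as the 267 identities in the ArrayIndexOutOfBoundsException report earlier on this page, is parsed or rejected cleanly. The class and method names are hypothetical, the input is assumed to be the reply payload after its uint32 frame length, and the sample reply is constructed.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.*;
public class AgentIdentityCheck {
    static final int SSH2_AGENT_IDENTITIES_ANSWER = 12;
    // SSH "string": uint32 length + bytes; the length is checked against what is left.
    static byte[] readString(ByteBuffer b) throws IOException {
        if (b.remaining() < 4) throw new IOException("truncated length field");
        int n = b.getInt();
        if (n < 0 || n > b.remaining()) throw new IOException("string length " + n + " exceeds message");
        byte[] s = new byte[n];
        b.get(s);
        return s;
    }
    // Public key blobs in an identities answer (the payload after the uint32 frame length).
    static List<byte[]> parseIdentities(byte[] payload) throws IOException {
        ByteBuffer b = ByteBuffer.wrap(payload); // big-endian by default
        if (b.remaining() < 5 || b.get() != SSH2_AGENT_IDENTITIES_ANSWER)
            throw new IOException("not an identities answer");
        int count = b.getInt(); // each identity needs at least two 4-byte length fields
        if (count < 0 || count > b.remaining() / 8) throw new IOException("implausible key count " + count);
        List<byte[]> blobs = new ArrayList<>(count);
        for (int i = 0; i < count; i++) {
            blobs.add(readString(b)); // public key blob
            readString(b);            // comment, not used for matching
        }
        return blobs;
    }
    // True if the agent already lists this public key blob.
    static boolean contains(List<byte[]> blobs, byte[] wanted) {
        return blobs.stream().anyMatch(k -> Arrays.equals(k, wanted));
    }
    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(body);
        out.writeByte(SSH2_AGENT_IDENTITIES_ANSWER);
        out.writeInt(267); // constructed reply with 267 placeholder identities
        for (int i = 0; i < 267; i++)
            for (String s : new String[] {"blob-" + i, "user" + i}) {
                byte[] raw = s.getBytes(StandardCharsets.UTF_8);
                out.writeInt(raw.length);
                out.write(raw);
            }
        List<byte[]> keys = parseIdentities(body.toByteArray());
        byte[] wanted = "blob-200".getBytes(StandardCharsets.UTF_8);
        System.out.println(keys.size() + " keys, blob-200 listed: " + contains(keys, wanted));
    }
}
```

In real use the `wanted` blob would be the base64-decoded middle field of the key's `.pub` file, compared before deciding whether to prompt for the passphrase.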

Add support for Win32-OpenSSH on Windows

Windows has its own official port of OpenSSH these days:

https://github.com/PowerShell/Win32-OpenSSH
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview

Jsch doesn't work with it, because there's no SSH_AUTH_SOCK and presumably it wouldn't work if there was.

But I think it would be relatively straightforward to support it. Instead of the socket, it maintains a named pipe at \\.pipe\openssh-ssh-agent. This seems to be a hard-coded name, and not something for which there's a runtime discovery process (beyond maybe scanning the directory for likely pipe names). Anyway, it looks like these pipes can be opened (although not created, but that's not a problem here) just via RandomAccessFile or FileChannel or, say, via Files::newByteChannel. ie: no native code required.

Using RandomAccessFile is probably simplest, I'm guessing, by way of writing a class implementing USocketFactory and its inner interface Socket to be backed by RandomAccessFile on that fixed named pipe, and the changes to ConnectorFactory to identify and return it where appropriate.

It means the USocketFactory bit is a bit misleadingly named, as we'd be implementing windows pipe access through it, but looks like that would allow the least intrusive change, by allowing it to work with the existing SSHAgentConnector.

This ought actually to be in my own capabilities, although dev on windows and maven is out of my normal bailiwick - but this issue is partly also to see if this project is alive or whether I should find another way. ;-)

CentOS 7 netcat drop-in replacement 'nmap-ncat' does not work

CentOS 7 does not have the original netcat package, instead it provides a drop-in (almost?) 'nmap-ncat' package: https://nmap.org/ncat/

This exposes a 'nc' binary, which does have the -U command. Unfortunately, it seems to expose the help message on stdout, not stderr, which is assumed in https://github.com/ymnk/jsch-agent-proxy/blob/master/jsch-agent-proxy-usocket-nc/src/main/java/com/jcraft/jsch/agentproxy/usocket/NCUSocketFactory.java#L45

ArrayIndexOutOfBoundsException handling signatures by 4096-bit keys

I have an end-user report of the following error occurring during communication between jsch and ssh-agent (the latter provided by openssh 5.9p1-5ubuntu1.1).

java.lang.ArrayIndexOutOfBoundsException
at java.lang.System.arraycopy(Native Method)
at com.jcraft.jsch.agentproxy.Buffer.putByte(Buffer.java:55)
at com.jcraft.jsch.agentproxy.Buffer.putString(Buffer.java:63)
at com.jcraft.jsch.agentproxy.Buffer.putString(Buffer.java:59)
at com.jcraft.jsch.agentproxy.AgentProxy.sign(AgentProxy.java:127)
at com.jcraft.jsch.agentproxy.RemoteIdentityRepository$1.getSignature(RemoteIdentityRepository.java:61)
at com.jcraft.jsch.UserAuthPublicKey.start(UserAuthPublicKey.java:183)
at com.jcraft.jsch.Session.connect(Session.java:442)
at com.jcraft.jsch.Session.connect(Session.java:162)
at org.apache.ivy.plugins.repository.ssh.SshCache.getSession(SshCache.java:372)

After some investigation, it appears that the user in question has a 4096-bit key; this differentiates them from the folks for whom this infrastructure is working without flaw (who are to my knowledge all using default 2048-bit keys).

Perhaps the default 20K buffer is too small?

Support adding keys to agent

The SSH implementation in macOS Sierra changed. Keys are no longer automatically added to the SSH Agent on reboot. Thus, with Sierra I have to manually run ssh-add -K <~/path/to/key> from the terminal in order to have the key added to the agent. Once done, jsch-agent-proxy is able to pick it up.

However, there is a setting to allow SSH to automatically add keys to the agent. Thus, on the terminal I don't have to call ssh-add... . I just execute git pull/push and the key is added. SSH still uses the passphrase from the keychain.

http://superuser.com/questions/325662/how-to-make-ssh-agent-automatically-add-the-key-on-demand

Can the AddKeysToAgent option somehow be supported by jsch-agent-proxy? Ideally I want a passwordless operation from within Eclipse - without running ssh-add on the terminal first.

CVE-2016-5725 on jsch.agentproxy.core-0.0.9.jar

Hello Team,

Thank you for this great project.
Just wanted to highlight a CVE found on different static analysis tools.

CVE-2016-5725

Description

Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\ (dot dot backslash) in a response to a recursive GET command.
For more information check out https://www.oracle.com/security-alerts/cpuoct2020.html

Do you mind helping fix this CVE, please?

Thank you
