ssh client integration via paramiko

[totaam]

Rather than calling putty plink or ssh, we could rely on paramiko which would give us tighter integration with the ssh authentication, allowing us to do things like:

• prompt for passphrase or password (see Authorization Prompts #1645)
• prompt for host keys
• give better error messages
  etc

This may help with #1421: Xpra-Launcher closes silently after clicking connect - missing feedback until application shows up

[totaam]

see also ssh plink fix: r19411

[totaam]

Initial support for paramiko ssh added in r19933. It works pretty well and allows us to see meaningful debug messages with -d ssh.
It doesn't ask for password or key passphrases yet and it isn't the default (requires --ssh=paramiko), but individual authentication mechanisms can be turned off for testing, ie:

XPRA_SSH_AGENT_AUTH=0 xpra attach ssh://username:password@127.0.0.1/ -d ssh --ssh=ssh

Still TODO:

• we need to either poll + wait for the "run-xpra" command to see if it runs (and risk running it multiple times if it fails) or duplicate the ugly if+else code used by plain ssh, yuk
• read from stderr and do something with it - maybe just log it
• socket info assumes we have a real socket (we do, but it's hidden), override the info method for ssh transport
• GUI for passphrase / password, accepting new / changed host keys (hard because this code runs before the main loop - we may need to exec a utility)
• disable those prompts when running embedded without a display (ie: proxy backend connections)
• make it the default, show the alternative in the config file
• add to macos jhbuild, msys2 installation - deal with py2app and cx_freeze bundling
• add deb and rpm dependencies

[totaam]

See #1892 comment 13 : we should aim to support more login shells than the current ssh / plink solution.

[totaam]

r19937:

• checks each remote-xpra option
• reads stderr
• fixes socket info

[totaam]

Updates:

• r19938 adds the tty prompts for password and key passphrases.
• r19941: GUI for confirming host keys
• r19943: GUI for password and key passphrase input
• r19945: use "auto" for ssh option, default to paramiko if it is installed - DEB and RPM dependency added (but not for centos7 as this would require EPEL)
• r19946: better window-size tuning and env vars to configure (window-size, timeout)
• wiki updates: [SSH], [Network](../wiki/SSH], [../wiki/Network), [SSH], [Network](../wiki/SSH], [../wiki/Network), etc
• r19950: moved code to a submodule
• SSH server support #1920 builtin SSH server support
• r19960 + r19961 macos jhbuild paramiko module

Still TODO:

• unit tests
• maybe the GUI should be fullscreen? grab keyboard / mouse?
• win32 and macos packaging
• find a way to make paramiko use the same host keys as openssh, to avoid host key warnings for known hosts when switching over to paramiko

[totaam]

platform and compatibility woes:

• r19964 + r19969 + r19971: disable gssapi whilst we import paramiko
• r19972: add paramiko to win32 setup - does not build with python 3.x: Failing to install on Windows MinGW, Document Compiling On Windows, Gettting 'Exception: ERROR: The 'make' utility is missing from PATH' error while installing pynacl in python 3.7.

[totaam]

Workaround for installing pynacl on win32:

pacman -S mingw-w64-i686-libsodium
export SODIUM_INSTALL=system
easy_install-3.7 -U -Z pynacl

Applied to setup files in r20009.

[totaam]

Updates:

• r20008: use ssh logger for ssh initialization errors
• r20009: build pynacl against the system libsodium library
• r20011: tell cx_freeze that we need pynacl bundled
• r20040 + r20041: support code for openssh's ssh.exe binary with --ssh=ssh on ms windows (does not work - refuses to read or write from our pipes it seems), including the ssh-pageant-git would allow it to talk to putty's pagent key agent too

[totaam]

Minor updates:

• r20137 default to paramiko on macos
• r20135 better debug output

This ticket should solve non-bash login shell issues, see #1892#comment:16. Note: paramiko is not the default on win32 because plink already provides a GUI there, might as well stick to it, for now anyway.

For server SSH support see #1920, follow up ticket: #1937

@maxmylyn: we now provide a much better UI for SSH connections on macos and Linux (use --ssh="ssh -x" to revert to running openssh in a subprocess), the same UI can be enabled on win32 with --ssh=paramiko.

[totaam]

2018-08-24 23:41:35: maxmylyn commented

---

Played around with this for a while today as well and everything seems to be behaving nicely - checked with both Fedora and MacOS.

Noted and closing.

[totaam]

See also: #1937, #2097, #2448, #2549