SSH: Use OpenSSH instead of libssh2 for authentication with Git hosts
#3191
Conversation
|
|
bnjmnt4n
force-pushed
the
ssh-openssh
branch
5 times, most recently
from
2e422ea
to
4c08a85
Compare
|
Could you include a list of reasons for this switch in the PR description? Would be good for historical purposes, especially for elsewhere in Rust where people may try to make the case for switching. |
bnjmnt4n
force-pushed
the
ssh-openssh
branch
3 times, most recently
from
ebfee1a
to
3543cbd
Compare
|
Could you link said blocking PRs? |
|
@khionu updated! |
|
I'm wondering if other SSH implementations are susceptible also.
|
Not relevant to us, the exploit targeted the server-side daemon |
bnjmnt4n
force-pushed
the
ssh-openssh
branch
2 times, most recently
from
3fbe3a8
to
6152514
Compare
|
I anticipate that changing to OpenSSH will probably fix the same issue on Windows that #3554 is attempting to address. Hard to imagine it being anything other than strictly better. |
bnjmnt4n
force-pushed
the
ssh-openssh
branch
3 times, most recently
from
3a2a16a
to
bb55edf
Compare
|
The following patch fixes the Nix build for me: diff --git a/Cargo.lock b/Cargo.lock
index 4b1d4c56f8...9a1f618ca9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1846,7 +1846,6 @@
dependencies = [
"cc",
"libc",
- "libssh2-sys",
"libz-sys",
"openssl-sys",
"pkg-config",
@@ -1864,20 +1863,6 @@
]
[[package]]
-name = "libssh2-sys"
-version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2dc8a030b787e2119a731f1951d6a773e2280c660f8ec4b0f5e1505a386e71ee"
-dependencies = [
- "cc",
- "libc",
- "libz-sys",
- "openssl-sys",
- "pkg-config",
- "vcpkg",
-]
-
-[[package]]
name = "libz-sys"
version = "1.1.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
diff --git a/flake.nix b/flake.nix
index 4fba5310ff...c06feae22c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -84,7 +84,7 @@
cargoLock.lockFile = ./Cargo.lock;
cargoLock.outputHashes = {
- "git2-0.18.3" = "sha256-Kfg3xWIAarAxeIo2wL30OFni7X4Thf9EzaXbFTWsehE=";
+ "git2-0.18.3" = "sha256-3g7ajPfLfuPWh46rIa70wQRWLZ+jZXBApkyPlJULi/I=";
};
nativeBuildInputs = with pkgs; [
gzip(An ironically retro way to share the change, I realize!) |
bnjmnt4n
force-pushed
the
ssh-openssh
branch
2 times, most recently
from
223c3c0
to
ca22436
Compare
|
The CI failure for this PR seems to be the same as for #4080 (comment). |
|
Also closes #401. Looks like one of the two upstream PRs has landed and we're just waiting on rust-lang/git2-rs#1031 to finalize this? Or are there other blockers? |
One scenario I just ran into with JJ is when connections are only possible when ~/.ssh/config must be read to make a connection. With local login sessions, ssh-agent takes care of reading ~/.ssh/config and providing keys, but that is not the case in remote ssh sessions, which have env variables that point to a remote ssh-agent. For example:
Examples for scenarios where ~/.ssh/config must be read in order to establish a connection are:
|
This PR switches to OpenSSH instead of
libssh2for authentication with Git hosts. It allows configuration specified in~/.ssh/configto be read when connecting via SSH, e.g. specifying custom keys to use for different hosts, or using a different SSH agent. In general, the OpenSSH-based connection seems slightly more robust then thelibssh2version, but I think there are still some issues which do not work well (eg., it didn't work for me when I hadn't connected to the host before, and didn't display the unknown host interaction that thesshbinary does).I still need to look into whether this affects other workflows (eg. git credentials).
Marking this as a draft since this also depends on upstream PRs to land (
rust-lang/git2-rs#1032 which bumps the version of(update: landed), and rust-lang/git2-rs#1031 which buildslibgit2libgit2using OpenSSH for SSH execution), but I'm creating the PR for improved visibility.Closes #63.
If you're interested in using this, the following code can be used to build this branch locally:
Checklist
If applicable:
CHANGELOG.md