gpg-agent with OpenSSH on Windows


Gerhard Poul
Hi,

I've recently started using a Windows notebook at work and wanted to take this as an opportunity to use gpg-agent because I'm planning to use a YubiKey as well to sign future git commits.

After reading about Microsoft's OpenSSH Port beta [1] that works from PowerShell I decided to try using it instead of PuTTY, but the ssh-add was not able to connect to gpg-agent.

To figure out why I learned more than I wanted to know, but I guess that's how one usually gets involved in projects ;-)

I opened an issue [2] and it seems that ssh-add has been adapted to use named pipes on Windows, whereas that is not the mechanism that gpg-agent currently uses.

If my understanding of what I read over the last days is correct, then gpg-agent on Windows only works with enable-putty-support, but there is currently no client that works with enable-ssh-support and the enable-ssh-support does not currently use named pipes on Windows.

Now I'd like to confirm with you whether my understanding is correct and whether there are any current plans in regards to using named pipes on Windows. If the enable-ssh-support is currently not working on Windows with any client anyway, then that could be ported to use the same mechanism that [1] uses and no functionality would be harmed.

Is there currently any ongoing work in this direction? Has something like this already been discussed?

Regards,
Gerhard

_______________________________________________
Gnupg-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: gpg-agent with OpenSSH on Windows

Werner Koch
On Thu, 20 Apr 2017 09:15, [hidden email] said:

> I opened an issue [2] and it seems that ssh-add has been adapted to use
> named pipes on Windows, whereas that is not the mechanism that gpg-agent

Arghh.  Named Pipes under Windows are very hard to use as an emulation
for local sockets.  The problem is that there is no mechanism to make
sure that they work only on the local machine.  With the right
credentials you can use them remotely - which is a bad idea to implement
a local (ie. non-remote) IPC.

Frankly, OpenSSH should not use that and resort to our or the new Cygwin
way of emulating local sockets.

On Unix we use plain local sockets.  On Windows we listen on 127.0.0.1
for a TCP connection; the port and a cookie is given in a file created
by the server and thus the connection is secured using file permissions.
Cygwin does something very similar.

PuTTY (and GnuPG's Pageant support) wraps the communication into
Windows messages.


Shalom-Salam,

   Werner


--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

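The loopback-TCP-plus-cookie scheme Werner describes above, as an added example that is not GnuPG's or libassuan's own code. It assumes the on-disk layout of libassuan's socket emulation as I understand it (decimal port, a newline, then 16 raw nonce bytes, which the client must send as its first message after connecting); the in-process thread, the `OK`/`ERR` replies and the file name are illustration only. It goes slightly beyond the mail by also showing what happens when a client presents the wrong cookie, and why binding to 127.0.0.1 rather than a named pipe keeps remote hosts out by construction.

```python
# Added example, not code from GnuPG/libassuan.  Re-creates the
# "listen on 127.0.0.1, publish port + cookie in a 0600 file" scheme.
import hmac
import os
import socket
import tempfile
import threading

NONCE_LEN = 16  # assumption: libassuan uses a 16-byte nonce


def write_socket_file(path, port, nonce):
    # The rendezvous file is the access control: whoever can read it
    # learns the cookie.  0o600 gates that on Unix; on Windows the same
    # role is played by a restrictive ACL (os.open's mode is ignored there).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(b"%d\n" % port)   # decimal port, newline ...
        f.write(nonce)            # ... then the raw nonce bytes


def read_socket_file(path):
    with open(path, "rb") as f:
        data = f.read()
    port_str, _, nonce = data.partition(b"\n")
    if len(nonce) != NONCE_LEN:
        raise ValueError("malformed socket file: bad nonce length")
    return int(port_str), nonce


def recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before sending the nonce")
        buf += chunk
    return buf


class LoopbackAgent:
    """Toy agent: loopback listener that checks the cookie on each connection."""

    def __init__(self, socket_path):
        self.nonce = os.urandom(NONCE_LEN)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Loopback only: a remote host cannot even reach the port, which is
        # the property Werner says named pipes lack.  Port 0 = ephemeral.
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        write_socket_file(socket_path, self.port, self.nonce)

    def serve_one(self):
        conn, _ = self.sock.accept()
        with conn:
            presented = recv_exact(conn, NONCE_LEN)
            # Constant-time compare so a wrong cookie leaks nothing by timing.
            if not hmac.compare_digest(presented, self.nonce):
                conn.sendall(b"ERR bad nonce\n")
                return False
            conn.sendall(b"OK\n")
            return True

    def close(self):
        self.sock.close()


def client_connect(socket_path, nonce_override=None):
    """Connect the way an ssh-add-like client would; True if the agent said OK."""
    port, nonce = read_socket_file(socket_path)
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(nonce if nonce_override is None else nonce_override)
        reply = s.recv(64)
    return reply.startswith(b"OK")


def demo(wrong_cookie=False):
    """One server/client exchange in-process; True only if both sides agreed."""
    path = os.path.join(tempfile.mkdtemp(), "S.gpg-agent.ssh")  # name is illustrative
    agent = LoopbackAgent(path)
    result = {}
    t = threading.Thread(target=lambda: result.setdefault("ok", agent.serve_one()))
    t.start()
    bad = b"\x00" * NONCE_LEN if wrong_cookie else None
    accepted = client_connect(path, nonce_override=bad)
    t.join()
    agent.close()
    return accepted and result.get("ok", False)


if __name__ == "__main__":
    print("right cookie:", demo())              # True
    print("wrong cookie:", demo(wrong_cookie=True))  # False
```

Two things carry the security here, and the example keeps them separate: the bind address limits who can reach the listener at all, and the file mode limits who can learn the nonce. A client that can connect but cannot read the file is refused, which is the check a named-pipe design would have to reproduce with ACLs and a local-only flag.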
Re: gpg-agent with OpenSSH on Windows

Gerhard Poul
On Sun, Apr 23, 2017 at 7:01 PM, Werner Koch <[hidden email]> wrote:

> On Thu, 20 Apr 2017 09:15, [hidden email] said:
>
>> I opened an issue [2] and it seems that ssh-add has been adapted to use
>> named pipes on Windows, whereas that is not the mechanism that gpg-agent
>
> Arghh.  Named Pipes under Windows are very hard to use as an emulation
> for local sockets.  The problem is that there is no mechanism to make
> sure that they work only on the local machine.  With the right
> credentials you can use them remotely - which is a bad idea to implement
> a local (ie. non-remote) IPC.

I'm not saying named pipes are the right choice, but that's what
they've currently implemented in this beta. There also seems to be
some documentation or at least newsgroup posts about how to restrict
named pipes to only be used locally, but it requires some specific
settings and I've not tested whether it works as described.

> Frankly, OpenSSH should not use that and resort to our or the new Cygwin
> way of emulating local sockets.

It might be worthwhile to wait and see whether the code is going to be
merged as-is or not before planning how to proceed.

> On Unix we use plain local sockets.  On Windows we listen on 127.0.0.1
> for a TCP connection; the port and a cookie is given in a file created
> by the server and thus the connection is secured using file permissions.
> Cygwin does something very similar.

This should work with named pipes as well.

Regards,
Gerhard
