Bug 541274

Summary: ssh: support for ssh-agent in the Apache MINA sshd client
Product: [Technology] JGit
Reporter: Thomas Wolf <twolf>
Component: JGit
Assignee: Thomas Wolf <twolf>
Status: RESOLVED FIXED
QA Contact:
Severity: enhancement
Priority: P3
CC: akarypid, akurtakov, andreas.hoehmann, carsten.pfeiffer, gunnar, konrad_w
Version: 5.2
Target Milestone: 6.0
Hardware: PC
OS: Unix All
See Also:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=541275
https://bugs.eclipse.org/bugs/show_bug.cgi?id=545684
https://bugs.eclipse.org/bugs/show_bug.cgi?id=179924
https://git.eclipse.org/r/c/jgit/jgit/+/186859
https://bugs.eclipse.org/bugs/show_bug.cgi?id=577078
Whiteboard:
Bug Depends on: 520927
Bug Blocks:

Description Thomas Wolf CLA 2018-11-17 16:35:28 EST
See also bug 179924. The main problem is that this will need native code to access a unix domain socket. Apache MINA sshd uses Tomcat APR for this.
Comment 1 Thomas Wolf CLA 2018-11-19 11:06:36 EST
See also bug 541275 for Pageant support on Windows.
Comment 2 Konrad Windszus CLA 2019-01-18 04:39:53 EST
Further references about the agent support in Mina SSHD: https://github.com/apache/mina-sshd#proxy-agent. The actual code which leverages Tomcat APR is at https://github.com/apache/mina-sshd/blob/52b8553db683514ba65a3e8b482cc1ef760091cc/sshd-core/src/main/java/org/apache/sshd/agent/unix/AgentClient.java#L62.
Comment 3 Konrad Windszus CLA 2021-03-08 04:00:09 EST
I think with Java 16 there should be SSH Agent client support possible without a native code dependency (thanks for https://openjdk.java.net/jeps/380). I opened https://issues.apache.org/jira/browse/SSHD-1139 for that.
Comment 4 Thomas Wolf CLA 2021-10-21 19:24:49 EDT
I have a prototype using JNA for this. Needs more (manual) testing, though.
Comment 5 Thomas Wolf CLA 2021-11-04 03:55:51 EDT
Basic support added in https://git.eclipse.org/r/c/jgit/jgit/+/186859.

Limitations:

* ssh config AddKeysToAgent is not supported yet.
* ssh config IdentityAgent is not supported yet.
* Agent keys are not used at all when "IdentitiesOnly yes" is set.
* No integration with native keystore (on Mac, ssh config UseKeychain)

The first three will be done properly once Apache MINA sshd 2.8.0 is released. We need upstream improvements for this.

For now, use of agent keys is suppressed with "IdentitiesOnly yes" instead of "IdentityAgent none".

Keychain integration is a long way off.
Comment 6 Konrad Windszus CLA 2022-07-08 00:31:29 EDT
Any chance for a backport to 5.13? I would like to leverage that for Maven SCM.
Comment 7 Thomas Wolf CLA 2022-07-08 01:32:22 EDT
Not from my side.

1. JGit 5.13 is in maintenance mode; it gets critical bug and performance fixes,
   but not completely new features.
2. JGit 5.13 uses Apache MINA sshd 2.7.0, which means AddKeysToAgent and
   IdentityAgent cannot be supported properly.
Comment 8 Thomas Wolf CLA 2022-07-08 01:36:13 EDT
To tie up a loose end here: OS X keychain integration is not doable. Technically it would be possible, but it'll fail on security policy grounds. See bug 577078 comment 3.