Peter Stuge <[email protected]> writes:
>> - a patch which adds callback-based function for "publickey" authentication
>> (The existing file-based function is now implemented with the
>> callback-based function)
>>
>> - a sample program which demonstrates authentication using ssh-agent
>> (To play with this, add ssh2_agent.c to noinst_PROGRAMS in
>> example/simple/Makefile.am, rebuild, and run it as "ssh2_agent host user")
>
> I think that we want to have more of ssh2_agent.c within libssh2
> itself, I'm not sure about the callback approach.
Thanks for the response. Indeed I realized that the code to talk to
ssh-agent is too complicated to let users write it by themselves.
> The thing to keep in mind here is that applications should be able to
> control which keys will be tried for the auth. Servers might accept
> only 1 attempt for the pubkey auth, and if there are several keys
> available (some in file, some in agent) then it is important to be
> able to choose which one to use. I don't know exactly how to expose
> this.
>
> On one hand I want a function "do pubkey auth" which will just do the
> right thing possibly trying all keys, on the other hand I want to
> allow control over which keys will be tried, in which order.
>
>
> Also note that Pageant is the de-facto standard agent in Windows and
> it uses different IPC than the OpenSSH agent, so that needs to be
> abstracted. Ideally we would also support OpenSSH ssh-agent on
> Cygwin, which probably uses yet another form of IPC.
All of them seem to use the same command set as OpenSSH's ssh-agent,
though I need some experiment on Windows. So we would be able to share
most of the code.
How about the following API?
#include <stdio.h>
#include <libssh2.h>
#include <libssh2_agent.h>

int main(void)
{
    LIBSSH2_AGENT *agent;
    LIBSSH2_PUBLICKEY *identities;
    int nidentities, i;
    ...
    /* Connect to ssh-agent (Pageant here) */
    agent = libssh2_agent_connect_pageant(session);

    /* Request a list of identities */
    libssh2_agent_list_identities(agent, &identities, &nidentities);

    /* Try to authenticate with identities one by one */
    for (i = 0; i < nidentities; i++) {
        /* Skip identities which we don't want to use */
        if (...) {
            continue;
        }
        if (libssh2_userauth_agent(session, username, &identities[i])) {
            printf("\tAuthentication by public key %s failed!\n",
                   identities[i].comment);
        } else {
            printf("\tAuthentication by public key %s succeeded!\n",
                   identities[i].comment);
            break;
        }
    }
    ...
}
If it looks OK, I will try to implement it this weekend.
BTW, I wanted ssh-agent support for NetworkManager-openssh, which
internally uses libssh2, to be better integrated with gnome-keyring:
http://github.com/ueno/network-manager-openssh
Regards,
--
Daiki Ueno
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
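As an added example that is not part of this thread or of libssh2: a bounds-checked parser for the SSH_AGENT_IDENTITIES_ANSWER message that an OpenSSH-compatible agent returns to SSH_AGENTC_REQUEST_IDENTITIES (the shared command set mentioned above). The identity array it fills is what a selection loop like the proposed one would iterate over; the message type numbers are those of the OpenSSH agent protocol, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SSH_AGENT_IDENTITIES_ANSWER 12  /* reply to SSH_AGENTC_REQUEST_IDENTITIES (11) */

struct agent_identity {
    const unsigned char *blob, *comment;  /* public key blob and its comment */
    uint32_t blob_len, comment_len;
};

/* Bounds-checked readers for the wire format: big-endian uint32 and SSH "string". */
static int get_u32(const unsigned char *p, size_t len, size_t *off, uint32_t *v)
{
    if (len - *off < 4) return -1;
    *v = ((uint32_t)p[*off] << 24) | ((uint32_t)p[*off + 1] << 16) |
         ((uint32_t)p[*off + 2] << 8) | p[*off + 3];
    *off += 4;
    return 0;
}
static int get_string(const unsigned char *p, size_t len, size_t *off,
                      const unsigned char **s, uint32_t *slen)
{
    if (get_u32(p, len, off, slen) < 0 || *slen > len - *off) return -1;
    *s = p + *off;
    *off += *slen;
    return 0;
}

/* Parse a message body (type byte onwards, outer length prefix already stripped).
 * Returns the number of identities, or -1 if the message is malformed. */
int parse_identities_answer(const unsigned char *msg, size_t len,
                            struct agent_identity *ids, size_t max_ids)
{
    size_t off = 1;
    uint32_t nkeys, i;
    if (len < 1 || msg[0] != SSH_AGENT_IDENTITIES_ANSWER) return -1;
    if (get_u32(msg, len, &off, &nkeys) < 0 || nkeys > max_ids) return -1;
    for (i = 0; i < nkeys; i++)
        if (get_string(msg, len, &off, &ids[i].blob, &ids[i].blob_len) < 0 ||
            get_string(msg, len, &off, &ids[i].comment, &ids[i].comment_len) < 0)
            return -1;
    return off == len ? (int)nkeys : -1;  /* reject trailing bytes */
}

/* Constructed sample answer: two identities with dummy 2- and 4-byte key blobs. */
const unsigned char sample_answer[] = {
    12, 0, 0, 0, 2,
    0, 0, 0, 2, 'k', '1', 0, 0, 0, 4, 'w', 'o', 'r', 'k',
    0, 0, 0, 4, 'k', 'e', 'y', '2', 0, 0, 0, 4, 'h', 'o', 'm', 'e' };
```

A truncated reply, a key count larger than the caller's array, or trailing bytes all make the parser return -1 rather than hand back a partially filled list.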