ssh-agent Compatibility with Ruby Net::SSH Desired
I am highly interested in the new 1P8 ssh-agent functionality and I'm hoping this message is received as attempting to help make it better.
Problem:
When attempting to pass authentication from a remote host through a Forwarded Agent setup, 1P8's ssh-agent does not seem to respond to Ruby gem Net::SSH's request to negotiate a protocol version.
Configuration and Background:
* I am using keys which have been previously generated (and have been working with macOS's default ssh-agent) and imported into 1P8 beta.
* I have SSH_AUTH_SOCK configured to point to ~/.1password/agent.sock as suggested at https://developer.1password.com/docs/ssh/get-started#step-4-configure-your-ssh-or-git-client.
* Basic SSH functionality works using the 1P8 ssh-agent in combination with command-line ssh. I can do interactive and non-interactive sessions perfectly fine.
* The company I work for uses https://capistranorb.com to deploy many of its products. This tool uses Net::SSH to make the connections to remote servers and clone code using git from a remote repository (e.g. GitHub).
* The remote server used in testing is running Ubuntu 18.04 with a vanilla OpenSSH configuration as provided by the default AWS EC2 Ubuntu 18.04 AMI.
* I am running Ruby 2.7.5p203 locally with Net::SSH 6.1.0.
Example:
Given the code:
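```
#!/usr/bin/env ruby
require 'net/ssh'
require 'pp'
# Connect to the host named in ARGV[0], authenticating with the local
# ssh-agent, then run GitHub's SSH test command on that host.
Net::SSH.start(ARGV[0], ENV['USER'], verbose: Logger::DEBUG, use_agent: true) do |ssh|
  pp ssh.exec!("ssh -T git@github.com")
end
```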
An attempt to use a remote Linux host described above to authenticate to GitHub results in this abbreviated stack trace:
```
...
D, [2022-02-17T17:37:22.571198 #39032] DEBUG -- net.ssh.authentication.agent[294]: connecting to ssh-agent
D, [2022-02-17T17:37:22.571297 #39032] DEBUG -- net.ssh.authentication.agent[294]: sending agent request 1 len 46
Traceback (most recent call last):
12: from ./stub.rb:6:in `<main>'
11: from /.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/net-ssh-6.1.0/lib/net/ssh.rb:255:in `start'
10: from /.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/net-ssh-6.1.0/lib/net/ssh/authentication/session.rb:72:in `authenticate'
9: from /.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/net-ssh-6.1.0/lib/net/ssh/authentication/session.rb:72:in `each'
8: from /.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/net-ssh-6.1.0/lib/net/ssh/authentication/session.rb:86:in `block in authenticate'
7: from /.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/net-ssh-6.1.0/lib/net/ssh/authentication/methods/publickey.rb:19:in `authenticate'
6: from /.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/net-ssh-6.1.0/lib/net/ssh/authentication/key_manager.rb:113:in `each_identity'
5: from /.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/net-ssh-6.1.0/lib/net/ssh/authentication/key_manager.rb:204:in `agent'
4: from /.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/net-ssh-6.1.0/lib/net/ssh/authentication/agent.rb:68:in `connect'
3: from /.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/net-ssh-6.1.0/lib/net/ssh/authentication/agent.rb:105:in `negotiate!'
2: from /.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/net-ssh-6.1.0/lib/net/ssh/authentication/agent.rb:221:in `send_and_wait'
1: from /.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/net-ssh-6.1.0/lib/net/ssh/authentication/agent.rb:211:in `read_packet'
/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/net-ssh-6.1.0/lib/net/ssh/buffer.rb:147:in `append': can't modify frozen String: "" (FrozenError)
```
When using macOS's default ssh-agent with the code above, the relevant debug output looks as such:
```
D, [2022-02-17T17:37:13.379668 #38897] DEBUG -- net.ssh.authentication.agent[320]: sending agent request 1 len 46
D, [2022-02-17T17:37:13.379802 #38897] DEBUG -- net.ssh.authentication.agent[320]: received agent packet 5 len 1
```
This output shows that Net::SSH received a response to its inquiry from macOS's ssh-agent.
The relevant Net::SSH code is https://github.com/net-ssh/net-ssh/blob/v6.1.0/lib/net/ssh/authentication/agent.rb#L103, I believe.
I imagine this isn't exactly a Ruby, nor a Net::SSH, problem. My guess is that 1P8's ssh-agent currently lacks the ability to respond to an inquiry about what agent protocol the systems want to use. I'll apologize for my lack of knowledge in the SSH agent space to determine whether or not Net::SSH should make its inquiry optional. If I need to pursue that avenue, I can.
Thank you for taking your time to look through this report. I am very happy to be able to start moving one more of my authentication mechanisms into 1Password!
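
Added example, not part of the original post and not Net::SSH code: a minimal probe that sends one type-1 request frame to an agent socket and reports whether any reply frame comes back, which separates the "packet 5 len 1" case in the log from an agent that closes the connection or stays silent. `probe_agent`, `with_stub_agent`, the sample payload and the stand-in agent are constructed for illustration, and encoding the payload as a length-prefixed string is an assumption.

```ruby
require 'socket'
require 'timeout'
require 'tmpdir'
REQUEST_TYPE = 1          # "sending agent request 1" in the debug log
MAX_FRAME = 256 * 1024    # refuse absurd length fields instead of allocating

# Agent frames are a uint32 big-endian length, then a type byte and payload.
# Returns [:reply, type, len], [:closed], [:malformed, len] or [:timeout].
def probe_agent(path, payload, wait: 2)
  UNIXSocket.open(path) do |sock|
    # Assumption: the payload travels as a length-prefixed string.
    body = [REQUEST_TYPE, payload.bytesize].pack('CN') + payload
    sock.write([body.bytesize].pack('N') + body)
    Timeout.timeout(wait) do
      header = sock.read(4)
      return [:closed] if header.nil? || header.bytesize < 4
      len = header.unpack1('N')
      return [:malformed, len] if len.zero? || len > MAX_FRAME
      frame = sock.read(len)
      return [:closed] if frame.nil? || frame.bytesize < len
      [:reply, frame.getbyte(0), len]
    end
  end
rescue Timeout::Error
  [:timeout]
rescue Errno::ECONNRESET, Errno::EPIPE
  [:closed]
end

# Constructed stand-in agent for offline runs: accepts one connection, reads
# the request frame, writes `reply` (raw bytes, may be empty) and closes.
def with_stub_agent(reply)
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'agent.sock')
    server = UNIXServer.new(path)
    thread = Thread.new do
      client = server.accept
      client.read(client.read(4).unpack1('N'))
      client.write(reply)
      client.close
    end
    result = yield path
    thread.join
    server.close
    result
  end
end
SAMPLE = 'SSH-2.0-probe constructed-sample'.freeze
p with_stub_agent([1, 5].pack('NC')) { |s| probe_agent(s, SAMPLE) } # => [:reply, 5, 1]
p with_stub_agent('') { |s| probe_agent(s, SAMPLE) }               # => [:closed]
```

To probe a real agent, call `probe_agent(ENV['SSH_AUTH_SOCK'], SAMPLE)`; a `[:closed]` or `[:timeout]` result means no reply frame came back for the request.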
