This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
Re: cygport improvements: upload, fish, src_prep_fini_hook
- From: Andrew Schulman <schulman dot andrew at epa dot gov>
- To: cygwin-apps at cygwin dot com
- Date: Fri, 19 Dec 2014 10:13:15 -0500

> Here's what I have at the moment based on your branch as of a few weeks
> ago. However, with password-protected SSH keys, the password prompt
> isn't handled properly. Any ideas?

OK, I've looked into this. It can be done, but the only solution I can see
so far is ugly. Here's the deal:

Using lftp:

There's no way to get lftp to ask for a passphrase if and only if it needs
one. I asked about this on the lftp list, and Alexander confirmed it. lftp
will either always ask for a passphrase, if the connect string looks like

    cygwin@cygwin.com

or never ask for one, if it looks like

    cygwin:@cygwin.com

So the only way to get lftp to ask for a passphrase iff it needs one is to
figure out in advance which key will be used, find out whether the key is
encrypted, and use that to pick one of the above connect strings. More
about that below.

Using sftp:

sftp seems as though it might work better, since it will prompt the user
for a passphrase if and only if it needs one to decrypt the key. But to
feed a batch script to sftp you have to use sftp -b, and unfortunately that
disables interactive prompting for the passphrase. I checked this by
running sftp -b with an encrypted key, and sure enough, it didn't prompt
for the passphrase but just reported "Connection closed".

So this all kind of sucks. The only solution I can see so far is:

(1) Run ssh -v cygwin@cygwin.com initially, and scrape stderr to find the
file name of the key that's being used. (Between ssh-agents, IdentityFile
entries in .ssh/config, and default key file names, I don't think there's
any other sane way to figure out what key file ssh will use.)

(2) Run ssh-keygen -y or similar, to figure out whether the key is
encrypted.

(3) If the key is encrypted, run

    lftp sftp://cygwin@cygwin.com

so lftp will prompt for the passphrase. If it's not encrypted, run

    lftp sftp://cygwin:@cygwin.com

and lftp won't prompt.

Is this solution acceptable? It's ugly and slow (an extra ssh connection),
but I guess it should be reliable.

Is there some better way that I'm overlooking? An expect script? That's
starting to sound like a lot of work.

Andrew
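
The three steps proposed in the message above, sketched as POSIX shell functions. This is an added example, not part of the original post or of cygport; the function names, the constructed sample log, and the `debug1:` line formats it matches are assumptions.

```shell
#!/bin/sh
# Added example, not cygport code. The "debug1:" line formats matched below
# are an assumption about OpenSSH -v output and vary between versions.

# Step 1: read `ssh -v` stderr on stdin and print the key file in use: the
# last key offered or tried before the server accepted it. Only the first
# word after "key: " is kept, so paths containing spaces are not handled.
key_from_ssh_debug() {
    awk '/^debug1: (Offering|Trying)/ && /key: / {
             sub(/^.*key: /, ""); split($0, f, " "); last = f[1]; next }
         /^debug1: (Server accepts key|Authentication succeeded \(publickey\))/ {
             if (last != "") { print last; found = 1; exit } }
         END { exit !found }'
}

# Step 2: exit 0 if the private key file needs a passphrase. The empty -P
# passphrase makes ssh-keygen fail on an encrypted key instead of prompting.
# An unreadable path counts as "not encrypted" here.
key_is_encrypted() {
    [ -r "$1" ] && ! ssh-keygen -y -P '' -f "$1" </dev/null >/dev/null 2>&1
}

# Step 3: print the lftp URL. "yes" keeps lftp's passphrase prompt; anything
# else adds the empty password ("user:@host") so lftp never prompts.
lftp_url() {  # usage: lftp_url USER HOST yes|no
    if [ "$3" = yes ]; then printf 'sftp://%s@%s\n' "$1" "$2"
    else printf 'sftp://%s:@%s\n' "$1" "$2"; fi
}

# Steps 1-3 together (one extra ssh connection). BatchMode=yes keeps ssh from
# prompting during the probe; the remote command and ssh's exit status are
# ignored, only the debug output matters.
pick_lftp_url() {  # usage: pick_lftp_url USER HOST
    key=$(ssh -v -o BatchMode=yes "$1@$2" true 2>&1 >/dev/null |
          key_from_ssh_debug) || return 1
    if key_is_encrypted "$key"; then lftp_url "$1" "$2" yes
    else lftp_url "$1" "$2" no; fi
}

# Constructed sample of `ssh -v` stderr: first key rejected, second accepted.
SAMPLE_LOG='debug1: Offering DSA public key: /home/user/.ssh/id_dsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279'
```

Calling `lftp "$(pick_lftp_url cygwin cygwin.com)"` would then open the session with the connect string chosen for the key in use.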