git2r

re-use existing ssh credentials

Open cboettig opened this issue 8 years ago • 7 comments

Hey @stewid ,

I'm probably missing something obvious here; but I see that I can create a new credential with cred_ssh_key, but I cannot figure out how to just get a credential object for an existing credential. I tried hacking it with:

cred <- new("cred_ssh_key", publickey = "~/.ssh/id_rsa.pub", privatekey = "~/.ssh/id_rsa", passphrase = "XXX")

but that just gives me an error

Error in 'git2r_clone': Failed to authenticate SSH session: Unable to open public key file

It looks like that error could be due to the function not performing tilde expansion, but full paths to the ssh key just give me a different error:

Error in 'git2r_clone': Failed to authenticate SSH session: Callback returned error

and in any event I'm guessing I'm not supposed to be calling new to create my credential object. Any suggestions?

Jun 03 '17 04:06 cboettig

Hi @cboettig

It should be possible to create credentials using

cred <- cred_ssh_key(passphrase = "XXX")

The default values are publickey = "~/.ssh/id_rsa.pub" and privatekey = "~/.ssh/id_rsa". Internally, cred_ssh_key uses normalizePath for performing the tilde expansion.

cred_ssh_key <-  function (publickey = "~/.ssh/id_rsa.pub",
                           privatekey = "~/.ssh/id_rsa", 
                           passphrase = character(0))
{
    publickey = normalizePath(publickey, mustWork = TRUE)
    privatekey = normalizePath(privatekey, mustWork = TRUE)

    if (length(passphrase) == 0) {
        if (ssh_key_needs_passphrase(privatekey)) {
            if (requireNamespace("getPass", quietly = TRUE)) {
                passphrase <- getPass::getPass()
            }
        }
    }

    new("cred_ssh_key",
        publickey  = publickey,
        privatekey = privatekey,
        passphrase = passphrase)
}

Regarding the first error, do you get the expected absolute file path on your machine using?

normalizePath("~/.ssh/id_rsa.pub", mustWork = TRUE)

I'm not sure why you see the second error. Does it work if you instead add your keys to an ssh-agent? If you set the credentials argument in clone to NULL (the default) then it asks the agent for the credentials https://github.com/ropensci/git2r/blob/master/src/git2r_cred.c#L231

Jun 03 '17 13:06 stewid

@stewid thanks! Sorry for my confusion, might be good to adjust the docs on cred_ssh_key, sounded to me like it was creating a brand new key itself; I was afraid it might attempt to overwrite my existing key.

Yup, normalizePath works as expected on my machine, so I'm still at a loss with these errors.

Yes, things all work fine with ssh-agent, once set up. I'm working on a remote machine via rstudio-server, so ssh-agent is a bit more annoying than it would otherwise be; i.e. there is no obvious way to use ssh-agent from the R command line if it's not set up to run on login already, so it's hard to get the initial prompt to enter password the first time to unlock ssh-agent. I can get around this by running a git push command from the RStudio console, since it will prompt me for a password the first time and use ssh-agent, and then I'm good to go. But clearly not ideal since I cannot just log into the RStudio server and run a script with git2r that can clone a given list of private repos.

Jun 03 '17 19:06 cboettig

Thanks for your feedback, I'll clarify the documentation. I think I've had similar issues when I've used passphrase protected keys, it works when I use an ssh agent, but not otherwise. Interesting that git2r raises a different error message for relative vs absolute path. I need to find some time to look into this...

Jun 04 '17 17:06 stewid

I was involved in a thread re: the need to use an ssh agent under certain conditions. We talked about this here https://github.com/hadley/devtools/issues/642#issuecomment-139357055.

Jun 04 '17 18:06 jennybc

@stewid Thanks. Good to know it's not just me hitting issues on trying to use cred_ssh_key on password-protected credentials. @jennybc thanks for the pointer to that thread as well -- so are you generally able to use cred_ssh_key with password-protected keys; or rely on ssh-agent setup to automatically handle things?

Feels like it would be nice to have direct R bindings to ssh-agent here.

Jun 05 '17 03:06 cboettig

My recollection is that you must specify credentials as NULL, i.e. allow them to be found in the default place, in order to use ssh keys with a passphrase AND that passphrase needs to be set up with the ssh-agent.

Jun 05 '17 04:06 jennybc

@jennybc thanks for confirming, that matches what I'm seeing as well. So some solution to use password-protected credentials without ssh-agent set up (and/or ability to call ssh-agent and pass it the password directly from the R cli) would really be a nice feature to have.

Jun 05 '17 17:06 cboettig
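
The credential choice discussed in this thread, as an added example that is not part of the original issue or of git2r itself: it prefers the ssh-agent (credentials = NULL), falls back to cred_ssh_key only for a key that does not look passphrase-protected, and never puts a passphrase in the script. The helper names agent_has_identity, key_looks_encrypted, choose_credentials and clone_private are hypothetical, and stopping on an encrypted key follows the behaviour the participants report above rather than documented git2r behaviour.

```r
library(git2r)

# Hypothetical helper: TRUE if a reachable ssh-agent holds at least one identity.
# `ssh-add -l` exits 0 when identities are loaded, 1 when the agent is empty,
# and 2 when no agent can be contacted.
agent_has_identity <- function() {
    if (!nzchar(Sys.getenv("SSH_AUTH_SOCK"))) return(FALSE)
    status <- suppressWarnings(
        system2("ssh-add", "-l", stdout = FALSE, stderr = FALSE))
    identical(as.integer(status), 0L)
}

# Hypothetical helper: heuristic check for an encrypted PEM private key
# ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
# Keys in the newer OpenSSH format do not show this in their header,
# so FALSE means "not detected", not "unencrypted".
key_looks_encrypted <- function(privatekey) {
    header <- readLines(privatekey, n = 3L, warn = FALSE)
    any(grepl("ENCRYPTED", header, fixed = TRUE))
}

# Returns NULL (git2r then asks the ssh-agent) or a cred_ssh_key object.
choose_credentials <- function(publickey = "~/.ssh/id_rsa.pub",
                               privatekey = "~/.ssh/id_rsa") {
    if (agent_has_identity()) {
        return(NULL)
    }
    # Expand "~" and fail early if a key file is missing, instead of
    # hitting "Unable to open public key file" during the clone.
    publickey  <- normalizePath(publickey,  mustWork = TRUE)
    privatekey <- normalizePath(privatekey, mustWork = TRUE)
    if (key_looks_encrypted(privatekey)) {
        stop("Private key is passphrase-protected and no ssh-agent identity ",
             "is loaded; run ssh-add in a terminal first.")
    }
    cred_ssh_key(publickey = publickey, privatekey = privatekey)
}

# Clone a private repository with whichever credential path is usable.
clone_private <- function(url, local_path) {
    clone(url, local_path, credentials = choose_credentials())
}
```

Call clone_private() with the SSH URL of a private repository and a target directory; on a remote RStudio Server session the agent branch is only taken if SSH_AUTH_SOCK is visible to the R process.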