Call OpenSSH client directly instead of embedded SSH one

aeris shared this idea 7 years ago
Under Consideration

It seems MongoBooster uses a built-in SSH client.


This leads to some problems or missing features:

  • No usage of already existing ssh_config file
  • No support for bounce server
  • No support for SSH agent (for keys protected or embedded into smartcard and to avoid password storage inside mongobooster)
  • No support for custom SSH configuration/client (e.g. https://github.com/aeris/ssh-ident for identity separation)
  • No support for existing SSH multiplexing (ControlMaster)
  • More generally, no support of all built-in OpenSSH features not currently ported to MongoBooster (ECDSA/ED25519 host & client key type, CHACHA20+POLY1305 encryption, Curve25519 key exchange, SSHFP fingerprint support…)


It would be better to have an option to run the official SSH client directly (ideally from PATH lookup for ssh-ident compatibility) instead of the embedded one, to have all those features needed to access some MongoDB production servers.

Replies (3)

photo
1

Is there any progress on this? The current implementation is not really usable, as on the one hand more and more people are using more modern SSH keys (which are currently not supported by this client), and also SSH agents are not supported. That's odd. :-(

photo
1

Thank you for your feedback.

Could you list which modern SSH keys are not supported?

NoSQLBooster V7.0 uses SSH2 1.3.0. All supported keys: https://github.com/mscdex/ssh2/tree/v1.3.0#client-methods

And can you tell me which mongo GUI supports SSH agents? For reference and learning.

photo
1

Hi,

sure.


Could you list which modern SSH keys are not supported?

I have a key which is an ed25519 one, and it is rejected with the following message:

SSH Error:Cannot parse privateKey: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT","stack":"Error: Cannot parse privateKey: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT


I tested it in several ways. But it doesn't work.


With alternative applications like DataGrip 2021.3.4 it works both with the SSH agent and with the key I used with NoSQLBooster 7.0.8.


Maybe some background:

  1. OS: Windows 11 64Bit
  2. SSH Key: ed25519
  3. SSH Agent: Windows builtin Open SSH-Agent

photo
2

We have worked out a new test build to support more formats. Please download and give it a try.

http://s3.mongobooster.com/download/releasesv7/nosqlbooster4mongo-7.0.10-beta.1.exe


If it still does not work, could you please give the format of your key? PEM, OpenSSH or PuTTY?

e.g.

-----BEGIN RSA PRIVATE KEY-----

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

-----END RSA PRIVATE KEY-----

photo
1

OK, with this version it seems to work. I used a regular OpenSSH ed25519 key in PEM format. Like:

-----BEGIN OPENSSH PRIVATE KEY-----
[..]
-----END OPENSSH PRIVATE KEY-----

photo
1

Finally, support for either Pageant and/or Windows Open SSH-Agent + regular Unix-based Open SSH-Agent might be highly appreciated. 🙂

photo
1

Thx. Could you tell me what are the advantages of external SSH agents over built-in SSH agents?

photo
1

Could you tell me what are the advantages of external SSH agents over built-in SSH agents?

Sure! I believe the easiest way to answer this question is to link to 2 articles which explain this the best way; I cannot do it better:

  1. https://unix.stackexchange.com/questions/72552/whats-the-purpose-of-ssh-agent#answer-72558
  2. https://smallstep.com/blog/ssh-agent-explained/

For me personally, the following points are important:

  1. I don't have to trust another application (like NoSQLBooster) that the whole application is 100% trustworthy, because this application will never see my private key itself.
  2. I don't have to type in my passwords (of my private key) over and over again somewhere.
  3. I don't have to remember which is the right key for the target server, because I (personally) have to deal with ~14 different keys. The agent is doing that for me.
  4. Less configuration for applications, because it just works.

photo
1

My private keys are kept on hardware storage (YubiKey) and cannot be exported. I have an ssh-agent that can work with the storage but can't find how to use it with NoSQLBooster.
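
The replies above say that with an agent the application never sees the private key, and that a hardware-backed key can only be used through one. The sketch below is an added example, not part of the thread and not NoSQLBooster or ssh2 code: a minimal Node.js client for the agent's "list identities" exchange, showing that only public key blobs and comments cross the socket. All function names and the sample reply are constructed for illustration.

```javascript
// Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
const SSH_AGENTC_REQUEST_IDENTITIES = 11, SSH_AGENT_IDENTITIES_ANSWER = 12;
// SSH "string": uint32 big-endian length, then the bytes.
function sshString(data) {
  const len = Buffer.alloc(4), body = Buffer.from(data);
  len.writeUInt32BE(body.length);
  return Buffer.concat([len, body]);
}
// An agent message is an SSH string whose first byte is the message type.
const frame = (type, payload = Buffer.alloc(0)) => sshString(Buffer.concat([Buffer.from([type]), payload]));
function readString(buf, off) {
  if (off + 4 > buf.length) throw new Error('truncated length');
  const end = off + 4 + buf.readUInt32BE(off);
  if (end > buf.length) throw new Error('truncated string');
  return { value: buf.subarray(off + 4, end), next: end };
}

// Parse a framed IDENTITIES_ANSWER: only public key blobs and comments come back.
function parseIdentities(msg) {
  const body = readString(msg, 0).value, keys = [];
  if (body.length < 5 || body[0] !== SSH_AGENT_IDENTITIES_ANSWER) throw new Error('unexpected agent reply');
  for (let i = 0, off = 5; i < body.readUInt32BE(1); i++) {
    const blob = readString(body, off), comment = readString(body, blob.next);
    // A public key blob begins with its algorithm name as an SSH string.
    const type = readString(blob.value, 0).value.toString('ascii');
    keys.push({ type, comment: comment.value.toString('utf8'), blob: blob.value });
    off = comment.next;
  }
  return keys;
}

// Query a live agent; the socket path is an assumption (SSH_AUTH_SOCK on Unix).
async function listAgentKeys(path = process.env.SSH_AUTH_SOCK) {
  const net = await import('node:net');
  return new Promise((resolve, reject) => {
    let data = Buffer.alloc(0);
    const sock = net.connect(path, () => sock.write(frame(SSH_AGENTC_REQUEST_IDENTITIES)));
    sock.on('error', reject);
    sock.on('data', (chunk) => {
      data = Buffer.concat([data, chunk]);
      if (data.length < 4 || data.length < 4 + data.readUInt32BE(0)) return;
      try { sock.end(); resolve(parseIdentities(data)); } catch (e) { reject(e); }
    });
  });
}

// Constructed sample reply: one ed25519 identity with a dummy 32-byte key.
const SAMPLE_BLOB = Buffer.concat([sshString('ssh-ed25519'), sshString(Buffer.alloc(32, 7))]);
const SAMPLE_ANSWER = frame(SSH_AGENT_IDENTITIES_ANSWER, Buffer.concat([
  Buffer.from([0, 0, 0, 1]), sshString(SAMPLE_BLOB), sshString('constructed@example')]));
```

`parseIdentities(SAMPLE_ANSWER)` runs offline; `listAgentKeys()` needs a running agent and returns the same structure for its loaded keys.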
