Dialog for verifying the host key over SSH

Krotki posted 7 months ago in Feature discussion
I think it would be useful to create a dialog for verifying ssh host.

Right now if host key is not present in local cache, SSH connection will fail silently. I think HeidiSQL uses plink -batch option for that.

It would be cool if HeidiSQL could parse warning and show dialog what to do.

I'm using HeidiSQL on Linux and every time I'm connecting to a new host I need to remember to connect to my server using plink over Wine first. This is a bit annoying.
ansgar posted 7 months ago
Yes, this is issue #2902. Only that's a horrifying issue to solve. But yes, this is surely a problem.
ansgar posted 7 months ago
Please test r4736 - works here without getting the "accept key" dialog. But not yet tested on Wine.
ansgar posted 7 months ago
Ah, the -batch option in plink does not provide a way to silence the "accept key" dialog, it just does not ask and fails if you don't have accepted the key yet.
jfalch posted 7 months ago
does NOT work on my XP SP3 - with a session of type 'ssh tunnel', always shows an alert:
PLink exited unexpected. Command line was: /C echo y|"C:\Programme\Remote\PuTTy\plink.exe" -ssh falch@bsi-netz.de -N -L 3307:127.0.0.1:3306
and does not connect.
NB: a) the server's key is already cached in registry;
b) I'm using an alternate command processor (tcc.exe from JPSoft.com), and %COMSPEC% is correctly set to point to it.
jfalch posted 7 months ago
NB executing
%COMSPEC% /C echo y|"C:\Programme\Remote\PuTTy\plink.exe" -ssh falch@bsi-netz.de -N -L 3307:127.0.0.1:3306
will invoke plink Ok, show Using username ... and builds the tunnel.
ansgar posted 7 months ago
r4738 now uses the path of your COMSPEC environment variable. Please try again.
jfalch posted 7 months ago
error message prefix has changed: now it's
could not execute PLink:
/C ...

otherwise unchanged, sorry.
jfalch posted 7 months ago
PS: could you not check for the existence of a cached host key fingerprint, and use the "%COMSPEC% /C echo y|" method only if there is none for the current host ? They live in the registry at HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys.
ansgar posted 7 months ago
You mean, that "echo y | plink ..." interrupts plink.exe in some way? But why does that then work here with an uncached and a cached key?
jfalch posted 7 months ago
"echo y|plink ..." does indeed completely interrupt plink.exe insofar as it is not executed -> no connect.
The new message prefix "Could not execute PLink:" seems to indicate to me a failure in CreateProcess (or whatever you are using).

"why does that then work here" ? Sorry, I have no idea. I only can assume that it might be related to my command processor tcc, which in around 10 years has to be proven to be otherwise completely compatible with cmd.exe, including calls from CreateProcess().
Possibly the "execute PLink" error code might help...
ansgar posted 7 months ago
I fear I have to parse stdout and stderror, and send input to stdin for the plink process. If only that was better documented. It's quite complicated and such code looks very old-style, pointers left and right.
jfalch posted 7 months ago
That's quite tough, I agree. I think I remember a JEDI component that does this; unfortunately, I do not have access to my development environment before Friday...
Krotki posted 7 months ago
I think accepting all hosts is not a good idea. You are vulnerable to a man-in-the-middle attack.

I think to do this properly you need to choose one of:

1. In 'createprocess' pipe to stdin, stdout, stderr and parse what's there - if warning present, show dialog to user with options to accept or deny host. I saw a few examples for that in Delphi, I can post them later here.

2. Use some library for creating ssh connection, which will give you more options for error handling and configuration. This would potentially be a big task but maybe it's a good idea to get rid of plink dependency anyway.
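
Option 1 from the post above, sketched as an added example (not code from HeidiSQL or from any poster): the wrapper reads plink's output and, once a complete host key prompt has arrived, answers from the user's decision instead of a piped `y`. The prompt texts are constructed samples modelled on plink's wording, and `reply_for` and `confirm` are hypothetical names; plink has to run without `-batch` for the prompt to appear.

```python
import re

# Constructed samples modelled on the wording of plink's host key prompts.
# Key type, size and fingerprints are made up for this example.
UNKNOWN_KEY = (
    "The server's host key is not cached in the registry. You\n"
    "have no guarantee that the server is the computer you\n"
    "think it is.\n"
    "The server's rsa2 key fingerprint is:\n"
    "ssh-rsa 2048 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99\n"
    "Store key in cache? (y/n) "
)
CHANGED_KEY = (
    "WARNING - POTENTIAL SECURITY BREACH!\n"
    "The server's host key does not match the one PuTTY has\n"
    "cached in the registry.\n"
    "The new rsa2 key fingerprint is:\n"
    "ssh-rsa 2048 99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa\n"
    "Update cached key? (y/n, Return cancels connection) "
)

# "<algorithm> <bits> <fingerprint>" line, e.g. "ssh-rsa 2048 aa:bb:..."
FINGERPRINT_LINE = re.compile(r"^(ssh-\S+|ecdsa-\S+) (\d+) (\S+)\s*$", re.MULTILINE)
# The question the prompt ends with, e.g. "Store key in cache? (y/n) "
PROMPT_END = re.compile(r"\? \(y/n[^)]*\)\s*$")

ABANDON = "\n"  # bare Return: plink drops the connection
ACCEPT = "y\n"  # store the key in the cache and carry on

def reply_for(output, confirm):
    """Decide what to write to plink's stdin for the output read so far.

    Returns None while no complete host key prompt has arrived, so the
    caller keeps reading. `confirm` stands in for the dialog: it receives
    (algorithm, bits, fingerprint) and returns True only if the user
    accepts that key.
    """
    if not PROMPT_END.search(output):
        return None
    if "does not match" in output:
        return ABANDON  # cached key changed: never answer this one automatically
    match = FINGERPRINT_LINE.search(output)
    if match is None:
        return ABANDON  # prompt without a readable fingerprint: fail closed
    algorithm, bits, fingerprint = match.groups()
    return ACCEPT if confirm(algorithm, int(bits), fingerprint) else ABANDON
```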
ansgar posted 7 months ago
Your second idea is not new, I also thought about including some SSH library to build into Heidi. But I could not find a single one which is compatible to the GPL library. All of those I found were commercial. So I'll stick to plink.exe for now. Which is not the worst idea, as plink/putty is very popular in the world of free software. Parsing input and sending output of/to a process could only be better documented. Feel free to send code snippets here.
Krotki posted 7 months ago
For 1.: http://forum.codecall.net/topic/72472-execute-a-console-program-and-capture-its-output/
Here the author is waiting for the process to finish; instead we should:
do {
sleep for some time

}
Krotki posted 7 months ago
Ignore prev post ...

For 1.: http://forum.codecall.net/topic/72472-execute-a-console-program-and-capture-its-output/
Here the author is waiting for the process to finish; instead we should:
do {
sleep for some time
check if there is some more data in stdout, copy it to local buffer
split buffer by new lines
} while (lastChar is not ')' or '>')

or something similar :)

For 2. I found http://wiki.freepascal.org/Synapse#SSH.2FTelnet_client_sample_program
I'm not sure about licenses tho. And for a quick fix the first approach seems to be easier.
Krotki posted 7 months ago
I could try to implement this later but I need to get my hands on a legit Delphi copy. Probably I could download a trial from somewhere. I haven't coded in Pascal for ages but it can be fun :)
ansgar posted 7 months ago
I have checked at least 4 example snippets from some forum and stackoverflow, and none of them worked here. Always access violations or empty output or whatever.

What about using CreateProcess() to run plink.exe in a visible console window? Heidi would still be able to control (exit) the process, only the wait timeout is difficult, as I would not know whether plink is waiting for a server response or waits for user input ("store key in cache? (y/n)"). If it runs into a network timeout after 30 seconds there is surely an exitcode I can parse, but what about the point where the user has hit "y"?
ansgar posted 7 months ago
I have found a very promising unit which does all the process stuff, including a confirmation dialog for the "store in cache" question: http://www.delphipraxis.net/70989-komponente-fuer-ssh-verbindung-6.html
ansgar posted 7 months ago
Krotki posted 7 months ago
Yeah, this is exactly what I meant :)

I downloaded the Delphi trial, but installation takes ages ...
I got several warnings about the unit - I don't know how to resolve those, but since you already fixed the issue I'm not going to investigate it further.
ansgar posted 7 months ago
I have not yet committed, and I'm not yet happy with the code. But I am on the way to adapt that from different code examples into Heidi's connection layer.
