RFC: Add support Passwordless SSH & PKs with passwords

[expired user #10278] posted 7 years ago in Feature discussion

Hello.

Can there be support for passwordless SSH logins with PKs? The keys can also have passwords and when this is the case HeidiSQL cannot be used with such a set up.

I don't know if there are some limitations on plink.exe's side but overall this would be a nice feature.

I am personally using HeidiSQL only on Linux and running on wine and it is awesome. Thanks for the good work - I will 'return some of that love soon'.

What do you think of such a feature? Sure I can manage this with some SSH Tunneling magic but it would be nice if Heidi supported this out of the box.

ansgar posted 7 years ago

Did you actually try that out? Or is there some technical requirement to support passwordless SSH logins which HeidiSQL does not have currently?

[expired user #10278] posted 7 years ago

Hello, yes I tried it of course. Basically an input for the key's password is missing. Sometimes the keys themselves have passwords used to unlock the key and then send it - which is my situation. The current password dialog is for the SSH pass that is to be transmitted to the server.

Only PK without a password (on the key itself) works flawlessly.

ansgar posted 7 years ago

Ok, so the key file can have a password? That's new to me. And plink.exe supports such keys?

[expired user #10278] posted 7 years ago

The passphrase is used to encrypt the key on disk, otherwise anyone who gains access to the key file can actually use the key. PuTTY does support generating PKs with passwords: the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter8.html#puttygen-passphrase. I am having a hard time finding how to unlock the key via plink.exe. It is not mentioned explicitly in the docs. Plink seems to expect that people use it interactively and should generally just prompt you for the key's passphrase. However I've done some testing and it does not...

borislav@borkata:~/Downloads/putty$ wine PLINK.EXE -ssh -t borislav@10.10.0.1 -i borislav-id_rsa
Unable to use key file "borislav-id_rsa" (OpenSSH SSH-2 private key)
Using username "borislav".
FATAL ERROR: Disconnected: No supported authentication methods available (server sent: publickey)

@ansgar sadly it seems you cannot do anything at this time.

For anyone wanting to achieve this anyway there is a workaround. You can create an SSH tunnel from a local port to the MySQL server. Then point Heidi's connection to the local port as plain TCP. It should work.

ansgar posted 7 years ago

Ok. However, thanks for the update!

[expired user #10278] posted 7 years ago

Thanks for the reactivity! :)

[expired user #9861] posted 7 years ago

@ansgar Private keys can have (and usually have) a password to protect them (it's usually called "Passphrase").

And remote systems may be set up to allow access only with private keys, without requiring a password.

For instance, here's how I've been able to connect to a remote MySQL instance in such a server:

  1. Launch plink in a cmd.exe session:
     plink.exe MyRemoteHost -ssh -N -P 22 -l MyUserName -i "private-key.ppk" -L 127.0.0.1:3307:127.0.0.1:3306 -noagent
  2. Here's the output:
     Using username "MyUserName".
     Passphrase for key "XYZ":

(where XYZ is the optional key comment saved in the private key file)

I enter the private key passphrase and I'm ready to connect to the remote MySQL instance via 127.0.0.1:3307

One important thing to be noted (for @borislavsabev) is that the private key must be in PuTTY format, not in OpenSSH format.

My private key file (in PuTTY format) is something like this:

PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: XYZ
Public-Lines: 6
...some chars...
Private-Lines: 14
...some chars...
Private-MAC: ...some chars...

whereas private keys in OpenSSH format are usually something like

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: ...some chars...

...some chars...
-----END RSA PRIVATE KEY-----

You can use PuTTYgen to convert your private key to/from putty <-> openssh format (as well as to create new private keys).
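
The two key formats contrasted in the post above can be told apart from the file's first lines, which is a quick check before handing a key to plink. This is an added example, not part of the original post or of PuTTY/HeidiSQL; the function name and the header-only samples are constructed here, and it goes beyond the post by also recognising the newer `BEGIN OPENSSH PRIVATE KEY` container.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

def classify_private_key(text):
    """Return (format, encrypted) for the text of a private key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        return ("unknown", None)
    first = lines[0]
    # PuTTY .ppk: the Encryption header is "none" for an unprotected key.
    if first.startswith("PuTTY-User-Key-File-"):
        enc = next((ln.split(":", 1)[1].strip() for ln in lines
                    if ln.startswith("Encryption:")), "none")
        return ("putty", enc != "none")
    # Newer OpenSSH container: the cipher name sits inside the base64 body.
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            body = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
            if not body.startswith(MAGIC):
                return ("openssh-new", None)
            (n,) = struct.unpack(">I", body[len(MAGIC):len(MAGIC) + 4])
            cipher = body[len(MAGIC) + 4:len(MAGIC) + 4 + n].decode("ascii")
        except (ValueError, struct.error):
            return ("openssh-new", None)  # truncated or damaged body
        return ("openssh-new", cipher != "none")
    # Legacy PEM, as quoted in the post: a Proc-Type header marks encryption.
    if first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----"):
        encrypted = first == "-----BEGIN ENCRYPTED PRIVATE KEY-----" or any(
            ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        return ("pem", encrypted)
    return ("unknown", None)

# Constructed samples (headers only, no real key material).
PPK_SAMPLE = "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\nComment: XYZ\n"
PEM_SAMPLE = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: placeholder\n"
OPENSSH_SAMPLE = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                  + base64.b64encode(MAGIC + struct.pack(">I", 10) + b"aes256-ctr").decode()
                  + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, sample in [("ppk", PPK_SAMPLE), ("pem", PEM_SAMPLE), ("openssh", OPENSSH_SAMPLE)]:
        print(name, classify_private_key(sample))
```

A result other than `putty` means the key needs converting with PuTTYgen first; `encrypted` being true means a passphrase will be required when the key is loaded.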

lgespee posted 5 years ago

If you are receiving the infamous PLink: Passphrase for key error you might want to use Pageant (an SSH authentication agent for PuTTY, PSCP, PSFTP, and Plink) as a workaround. Once started, the agent (downloadable from the PuTTY website) is accessible from the system tray. Open Pageant and add your passphrase-protected key.

Now try connecting to the database using an SSH tunnel in HeidiSQL and the key (which you unlocked in Pageant) will be used without bothering to ask you to enter the passphrase again (until you shut down Pageant obviously).
