I've been twiddling around with PuTTY today. Some findings:

1. PuTTY host = session-name

Schuberth's offhand comment:

> This is the only way I use plink, I never call plink with a hostname.
> Using plink with PuTTY sessions also has the advantage that you do not
> need to have pageant running in the background, as you can directly
> specify in the session's settings which private key to use.

Made me take a second look at plink's help:

> Usage: plink [options] [EMAIL PROTECTED] [command]
> ("host" can also be a PuTTY saved session name)

Emphasis on the second line. This makes things tremendously easier for
PuTTY users, since it allows for these use-cases:

  1. Non-password protected SSH key
  2. Password protected SSH key loaded into pageant (already allowed, but
     allows for key disambiguation... more on this when I talk about Subversion)

Which basically covers the most important cases AND it works from Git
Gui. The inability for git to properly communicate with PuTTY via stdin
means that these cases don't work:

  1. Passworded SSH
  2. Password protected SSH key

Instead, plink goes into an infinite loop of incorrect passwords.

Fixing this is the long-term goal. But since no one has any idea how to
fix this, educating users about what they *can* do with pageant is a
good idea (esp. in the installer). I've gone so far as to set GIT_SSH to
plink in my environment variables.

2. ssh/ssh-agent can do other things

Stdin communication works between ssh.exe and Git, for both msysgit's
bundled version (as far as I can tell, MingW/msys), and Cygwin (the one
that comes first in my path).

The immediate implication of this is that passworded SSH works, but only
from command line, and only if GIT_SSH=ssh.exe. ssh.exe will ask you for
the password and everything is hunky-dory. Git Gui will politely hang
when you try it. Here is another possible feature, and one that can
definitely be moved upstream: having git-gui detect prompts and pass the
prompt on to the user.

If you use ssh and ssh-agent exclusively via command line, you'll find
that everything works. However, you run into a nearly insurmountable
problem if you try to set up ssh-agent outside, and use Git Gui: Git Gui
has no way of finding out what process ID ssh-agent is!
(SSH_AGENT_PID/SSH_AUTH_SOCK). Most Unix Windowing environments
integrate nicely with ssh-agent to propagate this information globally.
It would be possible for Git to do some trickery to find ssh-agent's PID
itself, but this is dirty.

3. Conclusion

* Here are the ways to go:
  - Passworded SSH login, use GIT_SSH=ssh on Git Bash
  - Unencrypted SSH key, use GIT_SSH=plink with session on Git Gui/Bash
  - Encrypted SSH key, use GIT_SSH=ssh on Git Bash. Note that the ssh.exe
    key format is different from PuTTY's format; you can use puttygen to
    convert to OpenSSH format (see Conversions > Export OpenSSH key)
  - SSH key loaded in agent, use GIT_SSH=plink with session and pageant on
    Git Gui/Bash
* If you want to use both GIT_SSH=ssh/plink, to support the full
  complement, set GIT_SSH=plink via Windows, and set GIT_SSH=ssh via the
  Git Bash login script. You will also need to maintain two separate
  copies of your private keys: one OpenSSH format, and one PuTTY format.
* Without the port patch, SSH with custom ports will not work with plink.
* My personal situation has a second complication: I use Subversion with
  a special key that loads up svnserve. If I use my regular SSH key for
  Subversion, or vice versa, things explode. Thus, I usually have this SVN
  key in pageant, but not my regular one. The way around this is to use
  PuTTY sessions.

4. The Way Forward

* Get stdin forwarding working between PuTTY and Git
* Have git-gui offer an interface for managing ssh-agent

Doing the first will make msysgit work completely with PuTTY. Doing the
second will make msysgit work completely with ssh/ssh-agent. I am
personally in favor of the former, which should prove to be a quick fix
once we figure out what's going wrong.

--
Edward Z. Yang GnuPG: 0x869C48DA
HTML Purifier <http://htmlpurifier.org> Anti-XSS Filter
[[ 3FA8 E9A9 7385 B691 A6FC B3CB A933 BE7D 869C 48DA ]]
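
Added example, not part of the original message: a Git Bash login-script fragment that sets GIT_SSH=ssh as the conclusion suggests and records ssh-agent's SSH_AUTH_SOCK/SSH_AGENT_PID in a file so that later shells reuse the same agent. The file path `~/.ssh/agent.env` and the function names are assumptions; programs started from such a shell inherit the variables.

```bash
# Added example for a Git Bash login script such as ~/.profile.
# AGENT_ENV and the function names are illustrative assumptions.
export GIT_SSH=ssh
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# True only if the file holds nothing but the two assignments that
# `ssh-agent -s` prints, so a tampered file is never sourced.
# Socket paths with characters outside the listed set are rejected.
agent_env_is_safe() {
    [ -s "$1" ] || return 1
    ! grep -Evq '^(SSH_AUTH_SOCK=[A-Za-z0-9_./-]+; export SSH_AUTH_SOCK;|SSH_AGENT_PID=[0-9]+; export SSH_AGENT_PID;)$' "$1"
}

# Import SSH_AUTH_SOCK / SSH_AGENT_PID from a validated file.
load_agent_env() {
    agent_env_is_safe "$1" && . "$1"
}

# ssh-add -l exits 0 (keys loaded) or 1 (agent up, no keys) when an agent
# answers, and 2 when none can be contacted.
agent_alive() {
    [ -n "${SSH_AUTH_SOCK-}" ] || return 1
    ssh-add -l >/dev/null 2>&1 || [ $? -eq 1 ]
}

# Reuse a running agent if possible, otherwise start one and record it.
reuse_or_start_agent() {
    agent_alive && return 0
    load_agent_env "$AGENT_ENV" && agent_alive && return 0
    ( umask 077   # the env file must be readable by the owner only
      mkdir -p "$(dirname "$AGENT_ENV")"
      ssh-agent -s | grep -v '^echo ' > "$AGENT_ENV" )
    load_agent_env "$AGENT_ENV"
}

# Only interactive shells need the agent; scripts skip this.
case $- in *i*) reuse_or_start_agent ;; esac
```

After the agent is up, `ssh-add` loads the OpenSSH-format key once and its passphrase is not asked for again in shells that source this fragment.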