Windows 10 1803 "Spring Update" brought OpenSSH 7.6p as a standard system utility. This includes the ssh-agent service.
Possible Solution
The agent protocol is exactly the same, but some security context or something else is blocking QLocalSocket from connecting directly to the named pipe. More work is needed.
Context
Pageant is currently the dominant agent for Windows but OpenSSH will slowly claim that space now that it comes with Windows.
So it appears the QLocalSocket approach would work just fine except the call to createWindowsDACL() tightens security too much.
Reading the OpenSSH for Windows source, it appears the service process would need at least PROCESS_QUERY_INFORMATION and PROCESS_DUP_HANDLE privileges.
The original commit that added this hardening was d0ebaff. @rockihack, do you happen to have any idea what needs to be added so that the connection to the ssh-agent service would work without compromising security? Thanks!
What did work is adding the privileges I mentioned for the LocalSystem account, which is the one running the agent. The SSHD user is not used for the agent AFAIK. Once I figure out how to expose this with the Pageant support I'm going to open a PR against 2.4.0.
Thanks for your input!
EDIT: This is the WIP commit that just switches the Pageant support for OpenSSH for Windows for now: hifi@0db5ee6
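As an added example (not code from KeePassXC or OpenSSH), this Python check reads a process DACL written as an SDDL string and reports which of the two access rights named in the thread are missing for LocalSystem (`SY`), and whether anything beyond them is granted. The SDDL strings, the user SID and the helper names are constructed for illustration; only ACEs that name the trustee directly with a hex mask are evaluated.

```python
import re

# Process access rights from the Windows SDK (winnt.h).
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
# The two rights the thread says the agent service needs on the client process.
AGENT_NEEDS = PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE

# Constructed sample data, not KeePassXC's real DACL: a made-up user SID holding
# SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE (0x101001).
USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
HARDENED = f"D:P(A;;0x101001;;;{USER})"
AMENDED = f"D:P(A;;0x101001;;;{USER})(A;;0x0440;;;SY)"

def parse_dacl(sddl):
    """Return [(ace_type, mask, trustee)] for the D: part of an SDDL string."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL ACEs found")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        # Assumption: rights are written as a hex mask, not SDDL mnemonics.
        aces.append((fields[0], int(fields[2], 16), fields[5]))
    return aces

def granted(aces, trustee):
    """Evaluate ACEs in order: the first ACE mentioning a bit decides it."""
    # Simplification: only ACEs naming the trustee itself count (no group SIDs).
    allowed = denied = 0
    for ace_type, mask, who in aces:
        if who != trustee:
            continue
        if ace_type == "A":
            allowed |= mask & ~denied
        elif ace_type == "D":
            denied |= mask & ~allowed
    return allowed

def missing_rights(sddl, trustee="SY", needed=AGENT_NEEDS):
    """Bits of `needed` that the DACL does not grant to `trustee`."""
    return needed & ~granted(parse_dacl(sddl), trustee)

def excess_rights(sddl, trustee="SY", needed=AGENT_NEEDS):
    """Bits granted to `trustee` beyond `needed` (least-privilege check)."""
    return granted(parse_dacl(sddl), trustee) & ~needed
```

`missing_rights(HARDENED)` returns `0x0440` (both rights absent), while `AMENDED` yields `0` for both checks, meaning LocalSystem gets exactly the two rights and nothing more.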