comp.security.ssh SSH secure remote login and tunneling tools.
#1
I'm currently using Cygwin's openssh implementation in Windows, with ssh-agent to cache keys. This mainly works fine, except that I also use TortoiseSVN, which uses plink, so I'm also using pageant to cache keys. I'd like to find a way to avoid caching the keys twice.

I've tried switching TortoiseSVN to use Cygwin's ssh client, but then I get irritating CMD window popups every time it runs. (They go away immediately after the query, but something like "svn log" makes two queries.) Maybe I could get rid of those windows, but then I'm not quite sure how to get the required env variables SSH_AGENT_PID and SSH_AUTH_SOCK into the Windows environment when I run ssh-agent. (I've put them in by hand for testing, but that doesn't always seem reliable. I'm guessing that TortoiseSVN is only passing along the ones it sees when it starts up.)

Another possibility might be to have Cygwin's ssh ask Pageant for the key. Is there any sort of shim available that could do this? It would look like ssh-agent to openssh, but would be able to do what plink does and ask pageant for a decrypted key.

Thanks for any advice on this...
#2
<google@murdoch-sutherland.com> wrote:
> Another possibility might be to have Cygwin's ssh ask Pageant for the
> key. Is there any sort of shim available that could do this? It would
> look like ssh-agent to openssh, but would be able to do what plink
> does and ask pageant for a decrypted key.

Minor correction: no application ever asks Pageant (or ssh-agent) for a decrypted key. If it gave out the actual keys it would be totally derelict in its duty. Its function is to keep the keys to itself but provide individual _signatures_ on demand.

But that doesn't affect your main point. A shim layer as you describe, behaving as an OpenSSH ssh-agent to ssh processes and behaving as an ssh process to Pageant, sounds like a really good idea to me. The only slight snag is that the last time we looked communication between Pageant and Cygwin processes had a strange Windows security problem, as described here:

http://www.chiark.greenend.org.uk/~s...s-pageant.html

There's a workaround described there, though, so it's probably not impossible to rig up something that does the job.

--
Simon Tatham         What do we want?      ROT13!
<anakin@pobox.com>   When do we want it?   ABJ!
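Added illustration of the point made in post #2 (not code from the thread, from PuTTY or from OpenSSH): a toy in-memory agent that uses the agent protocol's length-prefixed framing and message numbers, where the only key operations are listing the public blob and signing. HMAC-SHA256 stands in for a real public-key signature and the signature encoding is simplified; `ToyAgent` and all key values are constructed for this example.

```python
import hashlib, hmac, struct

# Message numbers of the SSH agent protocol
FAILURE, REQUEST_IDENTITIES, IDENTITIES_ANSWER = 5, 11, 12
SIGN_REQUEST, SIGN_RESPONSE = 13, 14

def ssh_string(data: bytes) -> bytes:
    """uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def frame(msg_type: int, payload: bytes = b"") -> bytes:
    return ssh_string(bytes([msg_type]) + payload)

def sign_request(key_blob: bytes, data: bytes) -> bytes:
    return frame(SIGN_REQUEST,
                 ssh_string(key_blob) + ssh_string(data) + struct.pack(">I", 0))

class ToyAgent:
    """Holds one key; answers only 'list identities' and 'sign this'."""
    def __init__(self, key_blob: bytes, secret: bytes, comment: bytes):
        self._blob, self._secret, self._comment = key_blob, secret, comment

    def handle(self, request: bytes) -> bytes:
        try:
            body, end = read_string(request, 0)
            if end != len(request) or not body:
                raise ValueError("bad framing")
            if body == bytes([REQUEST_IDENTITIES]):
                return frame(IDENTITIES_ANSWER, struct.pack(">I", 1)
                             + ssh_string(self._blob) + ssh_string(self._comment))
            if body[0] == SIGN_REQUEST:
                blob, off = read_string(body, 1)
                data, off = read_string(body, off)
                struct.unpack_from(">I", body, off)  # flags word must be present
                if hmac.compare_digest(blob, self._blob):
                    # Stand-in for a public-key signature (assumption of this example)
                    sig = hmac.new(self._secret, data, hashlib.sha256).digest()
                    return frame(SIGN_RESPONSE, ssh_string(sig))
        except (ValueError, struct.error):
            pass
        return frame(FAILURE)  # unknown type, unknown key or malformed input

# Constructed sample values, not real key material
AGENT = ToyAgent(b"toy-public-blob", b"toy-private-secret", b"demo@example")
```

A shim of the kind discussed in this thread would forward these same request and reply frames between the two agents' transports, so it never needs to see private key material either.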
#3
Simon Tatham wrote:
> <google@murdoch-sutherland.com> wrote:
> > Another possibility might be to have Cygwin's ssh ask Pageant for the
> > key. Is there any sort of shim available that could do this? It would
> > look like ssh-agent to openssh, but would be able to do what plink
> > does and ask pageant for a decrypted key.
>
> Minor correction: no application ever asks Pageant (or ssh-agent)
> for a decrypted key. If it gave out the actual keys it would be
> totally derelict in its duty. Its function is to keep the keys to
> itself but provide individual _signatures_ on demand.
>
> But that doesn't affect your main point. A shim layer as you
> describe, behaving as an OpenSSH ssh-agent to ssh processes and
> behaving as an ssh process to Pageant, sounds like a really good
> idea to me. The only slight snag is that the last time we looked
> communication between Pageant and Cygwin processes had a strange
> Windows security problem, as described here:
>
> http://www.chiark.greenend.org.uk/~s...s-pageant.html
>
> There's a workaround described there, though, so it's probably not
> impossible to rig up something that does the job.

Thanks for the encouragement. I'm not the one to do it, since I don't know the insides of either ssh-agent or Pageant, but you probably guessed that from my misunderstanding about the protocol. If there's someone else out there who wants to take this on, I'd be happy to test it :-).

Duncan Murdoch