Welcome to the Git Credentials Binding plugin mentoring session. It's the 28th of May. Let's look at the topics that I think we've got to consider today. So here's what I had: username/password binding prototype on Windows, private key on Linux and Windows, and private key with passphrase. And it sounds like, Rishabh, that you may have started already on private key on Linux and Windows. Would that be an okay order, or which order would you like to discuss? Yeah, this is fine. And are there other topics you'd like to add onto the list? No, for now. First I am working on the private key and the passphrase, then I will set up the environment properly, so Windows and other platforms like CentOS, and the Git versions also I have to test, various Git versions like 1.8. So then I will continue further. But for now my focus is the private key with passphrase.

Great. And do you want to share what you've observed so far? You mentioned Bouncy Castle, and maybe you could share that and I can take some notes here, and then we can have a brief discussion. So in the Bouncy, yeah, so I was going around and looking at 1.7, let me open the Javadocs. You say you were looking at the Bouncy Castle Javadoc? Yeah, okay, I was opening it right now. So first of all, I generated the encryption key using OpenSSH. So the command was ssh-keygen, and it was generated in a new format, which was not supported by the Bouncy Castle API. So I had to convert that key to PEM format; then it was supported by the Bouncy Castle API. And after that there was a decode method, which used the private key in string format and the passphrase to decode the private key protected by the passphrase and generate a new PEM-encodable object. With that, I can take the private key from that object, write it in a binary format and provide it to the command, the Git SSH command.
So the passphrase thing was not an issue, but the new format thing was an issue for me, the format that OpenSSH generates keys in now. So did I capture that correctly? The OpenSSH format that's currently generated, and I assume this is... could you share with me which OpenSSH version you're running? Is it 8.4, 8.3? I think it's ssh -V. So on my Ubuntu it's 7.6. No, it's not working. And it's 8.4 on Debian, a pre-release of Debian 11, Bullseye. So a wide range of values there possible. Are you running CentOS? Which operating system are you running? Ubuntu. And 18 or 20? 20.04. Okay, good. Well, so let's just, I can look it up already then. So docker run, let's see, Ubuntu. And you said you're running 20.1? 0.4. 20, okay. All right. So I got it: it's 8.2p1. Okay, good. So 8.2. All right. So reasonably modern; you're not running CentOS 7, for instance, with many very old programs. Great. Okay. So the private key. Go ahead. I was just saying that I used to work on CentOS before, but the functionality right about that was very limited, so I had to shift from CentOS to Ubuntu. Okay.

Yeah, and we ultimately do have to care about CentOS, so what you've discovered for this one may also be a different thing with CentOS 7's OpenSSH support. So again, let's see if I can try that. Apparently not there either. Yeah. So CentOS 7 goes all the way back to OpenSSH 7.4. So yeah, certainly we've got a wide range of SSH versions that we need to be aware are available. So the user generates the encrypted key using the latest OpenSSH. Then what should we do then? It will not be supported by Bouncy Castle. I thought, well, is there a way in Bouncy Castle to do the conversion to PEM format? I was looking for that, but I didn't find it. Oh, okay. All right. But I have to see a little more about that. I think if I can figure it out, I will tell you on the chat. Great. Okay. All right.
So this feels like it's a very good thing for you to be investigating during this period of community bonding. Glad that you started it. That's really great. And when you did the conversion to PEM format, does OpenSSH accept PEM format? Yeah. OpenSSH, I mean, in what context? I mean, if I have done the conversion, the headers change, I mean the format changes; I don't understand how OpenSSH will accept it. Well, so if the private key we receive from the user is, let's say it's OpenSSH 8.2, in a format not supported by Bouncy Castle, then we have to find a way to convert it to PEM, to separate it out, to decrypt the passphrase-protected private key, right? Yeah. And once we've done that, then we need to create a new private key which is decrypted and pass that. And that new private key needs to be acceptable to OpenSSH, because it'll do the work. It will be the one that, when command line Git connects through the SSH protocol, it actually delegates to SSH to do the communication. I mean, I have not checked that with OpenSSH. I have converted the key using the ssh-keygen command, so it was accepted back then, but I don't know, if I'm converting the key using the Bouncy Castle API, whether it will support the OpenSSH format or not. Okay, so it needs more investigation then. Good. Okay. So the sequence might be: OpenSSH 8.2 passphrase-protected private key converted to PEM format, and PEM format decrypted. And that's a PEM format passphrase-protected private key, right? Did I understand that correctly? Okay.
And then the PEM format passphrase-protected private key decrypted to a, and I was assuming it would be PEM format, but, so to a question-mark-format private key without passphrase protection. Hmm. Yeah. Have I understood the sequence correctly? And then the private key without passphrase protection is passed to OpenSSH for use in the Git credentials binding. So does that make sense? Yeah, this is okay. Now I have reached this. Okay. So you did this step and you did this step, and, oh, you did. Okay. Great. All right. And then OpenSSH communicates to the remote Git server; let's call it this: authenticates to the remote Git server using the private key without passphrase protection. Yeah. Okay. Good. I haven't checked if we had it, and it's still just you and me. Okay. Interesting. I'm going to ask some questions. I think that Justin warned me he might not be available today. So Justin, I knew already, had something for today, and I'm not sure on Markey. So we'll just continue. Let's keep going and identify how things are going. Okay. Yeah.

Anything else that you wanted to review with regard to private key with passphrase on Linux and Windows? Okay. I think we have covered all till now. I have what else to research. I think we have covered it. Great. Congratulations, that went well, and you're doing exactly the right thing in this phase to explore and understand and be sure we identify any bumps that are likely to happen during implementation. So I assume that you've probably not tried anything on Windows yet. This is, I think, all, maybe we should put that note: this is Linux for right now, and it seems like you're investigating what I'd call the highest risk part of the entire thing. So this is a great thing for you to be investigating and exploring. Everything else can wait. This is Linux. I have not tested on Windows. Right. Right. And for me that's just fine.
I think testing on one Linux is already very good, and testing then on Windows will find a different set of, likely a different set of problems and a different set of things that we need to explore. Okay. So are there other things that you and I should discuss today? Is there anything else that you want to discuss or any questions you want to raise? There was one thing, but it is not in the priority list. So the implementation of the bindings that I'm carrying out is, I mean, these bindings are only, one second, one second. I mean, okay. So the Git environment variables such as GIT_ASKPASS or GIT_SSH are only used to perform the operations. In the previous bindings of the Credentials Binding plugin we have seen that they have a username binding and the password binding and the passphrase binding, but I am not performing that; I'm only performing the environment variable binding. And I think that is exactly correct, because we don't want the user to, so let me say it this way: the binding implementations are intentionally only using Git-specific environment variables. That avoids confusing the user by requiring them to choose correct names for those variables, right? Because if we don't use, I think it's GIT_ASKPASS, or is it GIT_SSH_ASKPASS? I don't remember. If we don't use the correct name... It is GIT_ASKPASS and GIT_SSH, then SSH_ASKPASS. So it's actually SSH_ASKPASS. Okay, yeah, and GIT_SSH and GIT_SSH_COMMAND. Then, if we don't use the correct names, the Git commands won't work, right? They expect exactly those environment variables and the files associated with them, right? Because in addition to defining the environment variables, you're also placing files on the disk that contain the specific content that we need: the username prompt, the password prompt, etc. Yeah. Okay. Yeah, so for me the fact that you're using only Git-specific
environment variables is exactly correct. We aren't trying to give them a general purpose "this is how you pass SSH configuration things to SSH"; that's not what this binding does. It's just to focus on command line Git. Yeah, but I was concerned, like in the freestyle job there is an option, parameterized expression, so in that, since I have not provided any environment variables for that purpose, I'm not sure it will work. Ah, okay, yeah, so that's a good question, and we may need to check with Justin in our next session on the parameterized expression, because I don't know how that would interact with a binding that provides no user-modifiable environment variables, right? We're not giving them a choice of what name they should use; it has to be these names. We'll control them. Yeah, okay. Yeah, so that feels like a good question. Either you could explore it if time allows, or it's worth just asking and seeing if Justin already knows the answer. Very good. Any other questions related to your binding implementations or other things? This is how much I have researched. Oh, this is great.

Okay, so let me go back over some previous notes just to be sure. We got the answer to the "what about JGit" question; you were okay with that. Okay. And you're exploring the private key now. And, oh, that's one I had an action item on, actually. Okay, so let me make some notes here: Mark to check with Justin, Rishabh and Markey to see if they should be designated as git-client plugin maintainers, at least one of them, so that they have merge permission. The idea is, so I talked with Markey about it, and he was willing, and he's got experience maintaining other Git-related plugins. I haven't checked with other plugin maintainers. And have you found anything that surprised you, where you said, oh, we shouldn't put this implementation in the git-client? It's still okay to put it in the git-client? Yeah, okay. Yeah, I think it
should be in there, because the functionality git-client provides, with the lower-level working, is good for the bindings. Great. Okay. All right. Also I was thinking, like the Bouncy Castle functionality, if we are able to crack it, then that could also be used in the git-client plugin authentication. Yes, and that matches with what Jesse Glick had suggested. He said, hey Mark, you're doing an awful lot of heroic efforts in the git-client plugin to use passphrase-protected private keys, and you could just decrypt the passphrase-protected key into a non-protected one and use it and avoid a whole lot of problems. And so you're absolutely right, that would be a bonus if we found a way to do that. That's certainly not one of the goals of the project, but that would be a real bonus, because it would make certain pieces of code in the git-client plugin much, much simpler. Yeah, good. Yes, okay. Any other questions that come to mind? No. Okay, well, so while we're here then I'm just going to take a minute, and I'm actually going to go ahead and send the mail, so that I've asked all the right people. Okay, so compose a message to, to see, to Bobby Sandal, to Bolivia and Lami, who are the others, oh, Roman, oh, Roman, Long Leon. Okay, apparently I don't have all their email addresses; I'll have to look them up separately. I'll ask the question afterwards. You don't need to wait for me while we're on this call.

Okay, any other topics? Well, there was one: I was exploring the git-client scripts for the SSH authentication, and I was a bit confused. In the script there was a keyword like DISPLAY, and 0:0; what was that? I was not sure about that. That's a fun one to share with you. So, good, let me put it this way: why is there a DISPLAY=0:0, or it's DISPLAY=:0, right? Why is there an environment variable? And the
history there is that command line SSH with a passphrase, in some Linux variants, will open the controlling terminal, let's see how it is, unless DISPLAY= is set. So what happens then is it does a blocking read waiting for human input, and so that setting of DISPLAY=0:0 is a workaround for passphrase-protected keys. It's part of the mess that we will remove if you can find a way to decrypt passphrase-protected private keys in Java code. So I did that, I mean, late at midnight I was testing the work I have done, so it was not going further; it was frozen. I mean, it could be a problem; the DISPLAY, I don't know. So let me put that again: I was working on the SSH binding and I figured out that it will work. I set the environment variable GIT_SSH and I started the build process, and it would not go further; it just froze on that. So I was confused, like it might be due to this. It could be, yes, because what happens, well, it depends. If you are using an SSH private key with a passphrase, then it may be attempting to open the terminal, and if you are running your build from a terminal window, it's actually got a controlling terminal then, and then it really can do a blocking read and it will wait for human input. And usually the way to test that is, if it seems to freeze, if it seems to pause, and you're running a command line program like Maven, press the Enter key, and that may answer the passphrase prompt. Now, it won't be a valid passphrase, but it will answer the passphrase prompt, and you get some noise from the process that says, oh no, you need to enter it again. So at least that's a, now, even that's not a guarantee, because terminals are sometimes complicated in how they connect to the keyboard and disconnect. But if it blocks, if it pauses during a build, during an operation, that
may indicate exactly this. Now, there is a command on some Linux systems, not available on BSD or macOS if I remember right, called setsid, and what that does is it causes the next program, or let's call it this way, its program argument, to be detached from any terminal. And if you were to look up the system call, it exists in BSD and in Linux and others; this is a system call, or a library call, that's used to disconnect standard in and standard out and standard error and do those kinds of things. So in this case I hope you don't have to use it, because there is code in the git-client plugin that knows how to do this setsid thing, but it's intentionally disabled because it feels non-portable, right? If it only works on Linux and not on any of the BSDs, that hints to me it's probably not the best choice of things to do. See the git-client plugin source code for references to setsid if you want, and again, this is to be avoided, so I would hope you don't have to learn anything about it. So good that you're exploring DISPLAY=, yeah, that you've seen that as well. Have you seen any other surprises like that where we should discuss further?

I mean, also one thing: do we have to use the GIT_SSH_COMMAND environment variable, or will it work with the GIT_SSH environment variable as well? Very good question. Okay, or can we limit it to GIT_SSH? And I think, if I remember correctly, GIT_SSH_COMMAND is the easier syntax, has simpler syntax, but is only available with CLI Git 2.3 and later, so not available by default on CentOS 7. Let me do a quick check to see about CentOS 8. Okay, so just one second while I do one other check. Yes, okay, so CentOS 8 has a plenty new enough Git version, so we could conceivably use GIT_SSH_COMMAND everywhere but CentOS 7, or we could check the version of command line Git. The problem with checking the version of command line Git is it requires a
call to command line Git, and I'm not sure if you want to do that in the credential binding. Right now you aren't doing any calls to external programs before entering the binding, right? There's no need for you to call separate programs; you just initialize environment variables and files. Actually, I did that. There is a method, isAtLeastVersion, in the git-client plugin, so I'm using that to check if the version is 2.3 or not. Ah, okay, all right, so you're already using isAtLeastVersion. Okay, good. All right, yeah, so then my preference is that we would use GIT_SSH_COMMAND as first choice if we've got a new enough command line Git version to do it. Now, if you find that, hey, there's not a real benefit to using GIT_SSH_COMMAND instead of GIT_SSH, that's something you could educate us on. I had understood it was simpler syntax, but because of the complexity of CentOS 7 I didn't implement anything to support the simpler syntax. Okay, good. Any other questions? That's all.

So let me make a list, so the environment variables, just to be sure that I've got it, being used and files being used, right? So we've got GIT_SSH_COMMAND and a private key file that is passed to Git in the environment variable, right? And this is, it does not, if I remember right, have a, or it even has a facility to do the passphrase, right? I don't remember. The SSH command is, or the benefit of this is that it uses the shell script. No, I mean, it runs in the shell, but GIT_SSH does not execute in the shell; it only uses a script that will perform in the shell. Ah, okay, so GIT_SSH_COMMAND is run in a shell, okay, whereas GIT_SSH is not. Yeah, it is a shell script that is invoked by CLI Git. Okay, great, excellent. So less convenient because you've got to add one more file. Yeah, okay, and it requires the shell script file and the private key file. Okay, and then there was GIT_ASKPASS, and this is a shell script invoked by CLI Git for username/password authentication. Yeah,
okay, great. And so it's any environment variable that points to a shell script. Yeah. An env var that points to a shell script. Yeah, there we go. That in turn references a private key file. Good, okay. Thanks. Any other topics that you wanted to be sure we note? Let's see, we're scheduled for our next session; our next session is next Wednesday your time, is that correct? It is, on, yeah, next Wednesday. Okay, great, so let's put that in the notes here: meeting 2021-06-02, 07:30 am IST. Okay, great, and I assume we want to talk about that private key with passphrase still, and we probably want to carry these forward so that we make sure we discuss them. Great, and that won't be my last session, because one week later I go into surgery, so we'll still have several meetings after that. Okay, Rishabh, anything else? Oh no. All right, thank you very much. I will upload, I've got the recordings of all of our sessions up to this point; I should be able to upload them later tonight or tomorrow, so that they'll be available in the playlist on the YouTube channel. Yes.