Merge pull request #1428 from smallstep/herman/ssh-agent-config-file

Enable alternate SSH agents for `step ssh` on Windows

Author: hslatman

internal/sshutil/agent_windows.go

@@ -2,6 +2,7 @@ package sshutil
 
 import (
 	"context"
+	"fmt"
 	"net"
 	"os"
 
@@ -26,19 +27,21 @@ func dialAgent() (*Agent, error) {
 		// Connect to Windows pipe at the supplied address
 		conn, err := winio.DialPipeContext(context.Background(), socket)
 		if err != nil {
-			return nil, errors.Wrap(err, "error connecting with ssh-agent at pipe specified by environment variable SSH_AUTH_SOCK")
+			return nil, errors.Wrap(err, fmt.Sprintf("failed to connect to SSH agent at SSH_AUTH_SOCK=%s", socket))
 		}
+
 		return &Agent{
 			ExtendedAgent: agent.NewClient(conn),
 			Conn:          conn,
 		}, nil
 	}
 
-	// DEFAULT: Windows OpenSSH agent
-	conn, err := winio.DialPipeContext(context.Background(), `\\.\\pipe\\openssh-ssh-agent`)
+	pipeName := determineWindowsPipeName()
+	conn, err := winio.DialPipeContext(context.Background(), pipeName)
 	if err != nil {
 		return nil, errors.Wrap(err, "error connecting with ssh-agent")
 	}
+
 	return &Agent{
 		ExtendedAgent: agent.NewClient(conn),
 		Conn:          conn,

internal/sshutil/pipe.go

@@ -0,0 +1,46 @@
+package sshutil
+
+import (
+	"bufio"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+)
+
+const (
+	// defaultPipeName is the default Windows OpenSSH agent pipe
+	defaultPipeName = `\\.\\pipe\\openssh-ssh-agent`
+)
+
+func determineWindowsPipeName() string {
+	homePath := os.Getenv("HOMEPATH") // TODO(hs): add default if not set?
+	sshAgentConfigFile := filepath.Join(homePath, ".ssh", "config")
+
+	if pipeName := readWindowsPipeNameFrom(sshAgentConfigFile); pipeName != "" {
+		return pipeName
+	}
+
+	return defaultPipeName
+}
+
+var (
+	re  = regexp.MustCompile(`/`)
+	re2 = regexp.MustCompile(`[\s\"]*`)
+)
+
+func readWindowsPipeNameFrom(configFile string) (pipeName string) {
+	file, err := os.Open(configFile)
+	if err == nil {
+		sc := bufio.NewScanner(file)
+		for sc.Scan() {
+			line := sc.Text()
+			if len(line) > 15 && strings.HasPrefix(line, "IdentityAgent") {
+				pipeName = re2.ReplaceAllString(re.ReplaceAllString(line[14:], "\\"), "")
+				break
+			}
+		}
+	}
+
+	return
+}

internal/sshutil/pipe_test.go

@@ -0,0 +1,68 @@
+package sshutil
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDeterminesWindowsPipeName(t *testing.T) {
+	t.Run("default", func(t *testing.T) {
+		assert.Equal(t, `\\.\\pipe\\openssh-ssh-agent`, determineWindowsPipeName())
+	})
+
+	t.Run("valid-config-file", func(t *testing.T) {
+		dir := t.TempDir()
+		file := filepath.Join(dir, ".ssh", "config")
+
+		t.Setenv("HOMEPATH", dir)
+		err := os.Mkdir(filepath.Join(dir, ".ssh"), 0777)
+		require.NoError(t, err)
+		err = os.WriteFile(file, []byte(`IdentityAgent \\.\\pipe\\pageant.user.abcd`), 0600)
+		require.NoError(t, err)
+
+		assert.Equal(t, `\\.\\pipe\\pageant.user.abcd`, determineWindowsPipeName())
+	})
+
+	t.Run("invalid-config-file", func(t *testing.T) {
+		dir := t.TempDir()
+		file := filepath.Join(dir, ".ssh", "config")
+
+		t.Setenv("HOMEPATH", dir)
+		err := os.Mkdir(filepath.Join(dir, ".ssh"), 0777)
+		require.NoError(t, err)
+		err = os.WriteFile(file, []byte(`NoIdentityAgent \\.\\pipe\\pageant.user.abcd`), 0600)
+		require.NoError(t, err)
+
+		assert.Equal(t, `\\.\\pipe\\openssh-ssh-agent`, determineWindowsPipeName())
+	})
+}
+
+func TestReadsWindowsPipeNameFromFile(t *testing.T) {
+	t.Run("empty-path", func(t *testing.T) {
+		assert.Equal(t, ``, readWindowsPipeNameFrom(""))
+	})
+
+	t.Run("valid-config-file", func(t *testing.T) {
+		dir := t.TempDir()
+		file := filepath.Join(dir, "config")
+
+		err := os.WriteFile(file, []byte(`IdentityAgent \\.\\pipe\\pageant.user.abcd`), 0600)
+		require.NoError(t, err)
+
+		assert.Equal(t, `\\.\\pipe\\pageant.user.abcd`, readWindowsPipeNameFrom(file))
+	})
+
+	t.Run("invalid-config-file", func(t *testing.T) {
+		dir := t.TempDir()
+		file := filepath.Join(dir, "config")
+
+		err := os.WriteFile(file, []byte(`NoIdentityAgent \\.\\pipe\\pageant.user.abcd`), 0600)
+		require.NoError(t, err)
+
+		assert.Equal(t, ``, readWindowsPipeNameFrom(file))
+	})
+}