Bug #109703 Shell not obeying IdentityAgent config in .ssh/config file
Submitted: 19 Jan 2023 12:56
Modified: 7 Feb 2023 12:48
Reporter: Jay Janssen
Status: Verified
Category: Shell General / Core Client
Severity: S3 (Non-critical)
Version: 8.0.31
OS: MacOS
Assigned to:
CPU Architecture: ARM

[19 Jan 2023 12:56] Jay Janssen
I am using mysql-shell from my work laptop to connect to databases over an ssh tunnel.  

My company has a custom SSH agent.  I have discovered with some effort that mysql shell does not obey an "IdentityAgent" directive to specify the unix socket for that agent in my .ssh/config file.  Specifically, mysql shell will prompt me for a "Passphrase:" for my ssh tunnel host, but if I ssh directly to that host I get no such prompt.

MySQL shell DOES obey if I specify the same socket path using an SSH_AUTH_SOCK environment variable with the same socket path that I'm using for the IdentityAgent config.  If this is set properly, I no longer get the "Passphrase:" prompt and my connection succeeds.  

How to repeat:
1. Have an SSH host you can use for tunneling in mysql shell.  It should use an ssh key with a passphrase attached.
2. Ensure the socket path to your ssh agent is in an `IdentityAgent` line in an appropriate place in your .ssh/config
3. Ensure SSH_AUTH_SOCK is unset in your environment (`unset SSH_AUTH_SOCK`)
4. Attempt to use the SSH host via `shell.connect({ssh:"ssh hostname",...`
5. Get a passphrase prompt

Suggested fix:
I know you are using libssh.  Possibly there is an updated version there or the bug can be passed upstream.
[6 Feb 2023 21:09] MySQL Verification Team

I'm not sure if I should leave this as "unsupported" as that's the real status of this bug or "verified". The "upstream" - you can report that bug to libssh but afaik it already exists (could not find it now but I'm pretty sure I've seen it).

Thank you for the report
[7 Feb 2023 12:48] Jay Janssen
My take is this:  I am not using libssh, I am using mysqlsh and this is my issue.  For all I know you already may be planning an alternative to libssh.  I think it'd be much more appropriate if Oracle staff raised the issue with the libssh developers if you feel that's where the problem lies.
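
The workaround the report describes (setting SSH_AUTH_SOCK to the same socket named by IdentityAgent) can be scripted so the socket path lives only in .ssh/config. The following is an added example, not part of the bug report or of MySQL Shell; the function names are hypothetical, and it assumes an OpenSSH client whose `ssh -G` output includes the `identityagent` value with any `%` tokens already expanded.

```shell
#!/bin/sh
# Added example: derive SSH_AUTH_SOCK from the IdentityAgent that OpenSSH
# resolves for a host, for clients that only honour the environment variable.

# Read `ssh -G <host>` style output on stdin and print the agent socket path.
# Returns 1 and prints nothing when no usable IdentityAgent is present.
agent_sock_from_config() {
    # ssh -G prints one "keyword value" pair per line; take the first match.
    val=$(awk 'tolower($1) == "identityagent" { sub(/^[^ \t]+[ \t]+/, ""); print; exit }')
    case "$val" in
        ''|none)                       # not configured, or agent use disabled
            return 1 ;;
        SSH_AUTH_SOCK)                 # config explicitly defers to the environment
            [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
            printf '%s\n' "$SSH_AUTH_SOCK" ;;
        '$'*)                          # "$NAME": socket path is held in variable NAME
            name=${val#?}
            # Only a plain variable name ever reaches eval.
            case "$name" in ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;; esac
            eval "val=\${$name:-}"
            [ -n "$val" ] || return 1
            printf '%s\n' "$val" ;;
        '~/'*)                         # expand a leading ~/ ourselves
            printf '%s\n' "$HOME/${val#??}" ;;
        *)
            printf '%s\n' "$val" ;;
    esac
}

# Run a command with SSH_AUTH_SOCK set from the tunnel host's IdentityAgent.
# If none is configured, the command runs with the environment unchanged.
with_identity_agent() {
    host=$1; shift
    if sock=$(ssh -G "$host" | agent_sock_from_config); then
        env SSH_AUTH_SOCK="$sock" "$@"
    else
        "$@"
    fi
}
```

Typical use is `with_identity_agent tunnel-host mysqlsh`, where `tunnel-host` stands for the Host entry in .ssh/config that carries the IdentityAgent line.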