Bugfix release for the ssh package

Posted on February 21, 2019 by rOpenSci - open tools for open science in R bloggers | 0 Comments

[This article was first published on rOpenSci - open tools for open science, and kindly contributed to R-bloggers]. (You can report issue about the content on this page here)
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.

The ssh package provides a native ssh client for R. You can connect to a remote server over SSH to transfer files via SCP, setup a secure tunnel, or run a command or script on the host while streaming stdout and stderr directly to the client. The intro vignette provides a brief introduction.

This week version 0.4 has been released, so you can install it directly from CRAN:

install.packages("ssh")

The NEWS file shows that this is mostly a bugfix release:

ssh 0.4:
  - Fix for security problem with latest openssh-server
  - Windows/Mac: update libssh to 0.8.6
  - Use new 'askpass' package for password and passphrase prompts
  - Use new ssh_session_is_known_server() api on libssh 0.8 and up
  - Fix bug that would write key to known_hosts for each connection
  - Add support for parsing ipv6 ip-address

There are no new features but upgrading is highly recommended.

OpenSSH and libssh Updates

The most significant changes are due to library upgrades. The Windows and MacOS binary packages have been upgraded to the latest libssh 0.8.6. There have been numerous fixes as listed in the libssh changelog.

logo

On the server side, a recent security patch release of openssh (the standard ssh server) had caused a problem in the R client for copying files via SCP. It is pretty unusual that a server upgrade breaks the client in an established protocol like ssh, but apparently the R client was making a call that is no longer permitted which would cause an error, so this call has been removed.

Authentication and Password Entry

This release also introduces several improvements to the authentication mechanics:

The R package now uses the same ~/.ssh/known_hosts file as the ssh command line utility to store and check server fingerprints. This is an important part of the ssh protocol to protect against MITM attacks. The R client will now automatically add new hosts to the file, and check if a known server fingerprint matches the one from the file.

Finally we now use the askpass package to query the user for a password when needed. This may be needed in two cases: either when you want to log in with username/password authentication, or when reading a private key with a passphrase. With askpass we get secure native password entry programs for various R front-ends, including RStudio, RGui for Windows and R.app for MacOS.

For example, this is what it looks like on MacOS:

macos

And below a screenshot on Windows:

winpass

Hopefully this will help making the package more secure and user-friendly.

To leave a comment for the author, please follow the link and comment on their blog: rOpenSci - open tools for open science.
R-bloggers.com offers daily e-mail updates about R news and tutorials about learning R and many other topics. Click here if you're looking to post or find an R/data-science job.
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.

Copyright © 2022 | MH Corporate basic by MH Themes

Never miss an update!
Subscribe to R-bloggers to receive
e-mails with the latest R posts.
(You will not see this message again.)

Click here to close (This popup will not appear again)