pulumi/changelog
Aaron Friel 4c81c89e4a Improve Git authentication handling
The upstream libraries used, `go-git` and `ssh_config`, have deficiencies which
result in surprising behavior to those familiar with the default behavior of
`git clone`.

First, `go-git` relies on discovering identity files via `ssh_config`; however,
the identity files returned are incorrect. Only the single file
`~/.ssh/identity` (the SSH v1 protocol default) is returned. This TODO has been
outstanding for at least 3 years in `ssh_config`:

1d09c0b505/config.go (L254-L257)

Instead, we read [the four additional
files](https://manpages.ubuntu.com/manpages/xenial/man1/ssh.1.html) SSH uses on
modern systems:

- `~/.ssh/id_rsa`
- `~/.ssh/id_dsa`
- `~/.ssh/id_ecdsa`
- `~/.ssh/id_ed25519`

Second, `go-git` instantiates an SSH Agent eagerly and errors on failing to
access it, regardless of whether it is needed. This is surprising to users who
expect `git clone` to work without an SSH Agent.

302dddeda9/plumbing/transport/ssh/auth_method.go (L185-L203)

Instead, we treat SSH Agent as a fallible, non-erroring source of additional SSH
credentials. Only if it is available do we use it, and should it fail we log an
error and continue without it.

With these changes, users on systems without an SSH Agent configured and using
any of the standard identity files will be able to clone repositories and use
the Automation API with SSH remotes without any additional configuration.
2024-08-14 08:16:10 -07:00
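The credential discovery order the commit message describes, as an added sketch that is not Pulumi's or `go-git`'s code: it uses only the standard library, the helper names `findIdentityFiles`, `agentAvailable` and `credentialSources` are hypothetical, and the agent is probed by dialing the socket path normally found in `SSH_AUTH_SOCK`.

```go
package main

import (
	"log"
	"net"
	"os"
	"path/filepath"
)

// findIdentityFiles returns the default key files that exist under home/.ssh.
// Missing files are skipped: they are candidates, not requirements.
func findIdentityFiles(home string) []string {
	var found []string
	// The four files listed in the commit message; ~/.ssh/identity is left out.
	for _, name := range []string{"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"} {
		p := filepath.Join(home, ".ssh", name)
		if st, err := os.Stat(p); err == nil && st.Mode().IsRegular() {
			found = append(found, p)
		}
	}
	return found
}

// agentAvailable probes the agent socket. Failure is logged, never returned.
func agentAvailable(sock string) bool {
	if sock == "" {
		return false // no agent configured: not an error, nothing to log
	}
	conn, err := net.Dial("unix", sock)
	if err != nil {
		log.Printf("ssh agent unavailable, continuing without it: %v", err)
		return false
	}
	conn.Close()
	return true
}

// credentialSources lists what could be offered: key files first, agent if up.
func credentialSources(home, sock string) []string {
	sources := findIdentityFiles(home)
	if agentAvailable(sock) {
		sources = append(sources, "agent:"+sock)
	}
	return sources
}

func main() {
	// HOME is assumed to be set, as on a typical Unix system.
	log.Println(credentialSources(os.Getenv("HOME"), os.Getenv("SSH_AUTH_SOCK")))
}
```

An empty result means neither a default key file nor an agent was found, which is the point at which a caller would report an authentication error.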
pending Improve Git authentication handling 2024-08-14 08:16:10 -07:00
config.yaml Make pulumi install work for policy packs (#16438) 2024-06-21 19:19:21 +00:00