Plink from Windows service cannot find Pageant

5.3k views

I have one Windows service which uses plink.exe for an SSH connection, and I found that Plink cannot find the running Pageant.

Here are the steps I have done so far.

  1. Install the Windows service to run as a particular user.
  2. Before starting the Windows service, I log in as that user and start Pageant with a PuTTY-generated key.
  3. Then I start the Windows service (but I can't manage to make it work, since Plink cannot find Pageant and the server replies with "No supported authentication methods available").

Note: If I run the Windows service as a console application with that user, everything works fine.

3

There are 3 answers

6
Soe Moe On BEST ANSWER

As @Eugene pointed out, it is Session 0 Isolation.

I managed to solve the issue by not using the agent but directly passing the private key and password to plink.exe. By doing that, I'm able to run without using Pageant.

To start plink.exe without the agent:

plink.exe -noagent -i private_key.ppk -pw mypassword -P 1234 [email protected]
1
Eugene Mayevski 'Callback On

Plink will be run in the Service session (Session\0) while Pageant runs in the user session (Session\1). Plink uses some interprocess communication which, as it looks from your problem, doesn't work across sessions. Most likely there's MMF communication inside and objects are created without a prefix, i.e. they become session-only (not global). You would need to build a custom version of plink to solve the problem.

0
Martin Prikryl On

Pageant explicitly allows feeding keys to an application (PuTTY, PSFTP, PSCP, WinSCP, FileZilla) running in the same Windows session only. This is obviously for security reasons, not to allow a different user on the same machine to hijack private keys loaded by another user. And even for convenience (ironically), so that you do not inadvertently use keys of a different user (possibly leading to having your account locked due to invalid login attempts).

Also note that Pageant is not intended for automation anyway. For automation, use the private key explicitly, using the -i command-line parameter.
See https://the.earth.li/~sgtatham/putty/latest/htmldoc/Chapter3.html#using-cmdline-identity

Such a private key has to be unencrypted. Note that this imposes a security risk if someone gains access to the key. You should consider restricting access to the unprotected private key file to the local account that runs the script only (using Windows file system permissions).
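The two answers above combine into one pattern: lock the unencrypted .ppk down to the service account with NTFS permissions, then call plink with -noagent and -i so it never looks for Pageant. The PowerShell below is an added example, not code from the question or any of the answers; the key path, the service account name, the plink path and the SSH host are assumed placeholders you would replace with your own values.

```powershell
# Added example: restrict an unencrypted PuTTY key to the service account and
# run plink.exe without Pageant, the way the accepted answer describes.
# All paths, account and host names below are assumed placeholders.

$keyPath    = 'C:\svc\keys\service_key.ppk'   # assumed: unencrypted .ppk used by the service
$svcAccount = 'MYHOST\svcuser'                # assumed: the account the Windows service runs as
$plink      = 'C:\Program Files\PuTTY\plink.exe'
$target     = 'svcuser@ssh.example.invalid'   # assumed: user@host on the SSH server
$port       = 22

# --- 1. NTFS permissions: only the service account may read the key file ---
$acl = Get-Acl -Path $keyPath
# Stop inheriting from the parent folder and drop the inherited entries
# (Users/Authenticated Users from the folder would otherwise be able to read the key).
$acl.SetAccessRuleProtection($true, $false)
# Remove whatever explicit entries are left so the DACL is built from scratch.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
# Grant read only; the service never needs to modify the key.
$readRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $svcAccount, 'Read', 'Allow')
$acl.AddAccessRule($readRule)
Set-Acl -Path $keyPath -AclObject $acl

# Check: print the resulting entries so an operator can confirm only $svcAccount remains.
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# --- 2. Run plink from the service context without the agent ---
# -noagent : do not try to reach Pageant (it lives in another session anyway)
# -i       : use the key file directly; no -pw is needed because the key is unencrypted
# -batch   : never stop at an interactive prompt, fail instead (important for a service)
& $plink -batch -noagent -i $keyPath -P $port $target 'uptime'
if ($LASTEXITCODE -ne 0) {
    throw "plink failed with exit code $LASTEXITCODE"
}
```

Run the first half once as an administrator when you deploy the key; the second half is what the service itself executes. Because the key is unencrypted, the NTFS entry is the only thing standing between the file and other local accounts, so keep Administrators out of the explicit list unless your operations process requires it, and do not put a passphrase on the command line: -pw shows up in the process list of every user who can enumerate processes, which is exactly the exposure the file permissions were meant to close.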