git.delta.rocks / remowt / refs/commits / 705d3cdac982

difftreelog

feat initial work on russh+remowt prototype

mvluospuYaroslav Bolyukin2024-08-24parent: #5cb6be4.patch.diff
in: trunk

30 files changed

added.rustfmt.tomldiffbeforeafterboth
--- /dev/null
+++ b/.rustfmt.toml
@@ -0,0 +1 @@
+hard_tabs = true
modifiedCargo.lockdiffbeforeafterboth
after · Cargo.lock
306 packageslockfile v3
modifiedCargo.tomldiffbeforeafterboth
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -2,6 +2,6 @@
 members = ["cmds/*", "crates/*"]
 resolver = "2"
 
-[workspace.packages]
+[workspace.dependencies]
 bifrostlink = { path = "../bifrostlink/crates/bifrostlink" }
 bifrostlink-ports = { path = "../bifrostlink/crates/bifrostlink-ports" }
addedJustfilediffbeforeafterboth
--- /dev/null
+++ b/Justfile
@@ -0,0 +1,12 @@
+dev: dev-build dev-install
+
+dev-install:
+	mkdir -p ./target/libexec
+	ln -sf ./target/x86_64-unknown-linux-musl/release/remowt-agent ./target/libexec/remowt-x86_64-linux
+
+dev-build:
+	cargo build --release --target=x86_64-unknown-linux-musl -p remowt-agent
+
+dev-deploy: dev-build dev-install
+	ssh edgeworth2 mkdir -p /home/lach/.remowt
+	rsync -arv ./target/x86_64-unknown-linux-musl/release/remowt-agent edgeworth2:/home/lach/.remowt/remowt-agent
deletedcmds/polkit-backend/Cargo.tomldiffbeforeafterboth
--- a/cmds/polkit-backend/Cargo.toml
+++ /dev/null
@@ -1,17 +0,0 @@
-[package]
-name = "polkit-backend"
-version = "0.1.0"
-edition = "2021"
-
-[dependencies]
-anyhow = "1.0.86"
-clap = { version = "4.5.11", features = ["derive"] }
-nix = "0.29.0"
-pam-client = "0.5.0"
-polkit-shared = { version = "0.1.0", path = "../../crates/polkit-shared" }
-tokio = { version = "1.39.2", features = ["macros", "rt", "rt-multi-thread"] }
-tracing = "0.1.40"
-tracing-subscriber = "0.3.18"
-ui-prompt = { version = "0.1.0", path = "../../crates/ui-prompt" }
-zbus = { version = "4.4.0", features = ["tokio"] }
-zbus_polkit = { version = "4.0.0", features = ["tokio"] }
deletedcmds/polkit-backend/etc/systemd/system/remowt-polkit-helper.servicediffbeforeafterboth
--- a/cmds/polkit-backend/etc/systemd/system/remowt-polkit-helper.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=Remowt polkit helper service
-
-[Service]
-Type=dbus
-BusName=lach.polkit.helper1
-ExecStart=@libexecdir@/polkit-backend
-# TODO: Hardening
-
-[Install]
-WantedBy=multi-user.target
-Alias=dbus-lach.polkit.helper1.service
deletedcmds/polkit-backend/share/dbus-1/system-services/lach.polkit.helper1.confdiffbeforeafterboth
--- a/cmds/polkit-backend/share/dbus-1/system-services/lach.polkit.helper1.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[D-BUS Service]
-Name=lach.polkit.helper1
-Exec=/bin/false
-User=root
-SystemdService=dbus-lach.polkit.helper1.service
deletedcmds/polkit-backend/share/dbus-1/system.d/lach.polkit.helper1.confdiffbeforeafterboth
--- a/cmds/polkit-backend/share/dbus-1/system.d/lach.polkit.helper1.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "https://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-	<policy user="root">
-		<allow own = "lach.polkit.helper1"/>
-		<allow send_interface="lach.PolkitInputHandler"/>
-	</policy>
-	<policy context="default">
-		<allow send_destination="lach.polkit.helper1"/>
-		<deny send_interface="lach.PolkitInputHandler"/>
-	</policy>
-</busconfig>
deletedcmds/polkit-backend/src/main.rsdiffbeforeafterboth
--- a/cmds/polkit-backend/src/main.rs
+++ /dev/null
@@ -1,238 +0,0 @@
-use std::collections::{HashMap, HashSet};
-use std::ffi::{CStr, CString};
-use std::future::pending;
-use std::sync::LazyLock;
-
-use anyhow::Context as _;
-use clap::Parser;
-use nix::unistd::{setuid, Uid, User};
-use pam_client::{Context, ConversationHandler, ErrorCode, Flag};
-use polkit_shared::BackendRequest;
-use tokio::runtime::Handle;
-use tokio::task::{block_in_place, spawn_blocking};
-use tracing::trace;
-use ui_prompt::dbus::DbusPrompterProxyBlocking;
-use ui_prompt::{BlockingPrompter, Prompter};
-use zbus::fdo;
-use zbus::message::Header;
-use zbus::zvariant::OwnedValue;
-use zbus::{blocking, interface, proxy, Connection};
-
-struct Helper {
-    connection: Connection,
-    blocking_connection: blocking::Connection,
-}
-
-static ALLOWED_ENVIRONMENT: LazyLock<HashSet<&str>> = LazyLock::new(|| {
-    [
-        // pam ssh agent auth
-        "SSH_AUTH_SOCK",
-        // ssh itself provides this when running PAM
-        "SSH_AUTH_INFO_0",
-        // contains user which ran sudo
-        "SUDO_USER",
-    ]
-    .into_iter()
-    .collect()
-});
-
-struct Conversation<P>(P);
-impl<P: BlockingPrompter> Conversation<P> {
-    fn prompt_inner(&self, echo: bool, prompt: &CStr) -> Result<CString, ErrorCode> {
-        trace!("do prompt");
-        let out = self
-            .0
-            .prompt_text(
-                echo,
-                &prompt.to_string_lossy(),
-                "PAM prompt request",
-                &[],
-            )
-            .map_err(|e| {
-                trace!("prompt error: {e}");
-                ErrorCode::CONV_ERR
-            })?;
-        CString::new(out).map_err(|_| ErrorCode::CONV_AGAIN)
-    }
-    fn text_inner(&self, error: bool, msg: &CStr) {
-        trace!("do text");
-        let msg = msg.to_string_lossy();
-        let _ = self.0.display_text(error, &msg, &[]);
-    }
-}
-impl<P: BlockingPrompter> ConversationHandler for Conversation<P> {
-    fn prompt_echo_on(&mut self, prompt: &CStr) -> Result<CString, ErrorCode> {
-        self.prompt_inner(true, prompt)
-    }
-
-    fn prompt_echo_off(&mut self, prompt: &CStr) -> Result<CString, ErrorCode> {
-        self.prompt_inner(false, prompt)
-    }
-
-    fn text_info(&mut self, msg: &CStr) {
-        self.text_inner(false, msg)
-    }
-
-    fn error_msg(&mut self, msg: &CStr) {
-        self.text_inner(true, msg)
-    }
-
-    fn radio_prompt(&mut self, prompt: &CStr) -> Result<bool, ErrorCode> {
-        let prompt = prompt.to_string_lossy();
-        let result = self
-            .0
-            .prompt_radio(&prompt, "PAM prompt request", &[])
-            .map_err(|_| ErrorCode::CONV_ERR)?;
-        Ok(result)
-    }
-}
-
-#[proxy(
-    default_service = "org.freedesktop.DBus",
-    default_path = "/org/freedesktop/DBus"
-)]
-trait DBus {
-    fn get_connection_credentials(&self, body: &str) -> zbus::Result<HashMap<String, OwnedValue>>;
-}
-
-#[interface(name = "lach.PolkitHelper")]
-impl Helper {
-    async fn init_conversation(
-        &self,
-        request: BackendRequest,
-        #[zbus(header)] hdr: Header<'_>,
-    ) -> fdo::Result<()> {
-        let Some(sender) = hdr.sender().map(|v| v.to_owned()) else {
-            trace!("missing sender");
-            return Err(fdo::Error::AuthFailed("missing sender".to_owned()));
-        };
-
-        let dbus = DBusProxy::new(&self.connection).await?;
-
-        // TOCTOU: sender might be already disconnected, and there might be another
-        // user with different user id here, but does it matters?
-        let reply = dbus.get_connection_credentials(&sender).await?;
-        let uid: u32 = (&reply["UnixUserID"]).try_into().unwrap();
-
-        let blocking_connection = self.blocking_connection.clone();
-        let thread_result: fdo::Result<()> = block_in_place(move || {
-            trace!("find user");
-            let user = User::from_uid(Uid::from_raw(uid))
-                .map_err(|_| fdo::Error::AuthFailed("error querying user".to_owned()))?
-                .ok_or_else(|| fdo::Error::AuthFailed("uid not found".to_owned()))?;
-
-            let responder = DbusPrompterProxyBlocking::new(
-                &blocking_connection,
-                sender,
-                request.prompter_path,
-            )?;
-            let conversation = Conversation(responder);
-            trace!("run context for {}", &user.name);
-            let mut ctx = Context::new(
-                // TODO: Should another scope be used?
-                "login",
-                Some(&user.name),
-                conversation,
-            )
-            .map_err(|_| fdo::Error::Failed("pam context init failed".to_owned()))?;
-
-            trace!("fill env");
-            for (k, v) in request.environment {
-                if k.contains('=') || !ALLOWED_ENVIRONMENT.contains(k.as_str()) {
-                    continue;
-                }
-                let _ = ctx.putenv(format!("{k}={v}"));
-            }
-
-            trace!("authenticate");
-            ctx.authenticate(Flag::NONE)
-                .map_err(|_| fdo::Error::AuthFailed("pam authentication failed".to_owned()))?;
-
-            trace!("acct mgmt");
-            ctx.acct_mgmt(Flag::NONE)
-                .map_err(|_| fdo::Error::AuthFailed("pam acct mgmt failed".to_owned()))?;
-
-            Ok(())
-        });
-
-        thread_result?;
-
-        trace!("respond");
-        let proxy = zbus_polkit::policykit1::AuthorityProxy::new(&self.connection).await?;
-
-        let identity_details = request
-            .identity
-            .details
-            .iter()
-            .map(|(k, v)| (k.as_str(), (**v).try_clone().expect("success")))
-            .collect::<HashMap<_, _>>();
-        proxy
-            .authentication_agent_response2(
-                uid,
-                &request.cookie,
-                &zbus_polkit::policykit1::Identity {
-                    identity_kind: &request.identity.kind,
-                    identity_details: &identity_details,
-                },
-            )
-            .await?;
-        Ok(())
-    }
-}
-
-const OBJ_PATH: &str = "/lach/PolkitHelper";
-
-#[derive(Parser)]
-struct Opts {
-    /// Not recommended: start as a session connection, then use escalation
-    /// to respond to polkit requests.
-    #[arg(long)]
-    session: bool,
-}
-
-#[tokio::main]
-async fn main() -> anyhow::Result<()> {
-    tracing_subscriber::fmt::init();
-    let opts = Opts::parse();
-    let connection = if opts.session {
-        Connection::session().await
-    } else {
-        Connection::system().await
-    }
-    .context("failed to open connection")?;
-
-    let session = opts.session;
-    let blocking_connection: anyhow::Result<blocking::Connection> = spawn_blocking(move || {
-        Ok(if session {
-            blocking::Connection::session()?
-        } else {
-            blocking::Connection::system()?
-        })
-    })
-    .await?;
-    let blocking_connection = blocking_connection.context("failed to open blocking connection")?;
-
-    if opts.session {
-        setuid(Uid::from_raw(0))
-            .context("polkit-backend needs to be suid if run in session mode")?;
-    }
-
-    connection
-        .object_server()
-        .at(
-            OBJ_PATH,
-            Helper {
-                connection: connection.clone(),
-                blocking_connection,
-            },
-        )
-        .await
-        .context("failed listen path")?;
-
-    connection
-        .request_name("lach.polkit.helper1")
-        .await
-        .context("failed to request name")?;
-
-    pending().await
-}
addedcmds/polkit-dbus-helper/Cargo.tomldiffbeforeafterboth
--- /dev/null
+++ b/cmds/polkit-dbus-helper/Cargo.toml
@@ -0,0 +1,17 @@
+[package]
+name = "polkit-backend"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+anyhow = "1.0.86"
+clap = { version = "4.5.11", features = ["derive"] }
+nix = "0.29.0"
+pam-client = "0.5.0"
+polkit-shared = { version = "0.1.0", path = "../../crates/polkit-shared" }
+tokio = { version = "1.39.2", features = ["macros", "rt", "rt-multi-thread"] }
+tracing = "0.1.40"
+tracing-subscriber = "0.3.18"
+ui-prompt = { version = "0.1.0", path = "../../crates/ui-prompt" }
+zbus = { version = "4.4.0", features = ["tokio"] }
+zbus_polkit = { version = "4.0.0", features = ["tokio"] }
addedcmds/polkit-dbus-helper/README.adocdiffbeforeafterboth
--- /dev/null
+++ b/cmds/polkit-dbus-helper/README.adoc
@@ -0,0 +1,8 @@
+== What is it?
+
+Usually, there is a `polkit-agent-helper-1` suid binary installed on the system with polkit package.
+
+This, however, an alternative to that approach, a system daemon listening for dbus requests, which works
+without using suid binaries.
+
+In future it will provide some additional features.
addedcmds/polkit-dbus-helper/etc/systemd/system/remowt-polkit-helper.servicediffbeforeafterboth
--- /dev/null
+++ b/cmds/polkit-dbus-helper/etc/systemd/system/remowt-polkit-helper.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Remowt polkit helper service
+
+[Service]
+Type=dbus
+BusName=lach.polkit.helper1
+ExecStart=@libexecdir@/polkit-backend
+# TODO: Hardening
+
+[Install]
+WantedBy=multi-user.target
+Alias=dbus-lach.polkit.helper1.service
addedcmds/polkit-dbus-helper/share/dbus-1/system-services/lach.polkit.helper1.confdiffbeforeafterboth
--- /dev/null
+++ b/cmds/polkit-dbus-helper/share/dbus-1/system-services/lach.polkit.helper1.conf
@@ -0,0 +1,5 @@
+[D-BUS Service]
+Name=lach.polkit.helper1
+Exec=/bin/false
+User=root
+SystemdService=dbus-lach.polkit.helper1.service
addedcmds/polkit-dbus-helper/share/dbus-1/system.d/lach.polkit.helper1.confdiffbeforeafterboth
--- /dev/null
+++ b/cmds/polkit-dbus-helper/share/dbus-1/system.d/lach.polkit.helper1.conf
@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "https://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+	<policy user="root">
+		<allow own = "lach.polkit.helper1"/>
+		<allow send_interface="lach.PolkitInputHandler"/>
+	</policy>
+	<policy context="default">
+		<allow send_destination="lach.polkit.helper1"/>
+		<deny send_interface="lach.PolkitInputHandler"/>
+	</policy>
+</busconfig>
addedcmds/polkit-dbus-helper/src/main.rsdiffbeforeafterboth
--- /dev/null
+++ b/cmds/polkit-dbus-helper/src/main.rs
@@ -0,0 +1,236 @@
+use std::collections::{HashMap, HashSet};
+use std::ffi::{CStr, CString};
+use std::future::pending;
+use std::sync::LazyLock;
+
+use anyhow::Context as _;
+use clap::Parser;
+use nix::unistd::{setuid, Uid, User};
+use pam_client::{Context, ConversationHandler, ErrorCode, Flag};
+use polkit_shared::BackendRequest;
+use tokio::task::{block_in_place, spawn_blocking};
+use tracing::trace;
+use ui_prompt::dbus::DbusPrompterProxyBlocking;
+use ui_prompt::BlockingPrompter;
+use zbus::fdo;
+use zbus::message::Header;
+use zbus::zvariant::OwnedValue;
+use zbus::{blocking, interface, proxy, Connection};
+
+struct Helper {
+    connection: Connection,
+    blocking_connection: blocking::Connection,
+}
+
+static ALLOWED_ENVIRONMENT: LazyLock<HashSet<&str>> = LazyLock::new(|| {
+    [
+        // pam ssh agent auth
+        "SSH_AUTH_SOCK",
+        // ssh itself provides this when running PAM
+        "SSH_AUTH_INFO_0",
+        // contains user which ran sudo
+        "SUDO_USER",
+    ]
+    .into_iter()
+    .collect()
+});
+
+struct Conversation<P>(P);
+impl<P: BlockingPrompter> Conversation<P> {
+    fn prompt_inner(&self, echo: bool, prompt: &CStr) -> Result<CString, ErrorCode> {
+        trace!("do prompt");
+        let out = self
+            .0
+            .prompt_text(echo, &prompt.to_string_lossy(), "PAM prompt request", &[])
+            .map_err(|e| {
+                trace!("prompt error: {e}");
+                ErrorCode::CONV_ERR
+            })?;
+        CString::new(out).map_err(|_| ErrorCode::CONV_AGAIN)
+    }
+    fn text_inner(&self, error: bool, msg: &CStr) {
+        trace!("do text");
+        let msg = msg.to_string_lossy();
+        let _ = self.0.display_text(error, &msg, &[]);
+    }
+}
+impl<P: BlockingPrompter> ConversationHandler for Conversation<P> {
+    fn prompt_echo_on(&mut self, prompt: &CStr) -> Result<CString, ErrorCode> {
+        self.prompt_inner(true, prompt)
+    }
+
+    fn prompt_echo_off(&mut self, prompt: &CStr) -> Result<CString, ErrorCode> {
+        self.prompt_inner(false, prompt)
+    }
+
+    fn text_info(&mut self, msg: &CStr) {
+        self.text_inner(false, msg)
+    }
+
+    fn error_msg(&mut self, msg: &CStr) {
+        self.text_inner(true, msg)
+    }
+
+    fn radio_prompt(&mut self, prompt: &CStr) -> Result<bool, ErrorCode> {
+        let prompt = prompt.to_string_lossy();
+        let result = self
+            .0
+            .prompt_radio(&prompt, "PAM prompt request", &[])
+            .map_err(|_| ErrorCode::CONV_ERR)?;
+        Ok(result)
+    }
+}
+
+#[proxy(
+    default_service = "org.freedesktop.DBus",
+    default_path = "/org/freedesktop/DBus"
+)]
+trait DBus {
+    fn get_connection_credentials(&self, body: &str) -> zbus::Result<HashMap<String, OwnedValue>>;
+}
+
+#[interface(name = "lach.PolkitHelper")]
+impl Helper {
+    async fn init_conversation(
+        &self,
+        request: BackendRequest,
+        #[zbus(header)] hdr: Header<'_>,
+    ) -> fdo::Result<()> {
+        let Some(sender) = hdr.sender().map(|v| v.to_owned()) else {
+            trace!("missing sender");
+            return Err(fdo::Error::AuthFailed("missing sender".to_owned()));
+        };
+
+        let dbus = DBusProxy::new(&self.connection).await?;
+
+        // TOCTOU: sender might be already disconnected, and there might be another
+        // user with different user id here, but does it matters?
+        let reply = dbus.get_connection_credentials(&sender).await?;
+        let connection_uid: u32 = (&reply["UnixUserID"]).try_into().unwrap();
+
+        let identity = request.identity.clone();
+        let blocking_connection = self.blocking_connection.clone();
+        let thread_result: fdo::Result<()> = block_in_place(move || {
+            trace!("find user");
+            let Some(identity_uid) = identity.uid() else {
+                return Err(fdo::Error::AuthFailed("can't process identity".to_owned()));
+            };
+            let user = User::from_uid(identity_uid)
+                .map_err(|_| fdo::Error::AuthFailed("error querying user".to_owned()))?
+                .ok_or_else(|| fdo::Error::AuthFailed("uid not found".to_owned()))?;
+
+            let responder = DbusPrompterProxyBlocking::new(
+                &blocking_connection,
+                sender,
+                request.prompter_path,
+            )?;
+            let conversation = Conversation(responder);
+            trace!("run context for {}", &user.name);
+            let mut ctx = Context::new(
+                // TODO: Should another scope be used?
+                "login",
+                Some(&user.name),
+                conversation,
+            )
+            .map_err(|_| fdo::Error::Failed("pam context init failed".to_owned()))?;
+
+            trace!("fill env");
+            for (k, v) in request.environment {
+                if k.contains('=') || !ALLOWED_ENVIRONMENT.contains(k.as_str()) {
+                    continue;
+                }
+                let _ = ctx.putenv(format!("{k}={v}"));
+            }
+
+            trace!("authenticate");
+            ctx.authenticate(Flag::NONE)
+                .map_err(|_| fdo::Error::AuthFailed("pam authentication failed".to_owned()))?;
+
+            trace!("acct mgmt");
+            ctx.acct_mgmt(Flag::NONE)
+                .map_err(|_| fdo::Error::AuthFailed("pam acct mgmt failed".to_owned()))?;
+
+            Ok(())
+        });
+
+        thread_result?;
+
+        trace!("respond");
+        let proxy = zbus_polkit::policykit1::AuthorityProxy::new(&self.connection).await?;
+
+        let identity_details = request
+            .identity
+            .details
+            .iter()
+            .map(|(k, v)| (k.as_str(), (**v).try_clone().expect("success")))
+            .collect::<HashMap<_, _>>();
+        proxy
+            .authentication_agent_response2(
+                connection_uid,
+                &request.cookie,
+                &zbus_polkit::policykit1::Identity {
+                    identity_kind: &request.identity.kind,
+                    identity_details: &identity_details,
+                },
+            )
+            .await?;
+        Ok(())
+    }
+}
+
+const OBJ_PATH: &str = "/lach/PolkitHelper";
+
+#[derive(Parser)]
+struct Opts {
+    /// Not recommended: start as a session connection, then use escalation
+    /// to respond to polkit requests.
+    #[arg(long)]
+    session: bool,
+}
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+    tracing_subscriber::fmt::init();
+    let opts = Opts::parse();
+    let connection = if opts.session {
+        Connection::session().await
+    } else {
+        Connection::system().await
+    }
+    .context("failed to open connection")?;
+
+    let session = opts.session;
+    let blocking_connection: anyhow::Result<blocking::Connection> = spawn_blocking(move || {
+        Ok(if session {
+            blocking::Connection::session()?
+        } else {
+            blocking::Connection::system()?
+        })
+    })
+    .await?;
+    let blocking_connection = blocking_connection.context("failed to open blocking connection")?;
+
+    if opts.session {
+        setuid(Uid::from_raw(0))
+            .context("polkit-backend needs to be suid if run in session mode")?;
+    }
+
+    connection
+        .object_server()
+        .at(
+            OBJ_PATH,
+            Helper {
+                connection: connection.clone(),
+                blocking_connection,
+            },
+        )
+        .await
+        .context("failed listen path")?;
+
+    connection
+        .request_name("lach.polkit.helper1")
+        .await
+        .context("failed to request name")?;
+
+    pending().await
+}
modifiedcmds/remowt-agent/Cargo.tomldiffbeforeafterboth
--- a/cmds/remowt-agent/Cargo.toml
+++ b/cmds/remowt-agent/Cargo.toml
@@ -5,12 +5,18 @@
 
 [dependencies]
 anyhow = "1.0.86"
+bifrostlink.workspace = true
+bifrostlink-ports.workspace = true
 clap = { version = "4.5.13", features = ["derive"] }
-pam-client = "0.5.0"
+futures = "0.3.30"
+futures-util = "0.3.30"
+nix = "0.29.0"
 polkit-shared = { version = "0.1.0", path = "../../crates/polkit-shared" }
 rand = "0.8.5"
+remowt-link-shared = { version = "0.1.0", path = "../../crates/remowt-link-shared" }
 serde = { version = "1.0.204", features = ["derive"] }
 tokio = { version = "1.39.2", features = ["rt-multi-thread", "fs", "macros"] }
+tokio-util = { version = "0.7.11", features = ["codec"] }
 tracing = "0.1.40"
 tracing-subscriber = "0.3.18"
 ui-prompt = { version = "0.1.0", path = "../../crates/ui-prompt" }
addedcmds/remowt-agent/src/helper/dbus.rsdiffbeforeafterboth
--- /dev/null
+++ b/cmds/remowt-agent/src/helper/dbus.rs
@@ -0,0 +1,79 @@
+use std::collections::HashMap;
+use std::marker::PhantomData;
+
+use polkit_shared::{BackendRequest, Identity};
+use tokio::runtime::Handle;
+use ui_prompt::dbus::DbusPrompterInterface;
+use ui_prompt::Prompter;
+use zbus::Connection;
+
+use crate::PolkitHelperProxy;
+
+use super::Helper;
+
+
+struct TemporaryPrompterInterface<P: Prompter + 'static> {
+    connection: Connection,
+    path: String,
+    _marker: PhantomData<P>,
+}
+impl<P: Prompter + 'static> TemporaryPrompterInterface<P> {
+    async fn new(connection: Connection, prompter: P) -> Self {
+        let path = format!(
+            "/remowt/prompters/{}",
+            uuid::Uuid::new_v4().to_string().replace("-", "_")
+        );
+        let _ = connection
+            .object_server()
+            .at(path.clone(), DbusPrompterInterface(prompter))
+            .await;
+        Self {
+            connection,
+            path,
+            _marker: PhantomData,
+        }
+    }
+}
+impl<P: Prompter + Send + Sync + 'static> Drop for TemporaryPrompterInterface<P> {
+    fn drop(&mut self) {
+        // FIXME: block_in_place prevents to moving to current_thread runtime
+        // There should be a blocking way to remove ObjectServer listener.
+        // As far as I can see, it is only async because of async RwLock, shouldn't it be
+        // just a sync lock?
+        tokio::task::block_in_place(move || {
+            Handle::current().block_on(async {
+                let _ = self
+                    .connection
+                    .object_server()
+                    .remove::<DbusPrompterInterface<P>, String>(self.path.clone())
+                    .await;
+            });
+        });
+    }
+}
+
+pub struct DbusHelper {
+    connection: Connection,
+    helper: PolkitHelperProxy<'static>,
+}
+impl Helper for DbusHelper {
+    async fn help_me<P: Prompter + Send + Sync + 'static>(
+        &self,
+        cookie: &str,
+        prompter: P,
+        identity: Identity,
+    ) -> anyhow::Result<()> {
+        let prompter = TemporaryPrompterInterface::new(self.connection.clone(), prompter).await;
+        self.helper
+            .init_conversation(
+                BackendRequest {
+                    cookie: cookie.to_owned(),
+                    environment: HashMap::new(),
+                    prompter_path: prompter.path.clone(),
+                    identity,
+                }, // cookie.to_owned(), HashMap::new(), prompter.path.clone()
+            )
+            .await?;
+        Ok(())
+    }
+}
addedcmds/remowt-agent/src/helper/mod.rsdiffbeforeafterboth
--- /dev/null
+++ b/cmds/remowt-agent/src/helper/mod.rs
@@ -0,0 +1,18 @@
+use futures::Future;
+use polkit_shared::Identity;
+use ui_prompt::Prompter;
+
+mod suid;
+mod dbus;
+
+pub use suid::SuidHelper;
+pub use dbus::DbusHelper;
+
+pub trait Helper {
+    fn help_me<P: Prompter + Send + Sync + 'static>(
+        &self,
+        cookie: &str,
+        prompt: P,
+        identity: Identity,
+    ) -> impl Future<Output = anyhow::Result<()>> + Send;
+}
addedcmds/remowt-agent/src/helper/suid.rsdiffbeforeafterboth
--- /dev/null
+++ b/cmds/remowt-agent/src/helper/suid.rs
@@ -0,0 +1,83 @@
+use std::pin::pin;
+use std::process::Stdio;
+
+use anyhow::{bail, anyhow};
+use futures::stream::Peekable;
+use futures::StreamExt as _;
+use nix::unistd::User;
+use polkit_shared::Identity;
+use tokio::io::AsyncWriteExt as _;
+use tokio::process::Command;
+use tokio::select;
+use tokio_util::codec::{FramedRead, LinesCodec};
+use ui_prompt::Prompter;
+
+use super::Helper;
+
+#[derive(Clone)]
+pub struct SuidHelper;
+impl Helper for SuidHelper {
+    async fn help_me<P: Prompter + 'static>(
+        &self,
+        cookie: &str,
+        prompt: P,
+        identity: Identity,
+    ) -> anyhow::Result<()> {
+        let Some(uid) = dbg!(identity.uid()) else {
+            bail!("can't process identity");
+        };
+        let user = User::from_uid(dbg!(uid))
+            .map_err(|e| anyhow!("error querying user: {e}"))?
+            .ok_or_else(|| anyhow!("user not found"))?;
+
+        let mut cmd = Command::new("polkit-agent-helper-1");
+        cmd.arg(user.name);
+        cmd.stdin(Stdio::piped());
+        cmd.stdout(Stdio::piped());
+        cmd.kill_on_drop(true);
+        let mut child = cmd.spawn()?;
+        let mut stdin = child.stdin.take().expect("piped");
+        let mut stdout =
+            pin!(
+                FramedRead::new(child.stdout.take().expect("piped"), LinesCodec::new()).peekable()
+            );
+
+        assert!(!cookie.contains("\n"));
+        stdin.write_all(cookie.as_bytes()).await?;
+        stdin.write_all(b"\n").await?;
+
+        while let Some(line) = stdout.next().await {
+            let line = dbg!(line?);
+            // TODO: Dedicated codec?
+            let res = if let Some(prompt_text) = line.strip_prefix("PAM_PROMPT_ECHO_OFF ") {
+                prompt.prompt_text(false, prompt_text, "", &[]).await?
+            } else if let Some(prompt_text) = line.strip_prefix("PAM_PROMPT_ECHO_ON ") {
+                prompt.prompt_text(true, prompt_text, "", &[]).await?
+            } else if let Some(msg_text) = line.strip_prefix("PAM_ERROR_MSG ") {
+                prompt.display_text(true, msg_text, &[]).await?;
+                String::new()
+            } else if let Some(msg_text) = line.strip_prefix("PAM_TEXT_INFO ") {
+                select! {
+                    _ = Peekable::peek(stdout.as_mut()) => {},
+                    r = prompt.display_text(false, msg_text, &[]) => {r?}
+                }
+                String::new()
+            } else if line == "SUCCESS" {
+                return Ok(());
+            } else if line == "FAILURE" {
+                bail!("helper binary reported failure")
+            } else {
+                // TODO: Success/failure handling
+                bail!("unknown agent request");
+            };
+
+            if res.contains("\n") {
+                bail!("response should not include newline")
+            }
+
+            stdin.write_all(res.as_bytes()).await?;
+            stdin.write_all(b"\n").await?;
+        }
+        bail!("agent finished unexpectedly")
+    }
+}
modifiedcmds/remowt-agent/src/main.rsdiffbeforeafterboth
--- a/cmds/remowt-agent/src/main.rs
+++ b/cmds/remowt-agent/src/main.rs
@@ -1,281 +1,269 @@
 use std::borrow::Cow;
 use std::collections::{BTreeMap, HashMap};
+use std::future;
 use std::io::{stdout, Write};
-use std::marker::PhantomData;
+use std::path::PathBuf;
 use std::sync::{Arc, Mutex, OnceLock};
-use std::{future, process};
 
+use bifrostlink::{AddressT, Rpc};
+use bifrostlink_ports::unix_socket::from_socket;
 use clap::Parser;
 use polkit_shared::{emphasize, BackendRequest, Identity, PidDisplay};
-use tokio::runtime::Handle;
-use tokio::task::{AbortHandle, JoinHandle, LocalSet};
+use remowt_link_shared::Address;
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use tokio::net::UnixStream;
+use tokio::runtime::Runtime;
+use tokio::task::AbortHandle;
 use tracing::{info, trace};
-use ui_prompt::dbus::DbusPrompterInterface;
 use ui_prompt::rofi::RofiPrompter;
 use ui_prompt::{PrependSourcePrompter, Prompter, Source};
+use zbus::fdo;
 use zbus::zvariant::{OwnedValue, Str};
-use zbus::{fdo, ObjectServer};
 use zbus::{interface, proxy, Connection};
 use zbus_polkit::policykit1::Subject;
 
-struct TemporaryPrompterInterface<P: Prompter + Send + Sync + 'static> {
-    connection: Connection,
-    path: String,
-    _marker: PhantomData<P>,
-}
-impl<P: Prompter + Send + Sync + 'static> TemporaryPrompterInterface<P> {
-    async fn new(connection: Connection, prompter: P) -> Self {
-        let path = format!(
-            "/remowt/prompters/{}",
-            uuid::Uuid::new_v4().to_string().replace("-", "_")
-        );
-        let _ = connection
-            .object_server()
-            .at(path.clone(), DbusPrompterInterface(prompter))
-            .await;
-        Self {
-            connection,
-            path,
-            _marker: PhantomData,
-        }
-    }
-}
-impl<P: Prompter + Send + Sync + 'static> Drop for TemporaryPrompterInterface<P> {
-    fn drop(&mut self) {
-        // FIXME: block_in_place prevents to moving to current_thread runtime
-        // There should be a blocking way to remove ObjectServer listener.
-        // As far as I can see, it is only async because of async RwLock, shouldn't it be
-        // just a sync lock?
-        tokio::task::block_in_place(move || {
-            Handle::current().block_on(async {
-                let _ = self
-                    .connection
-                    .object_server()
-                    .remove::<DbusPrompterInterface<P>, String>(self.path.clone())
-                    .await;
-            });
-        });
-    }
-}
+use self::helper::{Helper, SuidHelper};
 
+pub mod helper;
+
 struct CancelTaskOnDrop {
-    tasks: Arc<Mutex<HashMap<String, AbortHandle>>>,
-    handle: String,
+	tasks: Arc<Mutex<HashMap<String, AbortHandle>>>,
+	handle: String,
 }
 impl Drop for CancelTaskOnDrop {
-    fn drop(&mut self) {
-        info!("cancel on drop");
-        if let Some(task) = self
-            .tasks
-            .lock()
-            .expect("not poisoned")
-            .remove(&self.handle)
-        {
-            task.abort();
-        }
-    }
+	fn drop(&mut self) {
+		info!("cancel on drop");
+		if let Some(task) = self
+			.tasks
+			.lock()
+			.expect("not poisoned")
+			.remove(&self.handle)
+		{
+			task.abort();
+		}
+	}
 }
 
-struct Agent {
-    helper: PolkitHelperProxy<'static>,
-    tasks: Arc<Mutex<HashMap<String, AbortHandle>>>,
-    connection: Connection,
+struct Agent<H> {
+	tasks: Arc<Mutex<HashMap<String, AbortHandle>>>,
+	helper: H,
 }
-impl Agent {
-    async fn new(connection: Connection) -> anyhow::Result<Self> {
-        Ok(Self {
-            helper: PolkitHelperProxy::new(&connection).await?,
-            tasks: Arc::new(Mutex::new(HashMap::new())),
-            connection,
-        })
-    }
+impl<H> Agent<H> {
+	fn new(helper: H) -> Self {
+		Agent {
+			tasks: Arc::new(Mutex::new(HashMap::new())),
+			helper,
+		}
+	}
 }
 
 #[interface(name = "org.freedesktop.PolicyKit1.AuthenticationAgent")]
-impl Agent {
-    /// BeginAuthentication method
-    #[allow(clippy::too_many_arguments)]
-    async fn begin_authentication(
-        &self,
-        action_id: String,
-        message: String,
-        icon_name: String,
-        mut details: BTreeMap<String, String>,
-        cookie: String,
-        identities: Vec<Identity>,
-    ) -> zbus::fdo::Result<()> {
-        use std::fmt::Write;
-        info!("begin auth");
-        let _cancel_guard = Arc::new(OnceLock::new());
-        let task = {
-            let connection = self.connection.clone();
-            let helper = self.helper.clone();
-            let cookie = cookie.clone();
-            let _cancel_guard = _cancel_guard.clone();
-            tokio::task::spawn(async move {
-                let _cancel_guard = _cancel_guard.clone();
-                trace!("conversation task");
-                let mut description = format!("{message}\n\n<b>Action id:</b> {action_id}",);
-                if let Some(subject) = details.remove("polkit.caller-pid") {
-                    let _ = write!(description, "\n<b>Caller:</b> ");
-                    if let Ok(pid) = subject.parse::<u32>() {
-                        let _ = write!(description, "{}", PidDisplay(pid));
-                    } else {
-                        let _ = write!(description, "{}", emphasize("invalid pid"));
-                    }
-                }
-                if let Some(subject) = details.remove("polkit.subject-pid") {
-                    let _ = write!(description, "\n<b>Subject:</b> ");
-                    if let Ok(pid) = subject.parse::<u32>() {
-                        let _ = write!(description, "{}", PidDisplay(pid));
-                    } else {
-                        let _ = write!(description, "{}", emphasize("invalid pid"));
-                    }
-                }
-                let mut prompter = PrependSourcePrompter {
-                    source: vec![Source(Cow::Borrowed("polkit agent"))],
-                    description: description.clone(),
-                    prompter: RofiPrompter,
-                };
+impl<H> Agent<H>
+where
+	H: Helper + Clone + Send + Sync + 'static,
+{
+	/// BeginAuthentication method
+	#[allow(clippy::too_many_arguments)]
+	async fn begin_authentication(
+		&self,
+		action_id: String,
+		message: String,
+		icon_name: String,
+		mut details: BTreeMap<String, String>,
+		cookie: String,
+		identities: Vec<Identity>,
+	) -> zbus::fdo::Result<()> {
+		use std::fmt::Write;
+		info!("begin auth");
+		let _cancel_guard = Arc::new(OnceLock::new());
+		let task = {
+			let helper = self.helper.clone();
+			let cookie = cookie.clone();
+			let _cancel_guard = _cancel_guard.clone();
+			tokio::task::spawn(async move {
+				let _cancel_guard = _cancel_guard.clone();
+				trace!("conversation task");
+				let mut description = format!("{message}\n\n<b>Action id:</b> {action_id}",);
+				if let Some(subject) = details.remove("polkit.caller-pid") {
+					let _ = write!(description, "\n<b>Caller:</b> ");
+					if let Ok(pid) = subject.parse::<u32>() {
+						let _ = write!(description, "{}", PidDisplay(pid));
+					} else {
+						let _ = write!(description, "{}", emphasize("invalid pid"));
+					}
+				}
+				if let Some(subject) = details.remove("polkit.subject-pid") {
+					let _ = write!(description, "\n<b>Subject:</b> ");
+					if let Ok(pid) = subject.parse::<u32>() {
+						let _ = write!(description, "{}", PidDisplay(pid));
+					} else {
+						let _ = write!(description, "{}", emphasize("invalid pid"));
+					}
+				}
+				let mut prompter = PrependSourcePrompter {
+					source: vec![Source(Cow::Borrowed("polkit agent"))],
+					description: description.clone(),
+					prompter: RofiPrompter,
+				};
 
-                let identity_displays: Vec<String> =
-                    identities.iter().map(|v| v.to_string()).collect();
-                let identity_displays: Vec<&str> =
-                    identity_displays.iter().map(|v| v.as_str()).collect();
-                info!("choose identity");
-                let choosen_identity = match identity_displays.len() {
-                    0 => {
-                        return Err(fdo::Error::AuthFailed(
-                            "no identity to authenticate as".to_owned(),
-                        ))
-                    }
-                    1 => 0,
-                    _ => {
-                        prompter
-                            .prompt_enum(
-                                "Identity",
-                                "Select identity to use for polkit authorization",
-                                &identity_displays,
-                                &[],
-                            )
-                            .await?
-                    }
-                };
-                info!("identity chosen");
+				let identity_displays: Vec<String> =
+					identities.iter().map(|v| v.to_string()).collect();
+				let identity_displays: Vec<&str> =
+					identity_displays.iter().map(|v| v.as_str()).collect();
+				info!("choose identity");
+				let choosen_identity = match identity_displays.len() {
+					0 => {
+						return Err(fdo::Error::AuthFailed(
+							"no identity to authenticate as".to_owned(),
+						))
+					}
+					1 => 0,
+					_ => {
+						prompter
+							.prompt_enum(
+								"Identity",
+								"Select identity to use for polkit authorization",
+								&identity_displays,
+								&[],
+							)
+							.await?
+					}
+				};
+				info!("identity chosen");
+
+				let _ = write!(
+					description,
+					"\n<b>Identity:</b> {}",
+					identities[choosen_identity as usize]
+				);
+				prompter.description = description;
 
-                let _ = write!(
-                    description,
-                    "\n<b>Identity:</b> {}",
-                    identities[choosen_identity as usize]
-                );
-                prompter.description = description;
+				prompter.source.push(Source(Cow::Borrowed("polkit daemon")));
 
-                prompter.source.push(Source(Cow::Borrowed("polkit daemon")));
-                // let connection = Connection::system().await?;
-                // let helper = PolkitHelperProxy::new(&connection).await?;
-                let prompter = TemporaryPrompterInterface::new(connection, prompter).await;
-                info!("init conv");
-                helper
-                    .init_conversation(
-                        BackendRequest {
-                            cookie: cookie.to_owned(),
-                            environment: HashMap::new(),
-                            prompter_path: prompter.path.clone(),
-                            // TODO: Let user choose
-                            identity: identities[choosen_identity as usize].clone(),
-                        }, // cookie.to_owned(), HashMap::new(), prompter.path.clone()
-                    )
-                    .await?;
-                println!("ASKED");
-                dbg!(action_id, message, icon_name, details, cookie, identities);
+				helper
+					.help_me(
+						&cookie,
+						prompter,
+						identities[choosen_identity as usize].clone(),
+					)
+					.await
+					.map_err(|e| fdo::Error::Failed(e.to_string()))?;
+				// let connection = Connection::system().await?;
+				// let helper = PolkitHelperProxy::new(&connection).await?;
 
-                Ok(())
-            })
-        };
-        self.tasks
-            .lock()
-            .unwrap()
-            .insert(cookie.clone(), task.abort_handle());
-        info!("abort handle stored");
-        let _ = _cancel_guard.set(CancelTaskOnDrop {
-            tasks: self.tasks.clone(),
-            handle: cookie.clone(),
-        });
+				Ok(())
+			})
+		};
+		self.tasks
+			.lock()
+			.unwrap()
+			.insert(cookie.clone(), task.abort_handle());
+		info!("abort handle stored");
+		let _ = _cancel_guard.set(CancelTaskOnDrop {
+			tasks: self.tasks.clone(),
+			handle: cookie.clone(),
+		});
 
-        let _ = task.await;
+		let _ = task.await;
 
-        Ok(())
-    }
+		Ok(())
+	}
 
-    /// CancelAuthentication method
-    async fn cancel_authentication(&self, cookie: &str) -> zbus::fdo::Result<()> {
-        info!("auth cancelled");
-        if let Some(abort) = self.tasks.lock().unwrap().remove(cookie) {
-            info!("abort handle found");
-            abort.abort();
-        }
-        // debug!("Authentication cancled ! {cookie}");
-        Ok(())
-    }
+	/// CancelAuthentication method
+	async fn cancel_authentication(&self, cookie: &str) -> zbus::fdo::Result<()> {
+		info!("auth cancelled");
+		if let Some(abort) = self.tasks.lock().unwrap().remove(cookie) {
+			info!("abort handle found");
+			abort.abort();
+		}
+		// debug!("Authentication cancled ! {cookie}");
+		Ok(())
+	}
 }
 
 const OBJ_PATH: &str = "/org/freedesktop/PolicyKit1/AuthenticationAgent";
 
 #[proxy(
-    interface = "lach.PolkitHelper",
-    default_service = "lach.polkit.helper1",
-    default_path = "/lach/PolkitHelper"
+	interface = "lach.PolkitHelper",
+	default_service = "lach.polkit.helper1",
+	default_path = "/lach/PolkitHelper"
 )]
 trait PolkitHelper {
-    fn init_conversation(&self, request: BackendRequest) -> zbus::Result<()>;
+	fn init_conversation(&self, request: BackendRequest) -> zbus::Result<()>;
 }
 
 #[derive(Parser)]
 enum Opts {
-    Agent,
-    AskPass { description: String },
+	Agent,
+	AskPass {
+		description: String,
+	},
+	RealAgent {
+		#[arg(long)]
+		path: PathBuf,
+	},
 }
 
-#[tokio::main]
-async fn main() -> anyhow::Result<()> {
-    tracing_subscriber::fmt::init();
-    let opts = Opts::parse();
+fn main() -> anyhow::Result<()> {
+	tracing_subscriber::fmt::init();
+	let opts = Opts::parse();
 
-    match opts {
-        Opts::Agent => {
-            trace!("started");
-            let conn = Connection::system().await?;
+	let runtime = Runtime::new()?;
 
-            let proxy = zbus_polkit::policykit1::AuthorityProxy::new(&conn).await?;
-            conn.object_server()
-                .at(OBJ_PATH, Agent::new(conn.clone()).await?)
-                .await?;
+	match opts {
+		Opts::Agent => {
+			// TODO: Setup env, directories with various things...
+			runtime.block_on(main_agent())
+		}
+		Opts::AskPass { description } => runtime.block_on(main_askpass(description)),
+		Opts::RealAgent { path } => runtime.block_on(main_real_agent(path)),
+	}
+}
+async fn main_real_agent(path: PathBuf) -> anyhow::Result<()> {
+    let mut stream = UnixStream::connect(path).await?;
+    stream.write_all(b"REMOWT_HELLO\0").await?;
+    let mut buf = [0u8; 12];
+    stream.read_exact(&mut buf).await?;
+    assert_eq!(&buf, b"REMOWT_EHLO\0");
+    let port = from_socket(stream);
+    let rpc = Rpc::<Address, remowt_link_shared::Error>::new(Address::Agent);
+    rpc.add_direct(Address::User, port, bifrostlink::Rtt(0));
+    Ok(())
+}
 
-            let session_id = std::env::var("XDG_SESSION_ID")?;
-            let mut details = HashMap::new();
-            let val: OwnedValue = {
-                let wrapped: Str<'_> = session_id.into();
-                wrapped.into()
-            };
-            details.insert("session-id".to_string(), val);
-            proxy
-                .register_authentication_agent(
-                    &Subject {
-                        subject_kind: "unix-session".to_string(),
-                        subject_details: details,
-                    },
-                    "C",
-                    OBJ_PATH,
-                )
-                .await?;
-        }
-        Opts::AskPass { description } => {
-            let password = RofiPrompter
-                .prompt_text(false, &description, "SSH password request", &[])
-                .await?;
-            stdout().lock().write_all(password.as_bytes())?;
-        }
-    }
+async fn main_agent() -> anyhow::Result<()> {
+	trace!("started");
+	let conn = Connection::system().await?;
+
+	let proxy = zbus_polkit::policykit1::AuthorityProxy::new(&conn).await?;
+	conn.object_server()
+		.at(OBJ_PATH, Agent::new(SuidHelper))
+		.await?;
+
+	let session_id = std::env::var("XDG_SESSION_ID")?;
+	let mut details = HashMap::new();
+	let val: OwnedValue = {
+		let wrapped: Str<'_> = session_id.into();
+		wrapped.into()
+	};
+	details.insert("session-id".to_string(), val);
+	proxy
+		.register_authentication_agent(
+			&Subject {
+				subject_kind: "unix-session".to_string(),
+				subject_details: details,
+			},
+			"C",
+			OBJ_PATH,
+		)
+		.await?;
+	future::pending().await
+}
 
-    future::pending().await
+async fn main_askpass(description: String) -> anyhow::Result<()> {
+	let password = RofiPrompter
+		.prompt_text(false, &description, "SSH password request", &[])
+		.await?;
+	stdout().lock().write_all(password.as_bytes())?;
+	future::pending().await
 }
modifiedcmds/remowt-ssh/Cargo.tomldiffbeforeafterboth
--- a/cmds/remowt-ssh/Cargo.toml
+++ b/cmds/remowt-ssh/Cargo.toml
@@ -4,3 +4,17 @@
 edition = "2021"
 
 [dependencies]
+clap = { version = "4.5.16", features = ["derive"] }
+openssh = { version = "0.11.0", features = ["native-mux"] }
+tracing-subscriber = "0.3.18"
+bifrostlink.workspace = true
+remowt-link-shared = { version = "0.1.0", path = "../../crates/remowt-link-shared" }
+tokio = { version = "1.39.3", features = ["macros"] }
+anyhow = "1.0.86"
+bifrostlink-ports.workspace = true
+uuid = { version = "1.10.0", features = ["v4"] }
+tempdir = "0.3.7"
+russh = { git = "https://github.com/Eugeny/russh/" }
+russh-config = { git = "https://github.com/Eugeny/russh/" }
+russh-keys = { git = "https://github.com/Eugeny/russh/" }
+async-trait = "0.1.81"
modifiedcmds/remowt-ssh/src/main.rsdiffbeforeafterboth
--- a/cmds/remowt-ssh/src/main.rs
+++ b/cmds/remowt-ssh/src/main.rs
@@ -1,3 +1,140 @@
-fn main() {
-    println!("Hello, world!");
+use std::borrow::Cow;
+use std::ffi::OsString;
+use std::os::unix::ffi::OsStringExt;
+use std::path::PathBuf;
+use std::sync::Arc;
+
+use anyhow::{bail, ensure};
+use async_trait::async_trait;
+use bifrostlink::Rpc;
+use clap::Parser;
+use remowt_link_shared::Address;
+use russh::client::{connect, Config, Handler, Session};
+use tempdir::TempDir;
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use tokio::net::UnixSocket;
+
+#[derive(Parser)]
+struct Opts {
+	host: String,
+}
+
+struct MyHandler {
+	host: String,
+	port: u16,
+}
+#[async_trait]
+impl Handler for MyHandler {
+	type Error = russh::Error;
+	async fn check_server_key(
+		&mut self,
+		server_public_key: &russh_keys::key::PublicKey,
+	) -> Result<bool, Self::Error> {
+		Ok(russh_keys::check_known_hosts(
+			&self.host,
+			self.port,
+			&server_public_key,
+		)?)
+	}
+}
+
+#[tokio::main(flavor = "current_thread")]
+async fn main() -> anyhow::Result<()> {
+	let rpc = Rpc::<Address, remowt_link_shared::Error>::new(Address::User);
+	tracing_subscriber::fmt::init();
+	let opts = Opts::parse();
+
+	let conf = dbg!(russh_config::parse_home(&opts.host)?);
+	println!("connect");
+	let mut sess = connect(
+		Arc::new(Config {
+			..Default::default()
+		}),
+		dbg!((conf.host_name.clone(), conf.port)),
+		MyHandler {
+			host: conf.host_name,
+			port: conf.port,
+		},
+	)
+	.await?;
+	println!("agent");
+	let mut agent = russh_keys::agent::client::AgentClient::connect_env().await?;
+	for ele in agent.request_identities().await? {
+		let (_agent, res) = sess.authenticate_future(conf.user.clone(), ele, agent).await;
+		agent = _agent;
+		if res? {
+			break;
+		}
+	}
+	// let sess = Session::connect(opts.host, openssh::KnownHosts::Strict).await?;
+
+	let socket = UnixSocket::new_stream()?;
+
+	println!("mktemp");
+	let mut cmd_chan = sess.channel_open_session().await?;
+	cmd_chan
+		.exec(true, "mktemp -d remowt.XXXXXXXXXXXX --tmpdir")
+		.await?;
+	let mut stdout = vec![];
+	loop {
+		let Some(msg) = cmd_chan.wait().await else {
+			bail!("unexpected channel end");
+		};
+		match msg {
+			russh::ChannelMsg::Data { data } => stdout.extend(data.as_ref()),
+			russh::ChannelMsg::ExitStatus { exit_status } => {
+				if exit_status != 0 {
+					bail!("mktemp failed");
+				}
+				break;
+			}
+			_ => {}
+		}
+	}
+
+	ensure!(stdout.ends_with(b"\n"));
+	stdout.pop();
+
+	// Remote host is not neccessary linux, openssh crate makes incorrect assumptions here.
+	// TODO: Remove on local close.
+	let remote_dir = PathBuf::from(OsString::from_vec(stdout));
+	let remote_socket = remote_dir.join("primary.sock");
+
+	let local_dir = TempDir::new("remowt")?;
+	let local_socket = local_dir.path().join("primary.sock");
+
+	println!("listen");
+	socket.bind(&local_socket)?;
+	let listener = socket.listen(1)?;
+
+	eprintln!("forward socket");
+
+	let mut sock = sess
+		.channel_open_direct_streamlocal(dbg!(remote_socket.to_str().expect("path is utf-8")))
+		.await?;
+
+	eprintln!("wait");
+	while let Some(v) = sock.wait().await {
+		dbg!(v);
+	}
+
+	eprintln!("spawn agent");
+
+	// let _agent = sess
+	// 	.command("/home/lach/.remowt/remowt-agent")
+	// 	.arg("agent-real")
+	// 	.arg("--path")
+	// 	.arg(remote_socket.to_str().expect("path is utf-8"))
+	// 	.spawn()
+	// 	.await?;
+	//
+	// let (mut conn, _) = listener.accept().await?;
+	// let mut buf = [0u8; 13];
+	// conn.read_exact(&mut buf).await?;
+	// assert_eq!(&buf, b"REMOWT_HELLO\0");
+	// conn.write_all(b"REMOWT_EHLO\0").await?;
+	//
+	// println!("handshake complete!");
+
+	Ok(())
 }
modifiedcrates/polkit-shared/src/lib.rsdiffbeforeafterboth
--- a/crates/polkit-shared/src/lib.rs
+++ b/crates/polkit-shared/src/lib.rs
@@ -47,6 +47,19 @@
     pub details: HashMap<String, OwnedValue>,
 }
 
+impl Identity {
+    pub fn uid(&self) -> Option<Uid> {
+        if self.kind != "unix-user" {
+            return None;
+        }
+        let uid = self.details.get("uid")?;
+        let Value::U32(uid) = &**uid else {
+            return None;
+        };
+        Some(Uid::from_raw(*uid))
+    }
+}
+
 impl fmt::Display for Identity {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         match self.kind.as_str() {
addedcrates/remowt-link-shared/Cargo.tomldiffbeforeafterboth
--- /dev/null
+++ b/crates/remowt-link-shared/Cargo.toml
@@ -0,0 +1,11 @@
+[package]
+name = "remowt-link-shared"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+bifrostlink.workspace = true
+serde = { version = "1.0.208", features = ["derive"] }
+serde_json = "1.0.125"
+thiserror = "1.0.63"
+tokio = "1.39.3"
addedcrates/remowt-link-shared/src/lib.rsdiffbeforeafterboth
--- /dev/null
+++ b/crates/remowt-link-shared/src/lib.rs
@@ -0,0 +1,39 @@
+use bifrostlink::error::{ErrorT, ListenerForYourRequestHasBeenDeadError, ResponseError};
+use bifrostlink::AddressT;
+use serde::{Deserialize, Serialize};
+
+#[derive(Clone, Serialize, Hash, Eq, Debug, PartialEq, Deserialize)]
+pub enum Address {
+	User,
+    Agent,
+}
+impl AddressT for Address {}
+
+#[derive(thiserror::Error, Debug)]
+pub enum Error {
+    #[error("listener is dead")]
+    ListenerDead,
+    #[error("response: {0}")]
+    Response(String),
+}
+impl From<ListenerForYourRequestHasBeenDeadError> for Error {
+    fn from(_value: ListenerForYourRequestHasBeenDeadError) -> Self {
+        Self::ListenerDead
+    }
+}
+impl From<serde_json::Error> for Error {
+    fn from(_value: serde_json::Error) -> Self {
+        Self::ListenerDead
+    }
+}
+impl From<Error> for ResponseError {
+    fn from(val: Error) -> Self {
+        ResponseError(val.to_string())
+    }
+}
+impl From<ResponseError> for Error {
+    fn from(value: ResponseError) -> Self {
+        Self::Response(value.0)
+    }
+}
+impl ErrorT for Error {}
modifiedcrates/ui-prompt/Cargo.tomldiffbeforeafterboth
--- a/crates/ui-prompt/Cargo.toml
+++ b/crates/ui-prompt/Cargo.toml
@@ -4,6 +4,7 @@
 edition = "2021"
 
 [dependencies]
+bifrostlink.workspace = true
 serde = "1.0.204"
 thiserror = "1.0.63"
 tokio = { version = "1.39.2", features = ["io-util", "macros", "process", "rt"] }
addedcrates/ui-prompt/src/bifrost.rsdiffbeforeafterboth
--- /dev/null
+++ b/crates/ui-prompt/src/bifrost.rs
@@ -0,0 +1,166 @@
+use bifrostlink::error::ErrorT;
+use bifrostlink::{request, AddressT, Rpc};
+use serde::{Deserialize, Serialize};
+
+use crate::{Error, Prompter, Source};
+
+pub struct BifrostPrompter<A: AddressT, E: ErrorT> {
+	pub address: A,
+	pub rpc: Rpc<A, E>,
+}
+
+#[derive(Serialize, Deserialize)]
+struct EnumRequest {
+	prompt: String,
+	description: String,
+	variants: Vec<String>,
+	source: Vec<Source>,
+}
+#[derive(Serialize, Deserialize)]
+struct EnumResponse {
+	value: u32,
+}
+request!(EnumRequest => EnumResponse);
+
+#[derive(Serialize, Deserialize)]
+struct TextRequest {
+	echo: bool,
+	prompt: String,
+	description: String,
+	source: Vec<Source>,
+}
+#[derive(Serialize, Deserialize)]
+struct TextResponse {
+	value: String,
+}
+request!(TextRequest => TextResponse);
+
+#[derive(Serialize, Deserialize)]
+struct DisplayRequest {
+	error: bool,
+	description: String,
+	source: Vec<Source>,
+}
+request!(DisplayRequest => ());
+
+impl<A: AddressT, E: ErrorT> Prompter for BifrostPrompter<A, E>
+where
+	crate::Error: From<E>,
+{
+	async fn prompt_enum(
+		&self,
+		prompt: &str,
+		description: &str,
+		variants: &[&str],
+		source: &[crate::Source],
+	) -> crate::Result<u32> {
+		let res = self
+			.rpc
+			.request(
+				self.address.clone(),
+				&EnumRequest {
+					prompt: prompt.to_owned(),
+					description: description.to_owned(),
+					variants: variants.into_iter().map(|v| (*v).to_owned()).collect(),
+					source: source.to_vec(),
+				},
+			)
+			.await?;
+		Ok(res.value)
+	}
+
+	async fn prompt_text(
+		&self,
+		echo: bool,
+		prompt: &str,
+		description: &str,
+		source: &[crate::Source],
+	) -> crate::Result<String> {
+		let res = self
+			.rpc
+			.request(
+				self.address.clone(),
+				&TextRequest {
+					echo,
+					prompt: prompt.to_owned(),
+					description: description.to_owned(),
+					source: source.to_vec(),
+				},
+			)
+			.await?;
+		Ok(res.value)
+	}
+
+	async fn display_text(
+		&self,
+		error: bool,
+		description: &str,
+		source: &[crate::Source],
+	) -> crate::Result<()> {
+		self.rpc
+			.request(
+				self.address.clone(),
+				&DisplayRequest {
+					error,
+					description: description.to_owned(),
+					source: source.to_vec(),
+				},
+			)
+			.await?;
+		Ok(())
+	}
+}
+
+pub fn handle_bifrost_prompts<
+	P: Prompter + Clone + 'static,
+	A: AddressT,
+	E: ErrorT + From<Error>,
+>(
+	rpc: &Rpc<A, E>,
+	prompt: P,
+) {
+	rpc.register_request_handler(true, {
+		let prompt = prompt.clone();
+		move |_addr, req: EnumRequest| {
+			let prompt = prompt.clone();
+			async move {
+				let i = prompt
+					.prompt_enum(
+						&req.prompt,
+						&req.description,
+						&req.variants.iter().map(|v| v.as_str()).collect::<Vec<_>>(),
+						&req.source,
+					)
+					.await?;
+
+				Ok(EnumResponse { value: i })
+			}
+		}
+	});
+	rpc.register_request_handler(true, {
+		let prompt = prompt.clone();
+		move |_addr, req: TextRequest| {
+			let prompt = prompt.clone();
+			async move {
+				let i = prompt
+					.prompt_text(req.echo, &req.prompt, &req.description, &req.source)
+					.await?;
+
+				Ok(TextResponse { value: i })
+			}
+		}
+	});
+	rpc.register_request_handler(true, {
+		let prompt = prompt.clone();
+		move |_addr, req: DisplayRequest| {
+			let prompt = prompt.clone();
+			async move {
+				prompt
+					.display_text(req.error, &req.description, &req.source)
+					.await?;
+
+				Ok(())
+			}
+		}
+	});
+}
modifiedcrates/ui-prompt/src/lib.rsdiffbeforeafterboth
--- a/crates/ui-prompt/src/lib.rs
+++ b/crates/ui-prompt/src/lib.rs
@@ -5,6 +5,7 @@
 
 pub mod dbus;
 pub mod rofi;
+pub mod bifrost;
 
 #[derive(thiserror::Error, Debug)]
 pub enum Error {
@@ -25,7 +26,7 @@
     }
 }
 
-pub trait Prompter {
+pub trait Prompter: Send + Sync {
     fn prompt_radio(
         &self,
         prompt: &str,
@@ -77,6 +78,48 @@
     ) -> Result<String>;
     fn display_text(&self, error: bool, description: &str, source: &[Source]) -> Result<()>;
 }
+impl<P> Prompter for &P
+where
+    P: Prompter,
+{
+    fn prompt_radio(
+        &self,
+        prompt: &str,
+        description: &str,
+        source: &[Source],
+    ) -> impl Future<Output = Result<bool>> + Send {
+        (*self).prompt_radio(prompt, description, source)
+    }
+
+    fn prompt_enum(
+        &self,
+        prompt: &str,
+        description: &str,
+        variants: &[&str],
+        source: &[Source],
+    ) -> impl Future<Output = Result<u32>> + Send {
+        (*self).prompt_enum(prompt, description, variants, source)
+    }
+
+    fn prompt_text(
+        &self,
+        echo: bool,
+        prompt: &str,
+        description: &str,
+        source: &[Source],
+    ) -> impl Future<Output = Result<String>> + Send {
+        (*self).prompt_text(echo, prompt, description, source)
+    }
+
+    fn display_text(
+        &self,
+        error: bool,
+        description: &str,
+        source: &[Source],
+    ) -> impl Future<Output = Result<()>> + Send {
+        (*self).display_text(error, description, source)
+    }
+}
 
 pub struct PrependSourcePrompter<P> {
     pub prompter: P,
modifiedflake.nixdiffbeforeafterboth
--- a/flake.nix
+++ b/flake.nix
@@ -62,6 +62,7 @@
             cargo-release
             rustPlatform.bindgenHook
             pam
+              just
           ];
         };
         formatter = pkgs.alejandra;
modifiedrust-toolchain.tomldiffbeforeafterboth
--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
@@ -1,3 +1,4 @@
 [toolchain]
 channel = "nightly-2024-07-20"
 components = ["rustfmt", "clippy", "rust-analyzer", "rust-src"]
+targets = ["x86_64-unknown-linux-musl"]