PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

Agent Forwarding Windows client to Windows host not working? #1865

Open monil-patel opened 2 years ago

monil-patel commented 2 years ago

Originally posted here: https://github.com/PowerShell/openssh-portable/issues/540, but was asked to open an issue here

"OpenSSH for Windows" version: 8.1.0.1

Server OperatingSystem: Windows 10 Enterprise

Client OperatingSystem: Windows 10 Pro

What is failing: Unable to forward ssh keys through agent forwarding from windows client -> windows server

Is agent forwarding supported when connecting from a Windows client to a Windows host machine?

I tried all of the things below, but had no luck and stumbled across this comment https://github.com/PowerShell/Win32-OpenSSH/issues/1136#issuecomment-500549297 which says "Agent forwarding is not supported on the server yet, but you should be able to use the client to forward agent to a non-Windows target."

Was following these instructions from GitHub: https://docs.github.com/en/developers/overview/using-ssh-agent-forwarding

1) Used keygen to generate public/private keys and added public to github.com

2) ssh-add "location of private key". Can see them on client machine through ssh-add -l

3) Test using agent

PS C:\Users\monil> ssh -T git@github.com
Hi monil-patel! You've successfully authenticated, but GitHub does not provide shell access.

4) Specified ForwardAgent in the ssh config

Host my-pc
  HostName host...
  User username
  IdentityFile C:\Users\user\.ssh\id_rsa
  ForwardAgent yes

5) ssh to my-pc, and run ssh -T git@github.com again

Expected output

# ssh session
PS C:\Users\monil> ssh -T git@github.com
Hi monil-patel! You've successfully authenticated, but GitHub does not provide shell access.

Actual output

# ssh session
git@github.com: Permission denied (publickey).

Can't list any keys under the ssh session

# ssh session
C:\Users\monil>ssh-add -l
Error connecting to agent: No such file or directory

dmikushin commented 2 years ago

Dear @bagajjal, could you please consider elevating the priority of this issue? We all know Windows is not about security, but using private keys instead of passwords is such a common practice nowadays that all Microsoft's efforts on OpenSSH become useless without this feature.

nem8 commented 1 year ago

Been trying to use a Windows jump for ssh jump but no bueno.. ssh works fine for the initial linux->windowsjump connection, but not able to forward agent for authentication with the next Linux server. (chain looks like this: linux->windows->linux)

Having a working openssh server in windows would solve a lot of issues for me as we already have windows jump hosts established for reaching other segments of the network.

ddnomad commented 1 year ago

Have the same issue trying to go Windows 10 -> Windows Server 2022 -> git clone from GitLab instance, forwarding seems to be broken.

davidkhess commented 1 year ago

It appears the issue is that the OpenSSH server hasn't been modified to set up a Windows pipe instead of a Unix socket. Seeing these error messages in the sshd service log when agent forwarding is attempted:

6536 2023-02-23 21:31:57.977 debug1: session_input_channel_req: session 0 req auth-agent-req@openssh.com
6536 2023-02-23 21:31:57.977 Unix domain server sockets are not supported
6536 2023-02-23 21:31:57.977 error: unix_listener: cannot bind to path /tmp/ssh-xiQjI8Be4b/agent.5160: Operation not supported
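
An added example, not part of the thread or of the Win32-OpenSSH project: a Python triage script that scans an sshd service log in the layout quoted above and reports agent-forwarding requests that the same sshd process then failed to serve. The function name and the log lines marked as constructed are assumptions for illustration.

```python
import re
from datetime import datetime

# Layout of the sshd service log quoted above: "<pid> <date> <time> <message>"
LINE_RE = re.compile(r"^(\d+) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
AGENT_REQ_RE = re.compile(
    r"session_input_channel_req: session (\d+) req auth-agent-req@openssh\.com")
BIND_FAIL_RE = re.compile(r"error: unix_listener: cannot bind to path (\S+): (.+)$")

# First three lines are the ones quoted in the thread; the rest are constructed.
SAMPLE_LOG = """\
6536 2023-02-23 21:31:57.977 debug1: session_input_channel_req: session 0 req auth-agent-req@openssh.com
6536 2023-02-23 21:31:57.977 Unix domain server sockets are not supported
6536 2023-02-23 21:31:57.977 error: unix_listener: cannot bind to path /tmp/ssh-xiQjI8Be4b/agent.5160: Operation not supported
7120 2023-02-23 21:40:02.114 debug1: session_input_channel_req: session 0 req shell
7120 2023-02-23 21:40:02.120 error: unix_listener: cannot bind to path /tmp/constructed/other.1: Operation not supported
""".splitlines()


def find_refused_agent_forwarding(lines):
    """Pair each auth-agent-req with a later listener bind failure from the
    same sshd process (hypothetical helper, not part of OpenSSH)."""
    pending = {}    # pid -> (request time, session id) still waiting for an outcome
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # continuation or foreign line: ignore
        pid, msg = int(m.group(1)), m.group(3)
        when = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S.%f")
        req = AGENT_REQ_RE.search(msg)
        if req:
            pending[pid] = (when, int(req.group(1)))
            continue
        fail = BIND_FAIL_RE.search(msg)
        if fail and pid in pending:       # a bind failure with no request is unrelated
            requested_at, session = pending.pop(pid)
            findings.append({"pid": pid, "session": session,
                             "requested_at": requested_at.isoformat(),
                             "path": fail.group(1), "reason": fail.group(2)})
    return findings


if __name__ == "__main__":
    for f in find_refused_agent_forwarding(SAMPLE_LOG):
        print(f"pid {f['pid']} session {f['session']}: agent forwarding refused "
              f"({f['reason']}; listener path {f['path']})")
```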

globi84 commented 1 year ago

Hi together, I have the same issue from Windows 11 (OpenSSH_for_Windows_8.6p1) -> Windows Server 2022 (OpenSSH_for_Windows_8.1p1) -> git clone from a GitLab instance

the-working-rene commented 1 year ago

The bug also affects the latest version OpenSSH_for_Windows_9.2p1, LibreSSL 3.7.2

mrtumnus commented 1 year ago

This is quite disappointing. This prevents using git + public key auth within a Windows VM, connected from VSCode and Remote SSH.

plashenkov commented 6 months ago

For those looking for agent forwarding working. Beta versions already allow this. Just download the latest msi from GitHub releases, install it, and you've got it.

Thank you, devs! You're the best!

florisvdg commented 6 months ago

@plashenkov Could you elaborate on that? Are you SSH forwarding to a Windows machine that runs the OpenSSH server and you can use your local keys? Does that create a new named pipe and set SSH_AUTH_SOCK like when forwarding to a Linux server?

plashenkov commented 6 months ago

@florisvdg

I have OpenSSH auth agent running on Windows and local SSH keys with a passphrase. Now I can connect to VMs (running locally) with Linux as well as to my real cloud servers. I can connect to my cloud servers from VMs now as well.

My VMs run Docker services as well, and if I pass SSH_AUTH_SOCK there (from the VM to a Docker container), I can connect to my cloud servers even from the Docker container as well.

I can confirm that my SSH keys are only on my Windows host.

P.S. Ah, you are asking about a Windows host and a Windows server. I didn't try that. I have a Windows host and everything else is Linux. Stable Windows OpenSSH versions didn't allow that while the beta now allows.

florisvdg commented 6 months ago

Right, that makes sense now. Thanks for the clarification.

So yeah, people looking to SSH into a Windows box with agent forwarding enabled will still have to wait :(

I'll be watching this PR in the meantime. 👀

nocanstillbb commented 5 months ago

I had set ssh_shell to win32 version bash, but still can't forward ssh socket