ansible / ansible-navigator

A text-based user interface (TUI) for Ansible.
https://ansible.readthedocs.io/projects/navigator/
Apache License 2.0

SSH Agent Forwarding With VS Code Remote-SSH #1593

Open timway opened 1 year ago

timway commented 1 year ago
ISSUE TYPE
SUMMARY

Symbolic links are not followed when determining the volume mount paths for the SSH agent forwarding bits.

Running on Mac OS, I add an SSH key with a passphrase into my SSH agent. Leveraging VS Code with the Remote-SSH plugin, I forward the agent into the remote host. This works fine, the remote host can run ssh-add -l and I see the key and am able to ssh into the managed node I want to use with ansible-navigator.

The VS Code Remote-SSH plugin sets up SSH_AUTH_SOCK to point to a file within the tmpdir configuration value in the plugin which seems to be /run/user/<uid-of-remote-host-user>. It essentially just creates a symbolic link to the normal file where the forwarded agent is placed by ssh.

ANSIBLE-NAVIGATOR VERSION
$ rpm -qi ansible-navigator
Name        : ansible-navigator
Version     : 3.4.1
Release     : 1.el8ap
Architecture: noarch
Install Date: Tue 08 Aug 2023 04:01:18 PM UTC
Group       : Unspecified
Size        : 1922971
License     : ASL 2.0
Signature   : RSA/SHA256, Thu 03 Aug 2023 05:49:14 PM UTC, Key ID 199e2f91fd431d51
Source RPM  : ansible-navigator-3.4.1-1.el8ap.src.rpm
Build Date  : Thu 03 Aug 2023 05:45:17 PM UTC
Build Host  : s390-064.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/ansible/ansible-navigator
Summary     : A text-based user interface (TUI) for the Red Hat Ansible Automation Platform
Description :
A text-based user interface (TUI) for the Red Hat Ansible Automation Platform
CONFIGURATION
LOG FILE

VS Code Remote-SSH Log

[20:16:06.380] Updating $SSH_AUTH_SOCK: ln -f -s "/tmp/ssh-xkYbL0MKH1/agent.14010" "/run/user/1000/vscode-ssh-auth-sock-114491209"
STEPS TO REPRODUCE
EXPECTED RESULTS

I'd expect the SSH agent is forwarded into the VM correctly.

ACTUAL RESULTS

It fails to connect to the SSH agent specified by SSH_AUTH_SOCK in the environment.

ADDITIONAL INFORMATION

I know this is a bit of an esoteric configuration but I keep trying different ways to use SSH keys particularly ones protected by passphrases with ansible-navigator starting from Mac OS and am just continuously coming up empty.

timway commented 1 year ago

This appears to be an issue with ansible-runner and not ansible-navigator directly. I'll file an issue and potentially try to write a PR for it over there.

https://github.com/ansible/ansible-runner/blob/aef73cf7265b807c877697e74585f74d58459366/src/ansible_runner/config/_base.py#L632-L652

David-Igou commented 1 year ago

As a quick fix, I was able to work around this by setting my SSH_AUTH_SOCK to the file vscode-ssh-auth-sock linked to. (e.g., export SSH_AUTH_SOCK=/tmp/ssh-xkYbL0MKH1/agent.14010)

snapp commented 1 year ago

> As a quick fix, I was able to work around this by setting my SSH_AUTH_SOCK to the file vscode-ssh-auth-sock linked to. (e.g., export SSH_AUTH_SOCK=/tmp/ssh-xkYbL0MKH1/agent.14010)

@David-Igou, here's an alternative approach that doesn't require you to find out what the path is to your socket:

SSH_AUTH_SOCK=$( [[ -L "$SSH_AUTH_SOCK" ]] && readlink "$SSH_AUTH_SOCK" || echo "$SSH_AUTH_SOCK" ) ansible-navigator

I ended up setting an alias that included this approach so it didn't matter if I was ssh'ing directly into the host from a terminal or whether I was using VSCode Remote SSH. The above just checks to see if $SSH_AUTH_SOCK is a symlink and uses readlink to get the correct file path set if necessary.
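
A Python version of the symlink resolution described above, which also models why the unresolved link fails; this is an added example, not part of the thread and not ansible-runner's code. It assumes the container receives only the parent directory of the `SSH_AUTH_SOCK` path as a bind mount, and `resolve_agent_socket` and `reachable_with_dir_mount` are hypothetical names.

```python
import os
import stat


def resolve_agent_socket(env=None):
    """Return the real path behind SSH_AUTH_SOCK, or raise ValueError.

    Rejects anything that is not a Unix socket owned by the current user,
    so a stale or foreign path is never handed to the container runtime.
    """
    env = os.environ if env is None else env
    raw = env.get("SSH_AUTH_SOCK")
    if not raw:
        raise ValueError("SSH_AUTH_SOCK is not set")
    real = os.path.realpath(raw)  # follows the whole symlink chain
    try:
        st = os.stat(real)
    except OSError as exc:
        raise ValueError(f"{raw} does not resolve to an existing file") from exc
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{real} is not a Unix socket")
    if st.st_uid != os.getuid():
        raise ValueError(f"{real} is not owned by the current user")
    return real


def reachable_with_dir_mount(sock_path):
    """Model (assumption): only the parent directory of sock_path is
    bind-mounted into the container. Return True if the socket the path
    finally points at lives under that directory, False if the link
    would dangle inside the container."""
    mounted = os.path.realpath(os.path.dirname(os.path.abspath(sock_path)))
    target = os.path.realpath(sock_path)
    return os.path.commonpath([mounted, target]) == mounted


if __name__ == "__main__":
    try:
        sock = resolve_agent_socket()
        print("agent socket:", sock)
        print("reachable via parent-dir mount:", reachable_with_dir_mount(sock))
    except ValueError as err:
        print("not usable:", err)
```
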

timway commented 1 year ago

Thanks @David-Igou and @snapp I appreciate the work-arounds. Thanks @ssbarnea for dropping it on the board for a longer term fix.