benpye / wsl-ssh-pageant

A Pageant -> TCP bridge for use with WSL, allowing Pageant to be used as an ssh-agent within the WSL environment.
BSD 2-Clause "Simplified" License
612 stars 40 forks

Can't get authentication to work with WSL or Windows 10 SSH - What am I missing? #31

Closed avggeek closed 4 years ago

avggeek commented 4 years ago

Hello,

I've been trying to login to a server using keys loaded in pageant, but have had no luck with either WSL or Windows SSH. The steps I have done so far:

  1. Ensure pageant is running with various keys

  2. Run wsl-ssh-pageant with the following command wsl-ssh-pageant-amd64-gui.exe -force -systray -wsl C:\Users\avggeek\.wsl-ssh\ssh-agent.sock -winssh ssh-pageant

  3. Set SSH_AUTH_SOCK in cmd.exe using the following command set SSH_AUTH_SOCK=\\.\pipe\ssh-pageant

  4. Try to login to a server which has keys loaded in pageant using the following command ssh -vvvv -T avggeek@XX.XX.XXX.XXX -p 122

  5. SSH login does not find the loaded keys, and instead prompts me to enter a password:

OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug3: Failed to open file:C:/Users/avggeek/.ssh/config error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolve_canonicalize: hostname XX.XX.XXX.XXX is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to XX.XX.XXX.XXX [XX.XX.XXX.XXX] port 122.
debug1: Connection established.
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_rsa error:2
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_rsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\avggeek/.ssh/id_rsa type -1
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_rsa-cert error:2
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_rsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\avggeek/.ssh/id_rsa-cert type -1
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_dsa error:2
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_dsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\avggeek/.ssh/id_dsa type -1
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_dsa-cert error:2
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_dsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\avggeek/.ssh/id_dsa-cert type -1
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_ecdsa error:2
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_ecdsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\avggeek/.ssh/id_ecdsa type -1
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_ecdsa-cert error:2
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_ecdsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\avggeek/.ssh/id_ecdsa-cert type -1
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_ed25519 error:2
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_ed25519.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\avggeek/.ssh/id_ed25519 type -1
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_ed25519-cert error:2
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_ed25519-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\avggeek/.ssh/id_ed25519-cert type -1
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_xmss error:2
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_xmss.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\avggeek/.ssh/id_xmss type -1
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_xmss-cert error:2
debug3: Failed to open file:C:/Users/avggeek/.ssh/id_xmss-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\avggeek/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u7
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to XX.XX.XXX.XXX:122 as 'avggeek'
debug3: put_host_port: [XX.XX.XXX.XXX]:122
debug3: hostkeys_foreach: reading file "C:\\Users\\avggeek/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\avggeek/.ssh/known_hosts:6
debug3: load_hostkeys: loaded 1 keys from [XX.XX.XXX.XXX]:122
debug3: Failed to open file:C:/Users/avggeek/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: ssh-ed25519,ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:ceW76IAd8FpgT/DAZIfwSXUa9xSwTljujF+JvKWXq1I
debug3: put_host_port: [XX.XX.XXX.XXX]:122
debug3: put_host_port: [XX.XX.XXX.XXX]:122
debug3: hostkeys_foreach: reading file "C:\\Users\\avggeek/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\avggeek/.ssh/known_hosts:6
debug3: load_hostkeys: loaded 1 keys from [XX.XX.XXX.XXX]:122
debug3: Failed to open file:C:/Users/avggeek/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: hostkeys_foreach: reading file "C:\\Users\\avggeek/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\avggeek/.ssh/known_hosts:6
debug3: load_hostkeys: loaded 1 keys from [XX.XX.XXX.XXX]:122
debug3: Failed to open file:C:/Users/avggeek/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug1: Host '[XX.XX.XXX.XXX]:122' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\avggeek/.ssh/known_hosts:6
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: pubkey_prepare: ssh_fetch_identitylist: Invalid key length
debug2: key: C:\\Users\\avggeek/.ssh/id_rsa (0000000000000000)
debug2: key: C:\\Users\\avggeek/.ssh/id_dsa (0000000000000000)
debug2: key: C:\\Users\\avggeek/.ssh/id_ecdsa (0000000000000000)
debug2: key: C:\\Users\\avggeek/.ssh/id_ed25519 (0000000000000000)
debug2: key: C:\\Users\\avggeek/.ssh/id_xmss (0000000000000000)
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
*****************************************************************
*This is a private SSH service.*
*Unless you know why you are here, Please leave immediately. *
*****************************************************************
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\avggeek/.ssh/id_rsa
debug3: no such identity: C:\\Users\\avggeek/.ssh/id_rsa: No such file or directory
debug1: Trying private key: C:\\Users\\avggeek/.ssh/id_dsa
debug3: no such identity: C:\\Users\\avggeek/.ssh/id_dsa: No such file or directory
debug1: Trying private key: C:\\Users\\avggeek/.ssh/id_ecdsa
debug3: no such identity: C:\\Users\\avggeek/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: C:\\Users\\avggeek/.ssh/id_ed25519
debug3: no such identity: C:\\Users\\avggeek/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: C:\\Users\\avggeek/.ssh/id_xmss
debug3: no such identity: C:\\Users\\avggeek/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: failed to open file:C:/dev/tty error:3
debug1: read_passphrase: can't open /dev/tty: No such file or directory
avggeek@XX.XX.XXX.XXX's password:

It seems like the SSH_AUTH_SOCK is not actually visible to SSH but apart from that I'm not able to determine what is going wrong. Would appreciate any help that I can get in figuring out what I'm doing wrong!

avggeek commented 4 years ago

@benpye May I know if you are still maintaining this tool? This is the only one I’ve seen so far that does both WSL and native SSH so it would be great to get it working.

benpye commented 4 years ago

Hey @avggeek - sorry I've taken so long to look at this. Looking at that SSH log it doesn't look like it's trying the agent at all. You should be able to verify that by running wsl-ssh-pageant with the verbose flag.

I've noticed the SSH build shipping in Windows is sometimes a little flakey, have you tried the newer build from https://github.com/PowerShell/Win32-OpenSSH/releases ?

And just to check, are you trying WSL 1 or WSL 2? Unfortunately AF_UNIX sockets are not yet supported in WSL 2 though there is a way to get around this with socat and npiperelay if necessary.

avggeek commented 4 years ago

Hi @benpye. I will give a quick update first on the outcome of trying the various suggestions you mentioned:

> You should be able to verify that by running wsl-ssh-pageant with the verbose flag.

Running wsl-ssh-pageant with the verbose flag did not throw any errors. BTW, the README does not mention the presence of a -verbose flag.

> And just to check, are you trying WSL 1 or WSL 2?

I am running on WSL 1.

> I've noticed the SSH build shipping in Windows is sometimes a little flakey, have you tried the newer build from https://github.com/PowerShell/Win32-OpenSSH/releases ?

There's a fairly long explanation below but TL;DR - RSA key lengths of <1024 are supported by PuTTY but not by OpenSSH 7.6 and higher.

So interestingly, trying to test everything again with the newest release of Win32-OpenSSH gave me my first clue on the source of this issue. If you look at the ssh debug log I had shared above, there is a very interesting line in there:

debug1: pubkey_prepare: ssh_fetch_identitylist: Invalid key length

The invalid key length message was something I had recently encountered when trying to push code to bitbucket.org repos. I eventually noticed that my Bitbucket public key showed a key length of 1023 chars. If you are wondering how that oddly specific key length came about, the answer to that lies in the puttygen documentation: puttygen-strength.

By itself a key length of <1024 chars isn't a problem (well apart from an opsec perspective) but OpenSSH 7.6 release notes list a potential breaking change:

Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement.

OpenSSH 7.9 is the default in Debian 10 (compared to OpenSSH 7.4 in Debian 9) so I assume this change is relatively new.

Anyway, once I saw that invalid key length message, I verified that this was the source of the issue by going to WSL and running ssh-add -l, which showed the error "error fetching identities: Invalid key length".

Once I removed the key with a key length of 1023 bits from Pageant, ssh-add -l started showing me a list of available keys and I was able to login using my SSH keys in Pageant both in WSL and the Windows 10 SSH client (both shipping build and pre-release versions).

Figured I would document my debugging process here for anyone else who uses this tool and finds themselves stuck on this problem.
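The failure mode described in this thread is that one undersized RSA key makes OpenSSH's ssh_fetch_identitylist reject the agent's entire identity list, so every key loaded in Pageant becomes unusable, not just the weak one. The following script is an added example (not part of this issue, wsl-ssh-pageant, or OpenSSH) that speaks the ssh-agent protocol directly: it sends SSH_AGENTC_REQUEST_IDENTITIES, parses the SSH_AGENT_IDENTITIES_ANSWER, and reports the modulus size of each RSA key so the offending key can be identified before ssh-add -l gives up. The sample identity list is constructed inline with synthetic moduli (only their bit length matters for this check); the 1024-bit threshold is OpenSSH's documented minimum for RSA keys since 7.6, and the function and variable names are the example's own.

```python
import os
import socket
import struct

# ssh-agent protocol message numbers (draft-miller-ssh-agent)
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

# Minimum RSA modulus size OpenSSH accepts (7.6 release notes: "Refuse RSA keys <1024 bits")
SSH_RSA_MINIMUM_MODULUS_SIZE = 1024


def put_string(b: bytes) -> bytes:
    """SSH 'string' wire encoding: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def put_mpint(n: int) -> bytes:
    """SSH 'mpint' encoding for a non-negative integer (leading 0x00 if high bit set)."""
    if n == 0:
        return put_string(b"")
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return put_string(b)


class Reader:
    """Minimal cursor over an SSH wire buffer."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def string(self) -> bytes:
        n = self.u32()
        s = self.data[self.pos:self.pos + n]
        if len(s) != n:
            raise ValueError("truncated agent message")
        self.pos += n
        return s

    def mpint(self) -> int:
        return int.from_bytes(self.string(), "big")


def key_bits(blob: bytes):
    """Return (key type, size in bits) for a public key blob; size is None for unknown types."""
    r = Reader(blob)
    ktype = r.string().decode()
    if ktype == "ssh-rsa":
        r.mpint()                      # public exponent e, not needed here
        return ktype, r.mpint().bit_length()
    if ktype == "ssh-ed25519":
        return ktype, len(r.string()) * 8
    return ktype, None


def parse_identities_answer(msg: bytes):
    """Parse an SSH_AGENT_IDENTITIES_ANSWER body (length prefix already stripped)."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an SSH_AGENT_IDENTITIES_ANSWER")
    r = Reader(msg)
    r.pos = 1
    identities = []
    for _ in range(r.u32()):
        blob = r.string()
        comment = r.string().decode(errors="replace")
        ktype, bits = key_bits(blob)
        # OpenSSH fails the whole identity fetch as soon as it hits one such key.
        rejected = ktype == "ssh-rsa" and bits is not None and bits < SSH_RSA_MINIMUM_MODULUS_SIZE
        identities.append({"type": ktype, "bits": bits, "comment": comment,
                           "rejected_by_openssh": rejected})
    return identities


def recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def query_agent(sock_path: str = None):
    """Query a live agent over its AF_UNIX socket (WSL 1 / Linux; $SSH_AUTH_SOCK by default)."""
    path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(put_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        (length,) = struct.unpack(">I", recv_exact(s, 4))
        return parse_identities_answer(recv_exact(s, length))


# --- constructed sample data (synthetic moduli; only the bit length is meaningful) ---
def rsa_blob(bits: int, e: int = 65537) -> bytes:
    n = (1 << (bits - 1)) | 1           # exactly `bits` bits long, not a real key
    return put_string(b"ssh-rsa") + put_mpint(e) + put_mpint(n)


def build_identities_answer(keys) -> bytes:
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        body += put_string(blob) + put_string(comment)
    return body


SAMPLE_ANSWER = build_identities_answer([(rsa_blob(1023), b"puttygen 1023-bit key"),
                                         (rsa_blob(2048), b"puttygen 2048-bit key")])


def weak_keys(identities):
    return [i for i in identities if i["rejected_by_openssh"]]


if __name__ == "__main__":
    ids = parse_identities_answer(SAMPLE_ANSWER)
    for i in ids:
        flag = "  <-- OpenSSH will refuse the whole list" if i["rejected_by_openssh"] else ""
        print(f'{i["type"]} {i["bits"]} {i["comment"]}{flag}')
```

Run it as-is to see the constructed list; inside WSL 1 with wsl-ssh-pageant running, call query_agent() instead of using SAMPLE_ANSWER to inspect the real Pageant identities through the bridge. Any entry flagged as rejected explains an "Invalid key length" from ssh or ssh-add and should be removed from Pageant (and, as the thread notes, regenerated at a sensible size).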

benpye commented 4 years ago

I'm going to close this bug as the issue appears to be resolved.