containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

podman remote not using ssh-agent on Windows #24144

Open jtognazzi opened 2 months ago

jtognazzi commented 2 months ago

Issue Description

I was following the Podman remote-client tutorial and couldn't make it use the ssh agent.

In the tutorial an identity is used when creating the new remote connection, but this leads to being asked for the key passphrase. I read somewhere that I should not set an identity so the connection would use my ssh agent, but it does not seem to be working on Windows.

Steps to reproduce the issue

Prerequisite: You should have a Linux box with podman installed and running as rootless.

Steps to reproduce the issue

  1. Add a new connection:
    > podman --remote system connection add remote ssh://myuser@mylinuxbox/run/user/1000/podman/podman.sock
  2. List the existing connections:
    > podman --remote system connection list
    Name                         URI                                                                 Identity                                                          Default     ReadWrite
    podman-machine-default       ssh://user@127.0.0.1:62876/run/user/1000/podman/podman.sock         C:\Users\MyUser\.local\share\containers\podman\machine\machine  true        true
    podman-machine-default-root  ssh://root@127.0.0.1:62876/run/podman/podman.sock                   C:\Users\MyUser\.local\share\containers\podman\machine\machine  false       true
    remote                       ssh://myuser@mylinuxbox:22/run/user/1000/podman/podman.sock                                                                                  false       true
  3. Check the remote connection:
    > podman --remote -c remote info --log-level=debug
    time="2024-10-03T14:14:59+02:00" level=info msg="C:\\Program Files\\RedHat\\Podman\\podman.exe filtering at log level debug"
    time="2024-10-03T14:14:59+02:00" level=debug msg="Called info.PersistentPreRunE(C:\\Program Files\\RedHat\\Podman\\podman.exe -c tognjul1 info --log-level=debug)"
    myuser's login password:
    time="2024-10-03T14:15:03+02:00" level=debug msg="DoRequest Method: GET URI: http://d/v5.2.3/libpod/_ping"
    time="2024-10-03T14:15:03+02:00" level=debug msg="DoRequest Method: GET URI: http://d/v5.2.3/libpod/info"
    host:
    arch: amd64
    buildahVersion: 1.37.3
    cgroupControllers:
    - cpuset
    - cpu
    - io
    - memory
    - pids
    cgroupManager: systemd
    cgroupVersion: v2
    ...

Describe the results you received

podman is asking for the user password

Describe the results you expected

podman can connect without interaction

podman info output

> podman version
Client:       Podman Engine
Version:      5.2.3
API Version:  5.2.3
Go Version:   go1.23.1
Git Commit:   c5366a308e89edd9636b66faf79bd5cb18ed0905
Built:        Tue Sep 24 17:22:39 2024
OS/Arch:      windows/amd64

Server:       Podman Engine
Version:      5.1.1
API Version:  5.1.1
Go Version:   go1.22.3
Built:        Tue Jun  4 02:00:00 2024
OS/Arch:      linux/amd64

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Additional information

If I set an identity when creating the connection, then it asks for the key passphrase.

I also tried to explicitly set $env:SSH_AUTH_SOCK="\\.\pipe\openssh-ssh-agent", but then I get this error:

> podman -c remote info --log-level=debug
time="2024-10-03T14:21:30+02:00" level=info msg="C:\\Program Files\\RedHat\\Podman\\podman.exe filtering at log level debug"
time="2024-10-03T14:21:30+02:00" level=debug msg="Called info.PersistentPreRunE(C:\\Program Files\\RedHat\\Podman\\podman.exe -c remote info --log-level=debug)"
time="2024-10-03T14:21:30+02:00" level=debug msg="Found SSH_AUTH_SOCK \"\\\\\\\\.\\\\pipe\\\\openssh-ssh-agent\", ssh-agent signer enabled"
time="2024-10-03T14:21:30+02:00" level=debug msg="Using Podman machine with `wsl` virtualization provider"
OS: windows/amd64
provider: wsl
version: 5.2.3

Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: dial unix \\.\pipe\openssh-ssh-agent: connect: No connection could be made because the target machine actively refused it.
time="2024-10-03T14:21:30+02:00" level=debug msg="Shutting down engines"

But this was just a guess, and I'm not sure it is relevant.

jtognazzi commented 2 months ago

The issue mentioning that the identity should not be set is https://github.com/containers/podman/issues/7806, and https://github.com/containers/podman/issues/15121 is kind of related (it is about connecting to a WSL instance rather than a remote host), but I think this is relevant.

jtognazzi commented 2 months ago

Of course, a workaround would be to use a key with an empty passphrase.

asclepiadae commented 1 month ago

Running headfirst into this issue myself. I have a remote Fedora machine running podman as the host, and a Windows 11 desktop I would like to use as the remote client.

I have an Ed25519 key generated on the client machine, then added to the authorized_keys on the host. The key on the Windows machine is encrypted at rest with a passphrase.

I generated the connection using podman --remote system connection add remotehost --identity C:\Users\username\.ssh\id_ed25519 ssh://username@192.168.5.254/run/user/1000/podman/podman.sock

Running podman system connection list I get:

Name        URI                                                                Identity                           Default     ReadWrite
remotehost  ssh://username@192.168.5.254:22/run/user/1000/podman/podman.sock   C:\Users\username\.ssh\id_ed25519  true        true

Then after running podman info I get an input request for the Key Passphrase, which I enter and the remote host information is displayed correctly in full.

If I run podman info again seconds later, within the same PowerShell window, it asks me for the passphrase again.

Now, if I create the connection without an identity I get a different error, as the host is configured to ONLY accept key authentication.

PS C:\Users\username> podman --remote system connection add remotehost ssh://usernamep@192.168.5.254/run/user/1000/podman/podman.sock
PS C:\Users\username> podman system connection list
Name        URI                                                                 Identity    Default     ReadWrite
remotehost  ssh://usernamep@192.168.5.254:22/run/user/1000/podman/podman.sock               true        true
PS C:\Users\username> podman -c remotehost ps
Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: failed to connect: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain

I wonder if perhaps the work on the ssh interface from containers/podman/pull/15094 could hold an answer, and whether forcing --ssh native could help, as my cursory look suggests it might. In that PR, @cdoern said they will

go back and abstract the idea of podman --remote from golang's dialed clients, as it should not be so intrinsically connected. Overall, this is a v1 of a long process of offering native ssh

But they appear to be on a different project now and haven't made a PR since Dec 2022, so I'm unsure if the native ssh project stalled when they moved within Red Hat.
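Both reports above (the passphrase prompt on every call in the issue body, and the "attempted methods [none]" failure on a key-only host in the previous comment) leave open whether the Windows OpenSSH agent is actually running, holds the key, and can authenticate to the host on its own. The following PowerShell script is an added example that is not part of this issue or of the Podman project; it checks those three things with the stock Windows OpenSSH tools before any podman command is run. The user name, host name, key path and socket path are placeholders taken from the connection URIs in this thread, and the script assumes Windows' built-in OpenSSH (the ssh-agent service and its \\.\pipe\openssh-ssh-agent named pipe), not a third-party agent.

```powershell
# Added example (not from the Podman project): verify that the Windows OpenSSH
# agent can authenticate to the remote Podman host non-interactively, so that a
# later passphrase or password prompt can be attributed to the Podman client
# rather than to the agent or to the host's sshd configuration.
# Placeholders: adjust these for your environment.
$RemoteUser = 'myuser'                               # placeholder
$RemoteHost = 'mylinuxbox'                           # placeholder
$KeyPath    = "$HOME\.ssh\id_ed25519"                # placeholder: passphrase-protected key
$SocketPath = '/run/user/1000/podman/podman.sock'    # rootless socket path from the URI
$AgentPipe  = '\\.\pipe\openssh-ssh-agent'           # Windows OpenSSH agent named pipe

function Test-SshAgentReady {
    # 1. The ssh-agent service must be running; on Windows its startup type
    #    is 'Disabled' out of the box, so this is the most common failure.
    $svc = Get-Service -Name ssh-agent -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Warning "ssh-agent service is not running. Enable it once with: Set-Service ssh-agent -StartupType Manual; Start-Service ssh-agent"
        return $false
    }
    # 2. The agent's named pipe must exist; this is what ssh.exe talks to.
    if (-not (Test-Path $AgentPipe)) {
        Write-Warning "Agent pipe $AgentPipe not found"
        return $false
    }
    # 3. The agent must hold at least one identity. ssh-add -l exits 0 when
    #    keys are loaded, 1 when the agent is empty, 2 when it is unreachable.
    $null = & ssh-add -l 2>$null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "No identities loaded (ssh-add exit $LASTEXITCODE). Load the key once, entering the passphrase here rather than on every call: ssh-add $KeyPath"
        return $false
    }
    return $true
}

function Test-NonInteractiveSsh {
    # BatchMode=yes makes ssh fail instead of prompting for a passphrase or
    # password, so exit code 0 proves the agent alone authenticated us. The
    # remote command also confirms the rootless Podman socket exists.
    & ssh -o BatchMode=yes -o ConnectTimeout=10 "$RemoteUser@$RemoteHost" "test -S $SocketPath"
    return ($LASTEXITCODE -eq 0)
}

# Leave SSH_AUTH_SOCK unset for this check: Windows ssh.exe finds the agent
# pipe on its own, and the issue body shows that a pipe path in SSH_AUTH_SOCK
# makes the Podman client try to dial it as a unix socket.
if ($env:SSH_AUTH_SOCK) {
    Write-Warning "SSH_AUTH_SOCK is set to '$env:SSH_AUTH_SOCK'; consider clearing it for this check"
}

if ((Test-SshAgentReady) -and (Test-NonInteractiveSsh)) {
    Write-Host "Agent authentication to $RemoteHost works and $SocketPath exists; safe to run: podman --remote -c remote info"
} else {
    Write-Host "Fix the warnings above before testing podman --remote"
    exit 1
}
```

Run this in the same PowerShell window you will use for podman. If it succeeds but `podman --remote -c remote info` still prompts for a passphrase or login password, the agent and the host's sshd are doing their job and the difference lies in how the Podman client reaches the agent on Windows, which is the question this issue raises.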

github-actions[bot] commented 2 weeks ago

A friendly reminder that this issue had no activity for 30 days.