search

eclipse-theia / theia

Eclipse Theia is a cloud & desktop IDE framework implemented in TypeScript.
http://theia-ide.org
Eclipse Public License 2.0
20.11k stars 2.5k forks source link

Git UI plugin only accepts passwordless SSH keys #9575

Closed anavarre closed 2 years ago

anavarre commented 3 years ago

Bug Description:

When a passphrase is added to an SSH key (confirmed by the encrypted key when reading the file), the Git UI fails to perform operations and returns the below message:

Request failed with message: Authentication failed. You may not have permission to access the repository or the repository may have been archived

https://user-images.githubusercontent.com/293478/121486724-b19aeb80-c9d1-11eb-8308-92a330ffbf12.mp4

However, when we have a passwordless key (confirmed by the lack of encryption in the key), operations work well.

https://user-images.githubusercontent.com/293478/121486714-ae9ffb00-c9d1-11eb-932f-e3cf58dd40a7.mp4

Steps to Reproduce:

  1. Create a passphrase for your SSH key
  2. Try to perform Git operations
  3. Observe you get a notification message with the error

Additional Information

vince-fugnitto commented 3 years ago

It would be good to confirm if this issue is also resolved by using the vscode-builtin-git extension as discussed in https://github.com/eclipse-theia/theia/issues/9574. We can keep it open as a tracker for @theia/git however.

anavarre commented 3 years ago

Will absolutely report back. Thanks!

anavarre commented 3 years ago

Installed the extension

git-openvsx

Confirmed the new menu items are there

git-openvsx-menu

...But sadly this is still happening. #9559 wouldn't be a big deal, but the passwordless SSH is more problematic because it weakens the security model.

vince-fugnitto commented 3 years ago

@anavarre does it work for you out-of-the-box in vscode? I see the following issue for example: https://github.com/microsoft/vscode/issues/13680.

anavarre commented 3 years ago

@vince-fugnitto I'm not sure I'm a good candidate for testing this because on Manjaro (KDE) I don't have ssh-askpass installed, which then gets VSCode running into:

> git fetch
ssh_askpass: exec(/usr/lib/ssh/ssh-askpass): No such file or directory
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
anavarre commented 3 years ago

ATM we are exploring whether https://www.npmjs.com/package/dugite has any support for passphrases. It seems if an upstream contribution had to be made it'd be in this package so Theia could inherit from the fix.

anavarre commented 3 years ago

@anavarre does it work for you out-of-the-box in vscode? I see the following issue for example: microsoft/vscode#13680.

I had a colleague test on a Mac and local VSCode with Git integration works with a local passphrase.

anavarre commented 3 years ago

We haven't yet looked in details but it might seem we would have to contribute a patch upstream in https://www.npmjs.com/package/dugite - We'll look into our options.

anavarre commented 3 years ago

We've been trying to understand and debug the code written for the Git plugin (https://github.com/eclipse-theia/theia/tree/master/packages/git) but didn't got any clue. So far we have identified files which are basically driving the frontend execution:

But no luck as to how to resolve the issue so the Git UI plugin accepts the SSH key passphrase.

Would you have any idea where to take it from here?

SamFoster commented 2 years ago

Has there been a fix for this issue yet?

vince-fugnitto commented 2 years ago

Has there been a fix for this issue yet?

@SamFoster I do not believe so, the framework supports consuming the builtin (included in vscode itself) git plugins from vscode (vscode-builtin-git, vscode-builtin-git-ui), and it does not look like they support it yet https://github.com/eclipse-theia/theia/issues/9575#issuecomment-859530721.

SamFoster commented 2 years ago

Vincent

Thanks for the reply. I've been having a play, and forgive me if this is stuff you guys are already aware of, but I have found that if I have my remote set as https and also I have used 'gh auth status' to view my connection info is set to use https and a token - which it now has to be - then I get a working set of tools in the GUI and can push/pull etc as required.

(also useful to know 'gh auth' to view list of useful gh auth commands such as those that run through the authentication wizard again etc)

Is there anything wrong​ with me doing this, and have I just discovered a legit way round the issue if connected to the remote via SSH?

Thanks,

Sam

From: Vincent Fugnitto @.> Sent: 18 March 2022 11:45 To: eclipse-theia/theia @.> Cc: Sam Foster @.>; Mention @.> Subject: Re: [eclipse-theia/theia] Git UI plugin only accepts passwordless SSH keys (#9575)

Has there been a fix for this issue yet?

@SamFosterhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FSamFoster&data=04%7C01%7Cs.foster%40bangor.ac.uk%7Cc1bb0d33e95a41a09d9508da08d4de35%7Cc6474c55a9234d2a9bd4ece37148dbb2%7C0%7C0%7C637832007628997922%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=uVTPDNQJ%2BqreiO%2BeO1LxRjvcx92m%2FJPGMrU%2F4ZxNbSA%3D&reserved=0 I do not believe so, the framework supports consuming the builtin (included in vscode itself) git plugins from vscode (vscode-builtin-githttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fopen-vsx.org%2Fextension%2Fvscode%2Fgit&data=04%7C01%7Cs.foster%40bangor.ac.uk%7Cc1bb0d33e95a41a09d9508da08d4de35%7Cc6474c55a9234d2a9bd4ece37148dbb2%7C0%7C0%7C637832007628997922%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=2vvtI%2BtOIXRJjwrIfHQAIjLic27LdelAJSbTUElURqg%3D&reserved=0, vscode-builtin-git-uihttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fopen-vsx.org%2Fextension%2Fvscode%2Fgit-ui&data=04%7C01%7Cs.foster%40bangor.ac.uk%7Cc1bb0d33e95a41a09d9508da08d4de35%7Cc6474c55a9234d2a9bd4ece37148dbb2%7C0%7C0%7C637832007628997922%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=0%2FzWnuAue0gjeHy3t3B6LUpHoQiT%2FmPv%2FiDbhOGYsyA%3D&reserved=0), and it does not look like they support it yet #9575 (comment)https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Feclipse-theia%2Ftheia%2Fissues%2F9575%23issuecomment-859530721&data=04%7C01%7Cs.foster%40bangor.ac.uk%7Cc1bb0d33e95a41a09d9508da08d4de35%7Cc6474c55a9234d2a9bd4ece37148dbb2%7C0%7C0%7C637832007628997922%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=O2ttOT3TzXBUPI9qwbUDk5t95BhQQYAPmfj%2BhfrK7k4%3D&reserved=0.

— Reply to this email directly, view it on GitHubhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Feclipse-theia%2Ftheia%2Fissues%2F9575%23issuecomment-1072333573&data=04%7C01%7Cs.foster%40bangor.ac.uk%7Cc1bb0d33e95a41a09d9508da08d4de35%7Cc6474c55a9234d2a9bd4ece37148dbb2%7C0%7C0%7C637832007628997922%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=rB5glhgpn4GYkn%2FmXjfx08u9%2BcT5QGMGaiX8lC2SOzM%3D&reserved=0, or unsubscribehttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAAE3GUDUDWXZMTHOAO6Z7IDVARUHJANCNFSM46NRXVUQ&data=04%7C01%7Cs.foster%40bangor.ac.uk%7Cc1bb0d33e95a41a09d9508da08d4de35%7Cc6474c55a9234d2a9bd4ece37148dbb2%7C0%7C0%7C637832007628997922%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=2y5kD7Ar84IRX7v%2FaLP9NF9clyxRAXO7Kf7%2B026XzgI%3D&reserved=0. Triage notifications on the go with GitHub Mobile for iOShttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapps.apple.com%2Fapp%2Fapple-store%2Fid1477376905%3Fct%3Dnotification-email%26mt%3D8%26pt%3D524675&data=04%7C01%7Cs.foster%40bangor.ac.uk%7Cc1bb0d33e95a41a09d9508da08d4de35%7Cc6474c55a9234d2a9bd4ece37148dbb2%7C0%7C0%7C637832007628997922%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=wvSdzLFlKHDDrfLF%2FcxvGyvXZCqDmHRMNZQALaEExWg%3D&reserved=0 or Androidhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.github.android%26referrer%3Dutm_campaign%253Dnotification-email%2526utm_medium%253Demail%2526utm_source%253Dgithub&data=04%7C01%7Cs.foster%40bangor.ac.uk%7Cc1bb0d33e95a41a09d9508da08d4de35%7Cc6474c55a9234d2a9bd4ece37148dbb2%7C0%7C0%7C637832007628997922%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=FnL5ERR0hWr%2B4GAzhfo3%2FwsggqvVBnclyB5NWhnvasg%3D&reserved=0. You are receiving this because you were mentioned.Message ID: @.***>

Mae croeso i chi gysylltu gyda'r Brifysgol yn Gymraeg neu Saesneg

You are welcome to contact the University in Welsh or English

Rhif Elusen Gofrestredig 1141565 - Registered Charity No. 1141565

Gall y neges e-bost hon, ac unrhyw atodiadau a anfonwyd gyda hi, gynnwys deunydd cyfrinachol ac wedi eu bwriadu i'w defnyddio'n unig gan y sawl y cawsant eu cyfeirio ato (atynt). Os ydych wedi derbyn y neges e-bost hon trwy gamgymeriad, rhowch wybod i'r anfonwr ar unwaith a dilewch y neges. Os na fwriadwyd anfon y neges atoch chi, rhaid i chi beidio a defnyddio, cadw neu ddatgelu unrhyw wybodaeth a gynhwysir ynddi. Mae unrhyw farn neu safbwynt yn eiddo i'r sawl a'i hanfonodd yn unig ac nid yw o anghenraid yn cynrychioli barn Prifysgol Bangor. Nid yw Prifysgol Bangor yn gwarantu bod y neges e-bost hon neu unrhyw atodiadau yn rhydd rhag firysau neu 100% yn ddiogel. Oni bai fod hyn wedi ei ddatgan yn uniongyrchol yn nhestun yr e-bost, nid bwriad y neges e-bost hon yw ffurfio contract rhwymol - mae rhestr o lofnodwyr awdurdodedig ar gael o Swyddfa Cyllid Prifysgol Bangor.

This email and any attachments may contain confidential material and is solely for the use of the intended recipient(s). If you have received this email in error, please notify the sender immediately and delete this email. If you are not the intended recipient(s), you must not use, retain or disclose any information contained in this email. Any views or opinions are solely those of the sender and do not necessarily represent those of Bangor University. Bangor University does not guarantee that this email or any attachments are free from viruses or 100% secure. Unless expressly stated in the body of the text of the email, this email is not intended to form a binding contract - a list of authorised signatories is available from the Bangor University Finance Office.

anavarre commented 2 years ago

Question you asked a while ago https://github.com/eclipse-theia/theia/issues/9575#issuecomment-859530721

@anavarre does it work for you out-of-the-box in vscode? I see the following issue for example: https://github.com/microsoft/vscode/issues/13680.

Was finally able to test with a Mac and it works immediately, or at least doesn't seem to fail.

vscode-git-ui

Can also confirm the issue is still occurring with Theia 1.21. Tried the vscode-builtin-git OpenVSX extension again and it fails there too. New error window and new way to check the associated log file though.

Screen Shot 2022-03-24 at 13 18 12 
Looking for git in: git
Using git 2.35.1 from git
> git rev-parse --git-dir
Open repository: /home/ide/project
> git status -z -u
> git symbolic-ref --short HEAD
> git for-each-ref --format=%(refname)%00%(upstream:short)%00%(upstream:track)%00%(objectname) refs/heads/pipelines-build-master refs/remotes/pipelines-build-master
> git for-each-ref --sort -committerdate --format %(refname) %(objectname) %(*objectname)
> git remote --verbose
Warning: Failed to watch ref '/home/ide/project/.git/refs/remotes/origin/pipelines-build-master', is most likely packed.
> git config --get commit.template
> git fetch
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Still the same stubborn issue with passphrases. I don't fully comprehend whether there's any chance it ever works without getting https://github.com/microsoft/vscode/issues/13680 fixed first.

SamFoster commented 2 years ago

So I have found that it fails when I use an ssh remote, but if I switch to https for the remote, and I use 'gh auth login' at cmd prompt to authenticate and use a personal access token it works using the gui buttons as one would expect. It is however sometimes a bit slow, and if I push/pull via the git cmdline the gui itself doesn't update that fast and leads u to think the push/pull may not have worked - but it has and after some seconds the gui does update to reflect this.

anavarre commented 2 years ago

Interesting. Unfortunately we don't have the option to use https for Git remotes so I can't try out your workaround. Nice find though!

anavarre commented 2 years ago

For whatever reason we cannot yet explain, with Theia 1.26 this is no longer happening. Closing.