microsoft / vscode-remote-release

Visual Studio Code Remote Development: Open any folder in WSL, in a Docker container, or on a remote machine using SSH and take advantage of VS Code's full feature set.
https://aka.ms/vscode-remote

Git through SSH with passphrase-protected key when in WSL remote #2369

Open ivangretsky opened 4 years ago

ivangretsky commented 4 years ago

I am trying to use git through SSH in a WSL remote. The SSH connection is protected with a key pair which is password-protected. I open WSL in terminal, I start an SSH agent there and add the key. Then I start VS Code with code . and try to use git. But I can't do anything requiring SSH connection. No way to enter passphrase, no way to cancel - I have to restart VS Code.

The same happens when I start ssh-agent and add the key in the terminal window in the VS Code interface.

This is the same as #1774, which was closed as duplicate of microsoft/vscode#13680. But it is really not a duplicate, as the latter issue is said to be resolved with workaround explained here, but the former cannot.

VS Code does not "see" ssh-agent started in WSL.

MathiasMagnus commented 4 years ago

I stumbled across this issue today as well. Not WSL but using the SSH remoting extension. Browsing through the issues on VS Code and the remoting extensions it seems that there are few integrations missing. No extra windows can be presented to the user when using remoting, hence gpg prompts don't show for code signing. I'm not sure which integration is missing, but when cloning code from the UI using SSH auth to the Git server on a remote machine (also using SSH for remoting) VS fails to prompt for the password on the key required for Git server auth.

rgroves commented 4 years ago

I've also run into this. It seems like it's a known issue. In the Remote Development Tips and Tricks doc under the Sharing Git credentials between Windows and WSL section it states:

Resolving hangs when doing a Git push or sync from WSL

If you clone a Git repository using SSH and your SSH key has a passphrase, VS Code's pull and sync features may hang when running remotely.

Either use an SSH key without a passphrase, clone using HTTPS, or run git push from the command line to work around the issue.

Setting up sharing of Git credentials between Windows and WSL and cloning using HTTPS is not ideal, but it's something.

ivangretsky commented 4 years ago

Seen that. I hope it'll improve.

MathiasMagnus commented 4 years ago

Am I the only one that's surprised to see this issue standing so long? I thought cloning (SSH), committing (gpg sign) and pushing is a core functionality. I'm not saying that not knowing TypeScript relieves me of being a candidate to implement this, but I hoped someone with more relevant skills would've picked this up long ago. Or did I miss the memo?

mverkerk-godaddy commented 4 years ago

Same here - I've been happily using vscode with WSL and love it - except for this one annoyance. I keep falling into the trap of doing git actions from within vscode just to see the little progress bar going and going knowing that, in the background, git is asking for my passphrase ... I tried suggestions from here and here but still no luck :-\

mverkerk-godaddy commented 4 years ago

Well, what do you know - I think I got it working with the suggested changes to ~/.bashrc (or ~/.bash_profile) mentioned here ... give it a try!

aeschli commented 4 years ago

@Verkurkie I was wondering, did you see the problem occur with Git operations triggered by VSCode (e.g from the SCM viewlet). Or just with calling git from the integrated terminal?

mverkerk-godaddy commented 4 years ago

> @Verkurkie I was wondering, did you see the problem occur with Git operations triggered by VSCode (e.g from the SCM viewlet). Or just with calling git from the integrated terminal?

@aeschli it was only when triggered by VSCode ... running git in the terminal was never a problem because it does ask for the passphrase...

flying-sausages commented 3 years ago

Not sure this helps but this might be the key issue here. I assume if this were possible to run, at least it would be a workaround that VSCode could properly implement later

╭─sausage@FATASS2 ~/Git/Fun/swizzin ‹formatting› 
╰─$ ssh-add ~/.ssh/id_rsa
Could not open a connection to your authentication agent.

elsiehupp commented 3 years ago

I got a similar error on a non-WSL Ubuntu remote, though in my case Git gave me a dismissable popup with the message Permission denied (publickey) rather than forcing me to restart VS Code, and entering git push in the VS Code terminal gave me the password prompt.

I haven't had issues connecting to the remote with a passphrase-protected key, but I'm using a Mac, and I have the Mac's ssh passphrase saved in the macOS Keychain. Perhaps if there's a way of doing the same on the Ubuntu remote it could be a workaround for this issue? This StackExchange thread looks promising, but I haven't had a chance to try it.

elsiehupp commented 3 years ago

I figured out a potential workaround: SSH Agent Forwarding. In your SSH config, for the remote VS Code host, add the following:

  ForwardAgent yes

(The indentation is important.)

For me, the host set up to SSH into with VS Code is called alpha, so the section of the file looks like this:

Host alpha
  ForwardAgent yes

If you want to do this with all remote hosts, you can add it to the Host * section (though this is apparently a marginal security risk):

Host *
  ForwardAgent yes

What this does is it uses the SSH agent that you're using to connect to the remote host and recycles the SSH keys for any SSH connections from the remote, such as connecting to Git. Because VS Code will happily prompt you for your SSH key's passphrase when you're connecting to a VS Code remote, you can enter the passphrase when initially connecting and not have to re-enter it when interacting with Git.

Apparently you can use more than one local SSH key when agent-forwarding, but I haven't been able to test this. I haven't been able to test this, in general, yet, but it seems promising.
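
An added example, not part of the original comment: a POSIX shell function that lists every section of an SSH client config that turns on ForwardAgent and marks wildcard or global sections, since each host such a section matches can use the forwarded agent for as long as the session lasts. The function name audit_forward_agent and the WILDCARD/SCOPED labels are made up for this sketch.

```shell
# Added example: report which ssh_config sections enable agent forwarding.
# audit_forward_agent and its output labels are hypothetical names.
audit_forward_agent() {
    awk '
    # Print the section just finished if it enabled forwarding.
    function report(   kind) {
        if (fwd == "" || fwd == "no") return
        kind = "SCOPED"
        if (pat ~ /[*?]/ || pat == "(global)" || tolower(pat) == "match all")
            kind = "WILDCARD"
        print kind ": " pat
    }
    BEGIN { pat = "(global)"; fwd = "" }   # options before the first Host line
    /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        # Keyword and value are separated by whitespace and/or "=".
        n = match(line, /[ \t=]+/)
        key = tolower(n ? substr(line, 1, RSTART - 1) : line)
        val = n ? substr(line, RSTART + RLENGTH) : ""
        sub(/[ \t]+$/, "", val)
        if (key == "host" || key == "match") {
            report()
            pat = (key == "match") ? "Match " val : val
            fwd = ""
        } else if (key == "forwardagent" && fwd == "") {
            fwd = tolower(val)             # first value in a section wins
        }
    }
    END { report() }
    ' "$1"
}

# Audit the file given as the first argument, or the user config by default.
cfg="${1:-$HOME/.ssh/config}"
if [ -r "$cfg" ]; then
    audit_forward_agent "$cfg"
fi
```

A SCOPED line such as the Host alpha section from the comment forwards the agent to that one host only; a WILDCARD line is the Host * case the comment describes as a risk.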

karlmacklin commented 3 years ago

@elsiehupp Do you know if that's something that could work for a Windows WSL2 environment? I tried applying it to my scenario but get stuck on questions like:

What is the "remote VS Code host"? If it's the main Windows machine, does localhost work, since localhost is also localhost within WSL?

elsiehupp commented 3 years ago

@karlmacklin a remote VS Code host is this setup: https://code.visualstudio.com/docs/remote/ssh (Usually the remote host is another computer.)

I don't have any experience with VS Code on WSL, but in order to use your local WSL as a remote SSH host you'd need to set up port forwarding so that port 22 (the usual SSH port) on your Windows computer connects instead to the SSH server on WSL.

Here's an article on WSL port forwarding: https://dev.to/vishnumohanrk/wsl-port-forwarding-2e22

If for whatever reason you can't forward port 22 (or you otherwise need an SSH server running on Windows itself), you could configure the port forwarding from, say, port 2022 on Windows to port 22 on WSL, so you'd be connecting to localhost:2022 instead of just localhost (which is implicitly port 22).

Once you have the Remote Development extension installed and enabled:

FWIW it may also be possible to cache your SSH key passphrase on Windows or in VS Code if you're okay with the security ramifications of that, but I'm not 100% sure what's involved. (macOS has a UseKeychain yes SSH config option, and Seahorse can cache SSH passphrases on Linux, but I don't know about Windows.)

At this point you can save the config file, right click on "Local (WSL)" in your SSH Targets list, and connect either in either the current window or a new window. If it works you're ready to go!

Again, I haven't actually tried this myself. I use VS Code remote hosts that are physically separate computers, rather than WSL.

r4ven1245 commented 3 years ago

I'm having the same issue with WSL2 -> GitLab setup. @elsiehupp I don't think @karlmacklin was asking how to use his WSL system as a remote host. For some reason this just doesn't work on WSL, even with the workarounds from the documentation that tell you to enable the Prompt window for SSH, nothing shows up. I looked at all output channels, debug console, there is nothing. I don't understand how with this much time passed, this is still an issue.

karlmacklin commented 3 years ago

> I'm having the same issue with WSL2 -> GitLab setup. @elsiehupp I don't think @karlmacklin was asking how to use his WSL system as a remote host. For some reason this just doesn't work on WSL, even with the workarounds from the documentation that tell you to enable the Prompt window for SSH, nothing shows up. I looked at all output channels, debug console, there is nothing. I don't understand how with this much time passed, this is still an issue.

After a while you simply learn to live with it. You find ways to cope. I try talking to colleagues about this issue to process it. Talking to my wife doesn't help - she's not well versed in IT.

gernot-t2p commented 3 years ago

same issue here, giving up on the password is a no go and git doesn't ask for one

EllipticEllipsis commented 3 years ago

This needs to be fixed, especially now GitHub has deprecated HTTPS.

elsiehupp commented 3 years ago

> This needs to be fixed, especially now GitHub has deprecated HTTPS.

Maybe tagging the @GitHub team or the GitHub @desktop team might help, since GitHub is owned by Microsoft, so, you know, you’d expect some degree of coordination around the deprecation of HTTPS by GitHub and the related implementation of SSH in Microsoft’s own Git client in VS Code.

niezgoda-heineken commented 3 years ago

same issue here. Is there some way we can up vote this ??

masiorama commented 2 years ago

Same here!

elsiehupp commented 2 years ago

Maybe we could pester the folks at vscode-pull-request-github to take a look at this…?

benhovinga commented 2 years ago

I have the same problem. Here are my observations if they will help the devs solve the problem.

My environment

VS Code:

Version: 1.62.3 (user setup)
Commit: ccbaa2d27e38e5afa3e5c21c1c7bef4657064247
Date: 2021-11-17T08:11:14.551Z
Electron: 13.5.2
Chrome: 91.0.4472.164
Node.js: 14.16.0
V8: 9.1.269.39-electron.0
OS: Windows_NT x64 10.0.22000

Sync Changes

When I try to push a branch to github using the Sync Changes button in Source Control (sidebar), it does nothing. The sync wheel spins on the status bar like it's thinking about it, but nothing ever happens. It doesn't even time out; it just goes until I close VS Code.

Git Log shows the following

> git log --oneline --cherry constra-theme...constra-theme@{upstream} --
> git pull --tags origin constra-theme
> git ls-files --stage -- /home/ben/philscontracting/test.njk
> git show --textconv :test.njk

I should be getting prompted to enter my ssh key password.

Commit Signing

I know this thread is about ssh keys but I think these are related because both should be prompting for a password but don't.

I use signing on all of my commits (set up with git config). I cannot do this inside vs code using the gui with my current environment. I have to use the terminal every time.

When I use the Source Control (sidebar), I get the following error box when I commit.

Git: gpg failed to sign the data

Clicking command output shows the following:

> git -c user.useConfigOnly=true commit --quiet --allow-empty-message --file -
error: gpg failed to sign the data
fatal: failed to write commit object

Not very specific 🙄. Again I should be getting prompted to enter my password for my gpg key.

Conclusion

I am sure if I change both of these keys to be passwordless, then they may work inside VS Code as is. I am not doing that because I value security over convenience.

Perhaps there needs to be a universal authentication prompt built into VS Code that could pass these passwords safely to the requesting programs (gpg, git, ssh) on the local host or remote server.

I hope this was helpful to the devs. 😊

jamiematrix commented 2 years ago

Adding a not-so-helpful comment of having the same issue but we (work) use BitBucket. VSCode when trying to push to any repo and quickest fix is to close and re-open Code.

Trying to move away from SourceTree as it keeps screwing up file permissions between pulls, pushes, and general usage.

Kile-Asmussen commented 2 years ago

I do believe this issue can cause other git-related problems, but I am not sure. It would be nice with a fix.

elsiehupp commented 2 years ago

I came across the Gist "How to use ssh-agent to cache your SSH credentials?" when trying to get Remote Container support to start working again, and the instructions there might help as a workaround for the problem here, too.

A quick, quick summary of the Gist is to run the following command in the terminal (within your WSL remote, assuming it has its own Bash environment) and then enter the passphrase for your SSH key at the prompt.

eval $(ssh-agent) && ssh-add .ssh/id_rsa

Note that if you have cleverly used something other than .ssh/id_rsa for your SSH keys you'll need to change the command accordingly. (I use the filename <hostname>_rsa in order to avoid mixing up SSH keys from different computers.)

elsiehupp commented 2 years ago

> I do believe this issue can cause other git-related problems, but I am not sure. It would be nice with a fix.

Not just Git problems: pretty much anything that uses SSH keys within the VS Code GUI will break if you try to use passphrase-protected SSH keys. (I found my way back to this thread when Development Containers stopped working for me.)

bdotsamir commented 1 year ago

Having a similar issue. vscode does prompt me to enter my ssh passphrase, but it does it every time I git push/pull. Very annoying, and it does not occur in the terminal.

alexisbg commented 10 months ago

To get around this issue, I’ve created a wrapper for ssh-add that I'd like to share: ssh-agent-add-id.

Rather than prompting for the passphrase every time, it checks whether the key has already been added to the SSH agent.

It can be integrated with a VS Code task that is triggered when the workspace is opened, using the "runOn": "folderOpen" property. If needed, it will prompt for the passphrase in a new terminal panel. If not, the panel will automatically close.

I hope that this tool will enhance your workflow.
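
An added example covering both the ssh-agent one-liner earlier in the thread and the add-only-if-missing idea described in the last comment; it is not the code of ssh-agent-add-id or of any project mentioned here. It keeps one agent on a fixed socket so every shell that sources it reaches the same agent, and calls ssh-add only when the key's fingerprint is not listed yet. AGENT_SOCK and the three function names are assumptions made for this sketch, and it assumes the public key sits next to the private key as KEY.pub.

```shell
# Added example: one shared ssh-agent per user, key added only when missing.
# AGENT_SOCK, ensure_agent, key_loaded and add_key_once are hypothetical names.
AGENT_SOCK="${AGENT_SOCK:-$HOME/.ssh/agent.sock}"

# Point this shell at the shared socket; start an agent only if none answers.
# ssh-add -l exits 0 (keys listed), 1 (agent up, no keys) or 2 (no agent).
ensure_agent() {
    SSH_AUTH_SOCK="$AGENT_SOCK"
    export SSH_AUTH_SOCK
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 2 ]; then
        rm -f "$AGENT_SOCK"                 # leftover socket of a dead agent
        eval "$(ssh-agent -s -a "$AGENT_SOCK")" >/dev/null
    fi
}

# Succeeds if the fingerprint of KEY.pub is already listed by the agent.
key_loaded() {
    fp=$(ssh-keygen -lf "$1.pub" 2>/dev/null | awk '{ print $2 }')
    [ -n "$fp" ] || return 1
    ssh-add -l 2>/dev/null |
        awk -v fp="$fp" '$2 == fp { ok = 1 } END { exit !ok }'
}

# Ask for the passphrase only when the key is not in the agent yet.
add_key_once() {
    ensure_agent
    if key_loaded "$1"; then
        return 0
    fi
    ssh-add "$1"                            # prompts on the terminal
}

# Example call from ~/.bashrc, using an absolute path so it works from any
# working directory (the thread's one-liner uses the relative .ssh/id_rsa):
#   add_key_once "$HOME/.ssh/id_rsa"
```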