microsoft / vscode-remote-release

Visual Studio Code Remote Development: Open any folder in WSL, in a Docker container, or on a remote machine using SSH and take advantage of VS Code's full feature set.
https://aka.ms/vscode-remote

SSH Agent Forwarding not working with Remote SSH on MacOS #2671

Closed yeswalrus closed 4 years ago

yeswalrus commented 4 years ago

Steps to Reproduce:

  1. Enable SSH via launchctl
  2. Set up ssh config with a host you want to forward your ssh agent keys to and set 'ForwardAgent yes'
  3. Connect via terminal ssh and perform an operation requiring your forwarded key
  4. Launch VSCode and validate that $SSH_AUTH_SOCK is set
  5. Connect via Remote-SSH, then use the terminal or GitLens to attempt to perform git operations requiring your forwarded key

Does this issue occur when you try this locally?: N/A

Does this issue occur when you try this locally and all extensions are disabled?: N/A

yeswalrus commented 4 years ago

SSH log (with some personal details scrubbed). It appears that sshAuthSock is not getting picked up somehow, despite echo $SSH_AUTH_SOCK being perfectly valid when I run it from the VS Code terminal when not connected to a remote host.


[12:43:57.048] Log Level: 2
[12:43:57.049] remote-ssh@0.51.0
[12:43:57.049] darwin x64
[12:43:57.050] SSH Resolver called for "ssh-remote+7b22686f73744e616d65223a2277677261792d64742d3031222c2275736572223a227767726179227d", attempt 1
[12:43:57.051] SSH Resolver called for host: ...
[12:43:57.051] Setting up SSH remote "..."
[12:43:57.054] Acquiring local install lock: /var/folders/9y/wcdmvyw17jv4b72k6r1kc_sw0000gp/T/vscode-remote-ssh-...-install.lock
[12:43:57.073] Looking for existing server data file at /Users/.../Library/Application Support/Code/User/globalStorage/ms-vscode-remote.remote-ssh/vscode-ssh-host-...-0ba0ca52957102ca3527cf479571617f0de6ed50-0.51.0/data.json
[12:43:57.076] Using commit id "0ba0ca52957102ca3527cf479571617f0de6ed50" and quality "stable" for server
[12:43:57.078] Install and start server if needed
[12:43:57.088] Checking ssh with "ssh -V"
[12:43:57.140] > OpenSSH_7.8p1, LibreSSL 2.6.2
[12:43:57.148] askpass server listening on /var/folders/9y/wcdmvyw17jv4b72k6r1kc_sw0000gp/T/vscode-ssh-askpass-32556e9cc317d91a50ea4c827691aed44eb772fc.sock
[12:43:57.149] Spawning local server with {"ipcHandlePath":"/var/folders/9y/wcdmvyw17jv4b72k6r1kc_sw0000gp/T/vscode-ssh-askpass-dc6a9023f50b72e7c5d1c978adfb76eaa434fd1c.sock","sshCommand":"ssh","sshArgs":["-v","-T","-D","55029","-o","ConnectTimeout=15","..."],"dataFilePath":"/Users/.../Library/Application Support/Code/User/globalStorage/ms-vscode-remote.remote-ssh/vscode-ssh-host-...-0ba0ca52957102ca3527cf479571617f0de6ed50-0.51.0/data.json"}
[12:43:57.149] Local server env: {"DISPLAY":"1","ELECTRON_RUN_AS_NODE":"1","SSH_ASKPASS":"/Users/.../.vscode/extensions/ms-vscode-remote.remote-ssh-0.51.0/out/local-server/askpass.sh","VSCODE_SSH_ASKPASS_NODE":"/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Renderer).app/Contents/MacOS/Code Helper (Renderer)","VSCODE_SSH_ASKPASS_MAIN":"/Users/.../.vscode/extensions/ms-vscode-remote.remote-ssh-0.51.0/out/askpass-main.js","VSCODE_SSH_ASKPASS_HANDLE":"/var/folders/9y/wcdmvyw17jv4b72k6r1kc_sw0000gp/T/vscode-ssh-askpass-32556e9cc317d91a50ea4c827691aed44eb772fc.sock"}
[12:43:57.152] Spawned 12771
[12:43:57.284] > local-server> Spawned ssh: 12772
[12:43:57.322] stderr> OpenSSH_7.8p1, LibreSSL 2.6.2
[12:43:57.573] stderr> debug1: Server host key: ecdsa-sha2-nistp256 SHA256:6KiVuzJCMUwkgMvUhLiHPV/RpObp57PorOVr+/af67A
[12:43:57.788] stderr> Authenticated to ... ([...]:22).
[12:43:57.957] > Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-34-generic x86_64)
[12:43:57.970] > ready: df53bde681f3
[12:43:58.183] > Linux 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018
[12:43:58.183] Platform: linux
[12:43:58.360] > df53bde681f3: running
[12:43:58.361] > Acquiring lock on /home/.../.vscode-server/bin/0ba0ca52957102ca3527cf479571617f0de6ed50/vscode-remote-lock.....0ba0ca52957102ca3527cf479571617f0de6ed50
[12:43:58.361] > \ln /home/.../.vscode-server/bin/0ba0ca52957102ca3527cf479571617f0de6ed50/vscode-remote-lock.....0ba0ca52957102ca3527cf479571617f0de6ed50.target /home/.../.vscode-server/bin/0ba0ca52957102ca3527cf479571617f0de6ed50/vscode-remote-lock.....0ba0ca52957102ca3527cf479571617f0de6ed50
[12:43:58.364] > Found existing installation at /home/.../.vscode-server/bin/0ba0ca52957102ca3527cf479571617f0de6ed50...
[12:43:58.365] > SSH_CONNECTION=10.252.0.97 55031 10.74.33.164 22
> LANG=en_US.UTF-8
> OLDPWD=/home/...
> XDG_SESSION_ID=236
> USER=...
> PWD=/home/...
> HOME=/home/...
> SSH_CLIENT=10.252.0.97 55031 22
> MAIL=/var/mail/...
> SHELL=/usr/bin/zsh
> SHLVL=2
> VSCODE_AGENT_FOLDER=/home/.../.vscode-server
> LOGNAME=...
> DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
> XDG_RUNTIME_DIR=/run/user/1001
> PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
> _=/usr/bin/printenv
[12:43:58.368] > Starting server with command... /home/.../.vscode-server/bin/0ba0ca52957102ca3527cf479571617f0de6ed50/server.sh --host=127.0.0.1 --enable-remote-auto-shutdown  --port=0 &> "/home/.../.vscode-server/.0ba0ca52957102ca3527cf479571617f0de6ed50.log" < /dev/null
> Waiting for server log...
[12:43:58.854] >  
> *
> * Reminder: You may only use this software with Visual Studio family products,
> * as described in the license (https://go.microsoft.com/fwlink/?linkid=2077057)
> *
>  
[12:43:58.866] > df53bde681f3: start
> sshAuthSock====
> agentPort==44855==
> osReleaseId==ubuntu==
> arch==x86_64==
> webUiAccessToken====
[12:43:58.868] > tmpDir==/run/user/1001==
[12:43:58.868] > platform==linux==
> df53bde681f3: end
[12:43:58.868] Received install output: 
sshAuthSock====
agentPort==44855==
osReleaseId==ubuntu==
arch==x86_64==
webUiAccessToken====tmpDir==/run/user/1001==platform==linux==

[12:43:58.870] Remote server is listening on port 44855
[12:43:58.870] Parsed server configuration: {"agentPort":44855,"osReleaseId":"ubuntu","arch":"x86_64","webUiAccessToken":"","sshAuthSock":"","tmpDir":"/run/user/1001","platform":"linux"}
[12:43:58.871] Persisting server connection details to /Users/...
[12:43:58.873] Starting forwarding server. localPort 55037 -> socksPort 55029 -> remotePort 44855
[12:43:58.873] Forwarding server listening on 55037
[12:43:58.874] Waiting for ssh tunnel to be ready
[12:43:58.875] [Forwarding server 55037] Got connection 0
[12:43:58.876] Tunneled remote port 44855 to local port 55037
[12:43:58.876] Resolved "ssh-remote+7b22686f73744e616d65223a2277677261792d64742d3031222c2275736572223a227767726179227d" to "127.0.0.1:55037"
[12:43:58.888] ------

roblourens commented 4 years ago

Can you run this and check the result?

echo 'echo $SSH_AUTH_SOCK' | ssh yourhost bash

andyljones commented 4 years ago

I'm having the same problem.

Versions

Steps to reproduce:

Notes

Running @roblourens's command locally gives me

echo 'echo $SSH_AUTH_SOCK' | ssh aj-server.local bash
/tmp/ssh-xknA6TMy7w/agent.49372

Also my /tmp on the remote is full of vscode-related files, four for each launch it seems:

srwxr-xr-x 1 root root    0 Apr  4 08:22 /tmp/vscode-git-ipc-d611c4adcbc37371b065ac6ec07a80fd67649c88.sock
srwxr-xr-x 1 root root    0 Apr  4 08:22 /tmp/vscode-ipc-64538d81-7445-4b69-8cf0-97a31c641cf7.sock
srwxr-xr-x 1 root root    0 Apr  4 08:21 /tmp/vscode-remote-containers-ipc-7b12f37410576f49c0480725f717f994c66b2085.sock
srwxr-xr-x 1 root root    0 Apr  4 08:21 /tmp/vscode-ssh-auth-7b12f37410576f49c0480725f717f994c66b2085.sock
-rw-r--r-- 1 root root 2342 Apr  4 08:21 /tmp/vscode-remote-containers-7b12f37410576f49c0480725f717f994c66b2085.js
srwxr-xr-x 1 root root    0 Apr  4 08:10 /tmp/vscode-ipc-879b4be1-d468-42d6-b826-9d1161b66aa8.sock
srwxr-xr-x 1 root root    0 Apr  4 08:10 /tmp/vscode-remote-containers-ipc-3406ee3322f37dce7a65debb49f379d7ca991310.sock
srwxr-xr-x 1 root root    0 Apr  4 08:10 /tmp/vscode-ssh-auth-3406ee3322f37dce7a65debb49f379d7ca991310.sock
-rw-r--r-- 1 root root 2342 Apr  4 08:10 /tmp/vscode-remote-containers-3406ee3322f37dce7a65debb49f379d7ca991310.js
srwxr-xr-x 1 root root    0 Apr  4 08:07 /tmp/vscode-ipc-4a78b115-981c-4a6c-b1c7-8f519c3fc831.sock
srwxr-xr-x 1 root root    0 Apr  4 08:07 /tmp/vscode-remote-containers-ipc-a8c9df28587b2fe8ea8095f8fd0496800b08006a.sock
srwxr-xr-x 1 root root    0 Apr  4 08:07 /tmp/vscode-ssh-auth-a8c9df28587b2fe8ea8095f8fd0496800b08006a.sock
-rw-r--r-- 1 root root 2342 Apr  4 08:07 /tmp/vscode-remote-containers-a8c9df28587b2fe8ea8095f8fd0496800b08006a.js 

Workaround

If I use

export SSH_AUTH_SOCK=$(ls -t /tmp/vscode-ssh-auth* | head -1)

to set SSH_AUTH_SOCK to the most recent vscode-ssh-auth file, I can use git fine!
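
A stricter form of the workaround above, as an added example that is not part of the original comment: /tmp is shared and the glob matches any file with that name, so this version accepts only a UNIX socket owned by the current user and then checks that an agent answers on it. The function names and the directory argument are assumptions for illustration.

```shell
# Added example, not from the thread. Prints the newest
# vscode-ssh-auth-*.sock in a directory that is a real socket owned by
# the current user. Function names and the directory argument are hypothetical.
pick_vscode_agent_sock() {
    dir="${1:-/tmp}"
    best=""
    for s in "$dir"/vscode-ssh-auth-*.sock; do
        [ -S "$s" ] || continue   # must be a UNIX socket, not a plain file
        [ -O "$s" ] || continue   # must belong to us, because /tmp is shared
        if [ -z "$best" ] || [ "$s" -nt "$best" ]; then
            best="$s"
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# ssh-add -l exits 0 (keys listed) or 1 (agent has no keys) when the agent
# answered, and 2 when it could not be contacted.
agent_answers() {
    rc=0
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}

# Usage on the remote host:
#   sock=$(pick_vscode_agent_sock /tmp) && agent_answers "$sock" \
#       && export SSH_AUTH_SOCK="$sock"
```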

odyslam commented 4 years ago

I have the same issue when trying to establish an SSH connection with a remote server to dev. I am using Secretive, which requires adding an export $SSH_AUTH_SOCK="" to my .zshrc. I can use ssh without problem through both my terminal and the vs studio integrated terminal, but whenever I try to use the SSH add-on it fails.

System: MacOS Catalina 10.15.5
Visual studio code: latest

[19:56:12.358] Resolver error: Permission denied (publickey).

ssh config file:

Host x
  HostName x
  Port y
  User z
  ForwardAgent yes

roblourens commented 4 years ago

Do you know how ssh interfaces with Secretive, if not through the ssh agent?

odyslam commented 4 years ago

If I understand your question correctly, I think it functions as an SSH forward agent.

I was reading through the sekey documentation, the project on top of which Secretive has been built, and I tried something new. In ~/.ssh/config, I added: IdentityAgent /Users/odys/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh and it worked!

So I guess, in order to specify an identity agent for ssh, you either export the env variable in the terminal session before you run ssh, or you specify that in the ssh config. Interesting. I will create an issue in Secretive so that they add the ssh config option in their helper.

Irrelevant to VS question: What's the difference between IdentityAgent and ForwardAgent?

roblourens commented 4 years ago

ForwardAgent makes the agent accessible from the remote ssh session.
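
To check which of the two settings is in effect for a host, the sketch below (an added example, not code from the thread or from the extension) reads the output of `ssh -G <host>` and reports whether the local agent socket comes from IdentityAgent in the config or from the SSH_AUTH_SOCK environment variable, and whether that agent is forwarded to the remote. The function name and output format are assumptions.

```shell
# Added example, not from the thread. Reads `ssh -G <host>` output on stdin
# and summarises where ssh finds its agent and whether it forwards it.
# agent_summary and its output format are hypothetical.
#   $1 = SSH_AUTH_SOCK as seen by the process that will run ssh (may be empty)
agent_summary() {
    awk -v env_sock="$1" '
        {
            key = tolower($1)
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)   # keep paths with spaces
        }
        key == "identityagent" { ia = val }
        key == "forwardagent"  { fa = val }
        END {
            if (ia == "" || ia == "SSH_AUTH_SOCK") {
                # No IdentityAgent: ssh falls back to the environment.
                src = "env"; sock = env_sock
            } else if (ia == "none") {
                # IdentityAgent none disables agent use entirely.
                src = "none"; sock = ""
            } else {
                # IdentityAgent overrides SSH_AUTH_SOCK.
                src = "config"; sock = ia
            }
            if (fa == "") fa = "no"
            printf "source=%s socket=%s forward=%s\n", \
                src, (sock == "" ? "-" : sock), fa
        }'
}

# Usage:
#   ssh -G myhost | agent_summary "$SSH_AUTH_SOCK"
```

A result of `source=env socket=-` with `forward=yes` means ForwardAgent is requested but the process launching ssh has no agent socket to forward, which is the situation when the export lives only in a shell startup file.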