microsoft / vscode-remote-release

Visual Studio Code Remote Development: Open any folder in WSL, in a Docker container, or on a remote machine using SSH and take advantage of VS Code's full feature set.
https://aka.ms/vscode-remote

sshd_config "Banner" prevents public key authentication to remote host #3699

Closed synapse-overload closed 4 years ago

synapse-overload commented 4 years ago

  • Extension version: 0.55.0
  • VS Code version: Code 1.49.1 (58bb7b2331731bf72587010e943852e13e6fd3cf, 2020-09-16T23:27:51.792Z)
  • OS version: Windows_NT x64 10.0.19041
  • Remote OS version: Linux x64 4.15.0-117-generic

System Info

|Item|Value|
|---|---|
|CPUs|Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz (8 x 3408)|
|GPU Status|2d_canvas: enabled<br>flash_3d: enabled<br>flash_stage3d: enabled<br>flash_stage3d_baseline: enabled<br>gpu_compositing: enabled<br>multiple_raster_threads: enabled_on<br>oop_rasterization: disabled_off<br>opengl: enabled_on<br>protected_video_decode: unavailable_off<br>rasterization: enabled<br>skia_renderer: disabled_off_ok<br>video_decode: enabled<br>vulkan: disabled_off<br>webgl: enabled<br>webgl2: enabled|
|Load (avg)|undefined|
|Memory (System)|15.93GB (7.00GB free)|
|Process Argv||
|Screen Reader|no|
|VM|67%|

|Item|Value|
|---|---|
|Remote|SSH: 192.168.119.128|
|OS|Linux x64 4.15.0-117-generic|
|CPUs|Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz (8 x 3407)|
|Memory (System)|3.83GB (2.44GB free)|
|VM|100%|

Steps to Reproduce:

  1. [On Host Win10 Machine] Download and install VMware Player 15 + https://www.linuxvmimages.com/images/ubuntu-1604 VMware image

  2. [On Host Win10 Machine] Set up key files in %UserProfile%/.ssh/ (I used id_rsa and id_rsa.pub as generated by ssh-keygen)

    • ssh-keygen to generate the keys
    • add new entry in %UserProfile%/.ssh/config in order to have the remote setup
      • E.g.
        Host 192.168.119.128
        HostName 192.168.119.128
        IdentityFile "C:\\Users\\Razvan\\.ssh\\id_rsa"
        User ubuntu
  3. [On Remote VM Ubuntu] Add the public key generated at the previous step (id_rsa.pub) to the client virtual machine running Ubuntu 16.04

  4. [On Remote VM Ubuntu] Check if /etc/ssh/sshd_config has a Banner value set (by default, the VMware machine specified at step 1 does have this banner message)

  5. [On Host Win10 Machine] Check that the connection to the Ubuntu machine works with local command-line ssh (for me it worked fine even with the OpenSSH installed with Windows, but to be safe I checked with the ssh installed in Git Bash as well)

  6. [On Host Win10 Machine] Try to connect with the Remote-SSH plugin; you will get the following errors in the output panel (on the Remote-SSH tab): Remote-SSH.log

Note: Once I removed the Banner config parameter from /etc/sshd_config everything works fine.

Does this issue occur when all extensions are disabled?: No

subr3v commented 4 years ago

+1 On this one, I have a similar problem. I'm trying to use this at work and our "security banner" is preventing vs code from setting up the connection in a proper way.

Is there any workaround? I have no way to disable the banner on my end.

synapse-overload commented 4 years ago

> +1 On this one, I have a similar problem. I'm trying to use this at work and our "security banner" is preventing vs code from setting up the connection in a proper way.
>
> Is there any workaround? I have no way to disable the banner on my end.

I saw there is an option in ssh_config (for configuring the ssh client on the Windows machine in my example) named "LogLevel QUIET" which may solve this. I haven't tried it yet; maybe you can give it a try if you're not able to modify server params.

subr3v commented 4 years ago

I have also tried that with no successful results. I think that the extension should be able to handle these cases gracefully.

subr3v commented 4 years ago

Is there any update on the status of this issue?

roblourens commented 4 years ago

We misinterpreted the banner as a password prompt. I think it will work if you type something into the password prompt, or if you enable "useLocalServer" in your settings.json.

synapse-overload commented 4 years ago

This is not a fix. Why is the bug closed? The functionality is used for automatic login, that's why I'm using an ssh key, to avoid typing in the password. Was there a fix planned for this problem? Is there a commit with the fix?

roblourens commented 4 years ago

Can you confirm whether that setting fixes it? It will be the default someday but it causes issues for some people on Windows.

If that doesn't work for you, setting "remote.SSH.showLoginTerminal": true may also work around it.

Without these, we can only detect password prompts with dumb text matching in the output from the ssh server, which is destined to fail in some cases.

synapse-overload commented 4 years ago

The issue persists without "remote.ssh.showLoginTerminal": true. But this persistence is only visible if you do a restart after re-enabling the banner in /etc/ssh/sshd_config; otherwise it will work with the last session, so just to be safe when testing, it's best to restart the whole virtual machine for every test. It would be good to have this in some documentation; however, for now the issue is rightfully closed, as the case described above is solved by the combination of these two settings. To sum up, my settings.json file on Windows contains the following remote SSH settings:

"remote.SSH.enableAgentForwarding": false,
"remote.SSH.enableDynamicForwarding": false,
"remote.SSH.remoteServerListenOnSocket": true,
"remote.SSH.lockfilesInTmp": true,
"remote.SSH.showLoginTerminal": true

I don't know why my settings file doesn't also contain "remote.SSH.useLocalServer": true since the setting is saved in the UI config file, but that's just nitpicking.

roblourens commented 4 years ago

Unfortunately that useLocalServer setting is only really applied if set explicitly by the user in json, because the default is different per OS, and the UI can't show this.