microsoft / vscode-remote-release

Visual Studio Code Remote Development: Open any folder in WSL, in a Docker container, or on a remote machine using SSH and take advantage of VS Code's full feature set.
https://aka.ms/vscode-remote

PuTTY Pageant #61

Open lars18th opened 5 years ago

lars18th commented 5 years ago

Hi,

We need to support PuTTY pageant too instead of only plain certificate files. Will it be added soon?

Regards.

lars18th commented 5 years ago

Hi,

Until native support is implemented, here is a tool as a workaround (tested & working): https://github.com/benpye/wsl-ssh-pageant

Regards.

powerpbx commented 5 years ago

+1 for this feature. We tried that workaround tool above on Win10 build 1903 but it didn't seem to work. Maybe we did something wrong. Would be nice if it just worked like it does with PuTTY and WinSCP.

lars18th commented 5 years ago

> +1 for this feature. We tried that workaround tool above on Win10 build 1903 but it didn't seem to work. Maybe we did something wrong. Would be nice if it just worked like it does with PuTTY and WinSCP.

Hi @powerpbx ,

I'm sure you did something wrong, as I've been using it for months and it works like a charm! I recommend reading the documentation of the tool, as it requires parameters to work: https://github.com/benpye/wsl-ssh-pageant#how-to-use-with-windows-10-native-openssh-client

That's the content of the .BAT that I use to launch it:

@ECHO OFF
SETX SSH_AUTH_SOCK \\.\pipe\ssh-pageant
START /B "" "C:\SSH\wsl-ssh-pageant-amd64-gui.exe" --systray --winssh ssh-pageant

If you execute it before any other binary, and after you open the Pageant and load your key, then all OpenSSH sessions will use the key.

I hope this helps you!

randallpittman commented 5 years ago

I wrote a short how-to on getting wsl-ssh-pageant to run on startup, followed by pageant. Now I finally get hassle-free public-key auth on VS Code Remote SSH!

https://github.com/benpye/wsl-ssh-pageant/issues/16#issuecomment-520962345

rcdailey commented 5 years ago

I cannot get this working. I followed the instructions and I still do not see Remote SSH trying to use the agent to authenticate with a private key:

Install terminal quit with output: The process tried to write to a nonexistent pipe.

I'm not sure why it's giving these errors. I verified that the SSH_AUTH_SOCK env var is set as well. Which ssh.exe is VS Code using?

To complicate things, I actually prefer gpg-agent.exe because of its support for Yubikeys. However, I did test with pure pageant and it didn't work either.

lars18th commented 5 years ago

Hi @rcdailey

> I cannot get this working. I followed the instructions and I still do not see Remote SSH trying to use the agent to authenticate with a private key:
>
> Install terminal quit with output: The process tried to write to a nonexistent pipe.
>
> I'm not sure why it's giving these errors. I verified that the SSH_AUTH_SOCK env var is set as well. Which ssh.exe is VS Code using?

Instead of trying with VSCode, first try logging in using the SSH client. Please try this:

If this works, then the problem is in your VSCode-SSH configuration. If this doesn't work, then the problem is in your environment configuration.

I hope it helps! :wink:

comphilip commented 5 years ago

wsl-ssh-pageant does not work for me either. Running ssh with the -v option shows that wsl-ssh-pageant does not respond with the correct signature type:

debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:1YCSVQTu+76ieXXnbwKDf97dMkLFJRZb/6h6Shb3Ebs cardno:000607309868
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
debug1: Authentications that can continue: publickey
debug1: Trying private key: C:\\Users\\comph/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\comph/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\comph/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\comph/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\comph/.ssh/id_xmss
debug1: No more authentication methods to try.

lars18th commented 5 years ago

Hi @comphilip ,

> wsl-ssh-pageant does not work for me either. Running ssh with the -v option shows that wsl-ssh-pageant does not respond with the correct signature type:

OK, so the problem isn't the VSCode SSH extension.

Please, try this:

Furthermore:

I hope it helps!

comphilip commented 5 years ago

Hi @lars18th,

OpenSSH Client: OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5

I tried your suggestion and found a strange situation.

It works with Ubuntu 18.04.3 LTS with OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017. This ubuntu is hosted in VirtualBox.

Another 3 remote machines do not work:

After turning on the DEBUG3 log level on the Raspberry Pi, I found that the ssh server rejects my public key: debug3: mm_answer_keyverify: publickey 0xbf5288 signature unverified

I have no idea why. My public key is stored on a Yubikey via the OpenPGP protocol. The key works well with gpg-agent along with ssh-agent in MobaXterm.

I believe this is a compatibility issue of wsl-ssh-pageant.

lars18th commented 5 years ago

> I believe this is a compatibility issue of wsl-ssh-pageant.

I don't think so!

Which Pageant version are you using? Try the latest version (0.72).

And if you have troubles with the Yubikey, then first try using regular PuTTY keys with wsl-ssh-pageant.

Regards.

comphilip commented 5 years ago

@lars18th Fixed after upgrading gpg to the latest version (2.2.17)

lars18th commented 5 years ago

> @lars18th Fixed after upgrading gpg to the latest version (2.2.17)

Great! :smile:

The use of the wsl-ssh-pageant tool with any Pageant server is very robust. :wink:

Tremolo4 commented 4 years ago

TL;DR: If you're using the ssh and ssh-pageant bundled with Git for Windows instead of Windows-native OpenSSH, you just need to add the environment variable below via Windows settings.

wsl-ssh-pageant did not work for me, either.

I'm not using the Windows-native OpenSSH client (Win-SSH) at all; instead I use the one bundled with Git for Windows (GfW-SSH). VS Code will fall back to that one if Win-SSH is not installed: IIRC I removed it via PowerShell, because I needed the JumpHost support from GfW-SSH.

GfW also includes the ssh-pageant tool which makes PuTTY pageant available in Git Bash and GfW-SSH. In essence the same thing as wsl-ssh-pageant, only for GfW-SSH and not for WSL or Win-SSH. To use it, add the following to your .bashrc:

eval $(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME")

However: VS Code still calls the Git for Windows ssh from the cmd.exe, not from Git Bash, hence the SSH_AUTH_SOCK is missing, because it is only in Git Bash's env from your .bashrc. Furthermore, the /tmp path is mapped to your Temp folder in AppData. In order to use it from cmd.exe, i.e. with VS Code Remote, you have to add the following env variable via Windows settings:

SSH_AUTH_SOCK=C:\Users\<your username>\AppData\Local\Temp\.ssh-pageant-<your username>

Using variables like %TEMP% and %USERNAME% here did not work for me for some reason...

Remember to start PuTTY pageant and open Git Bash at least once, so that ssh-pageant starts as well (no need to keep Git Bash open).

lars18th commented 4 years ago

Hi @Tremolo4 ,

> wsl-ssh-pageant did not work for me, either.

I can't understand why. The only tool that works for me on any Windows PC (7.0 & 10) without complex configuration is the wsl-ssh-pageant tool + any pageant agent (even with smartcard certificates). So for this reason I recommend it.

Tremolo4 commented 4 years ago

@lars18th It's probably because I am not using the Windows OpenSSH client, but the Git for Windows one.

You can see which one your VS Code uses by looking at the Output tab when connecting to a Remote:

[15:52:32.575] Checking ssh with "ssh -V"
[15:52:32.578] Got error from ssh: spawn ssh ENOENT
[15:52:32.579] Checking ssh with "C:\WINDOWS\System32\OpenSSH\ssh.exe -V"
[15:52:32.580] Got error from ssh: spawn C:\WINDOWS\System32\OpenSSH\ssh.exe ENOENT
[15:52:32.580] Checking ssh with "C:\Program Files\Git\usr\bin\ssh.exe -V"
[15:52:32.633] > OpenSSH_8.2p1, OpenSSL 1.1.1d  10 Sep 2019
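
The check this comment walks through, as an added example that is not part of the original thread: it reads the Remote-SSH output to find which ssh.exe answered -V, then tests whether SSH_AUTH_SOCK has the form that build can use (a named pipe for Windows OpenSSH, a socket file path for the Git for Windows build). Treating every banner other than OpenSSH_for_Windows as a socket-file build is an assumption; the function names are hypothetical.

```python
import os
import re

# VS Code Remote-SSH output copied from the comment above.
VSCODE_LOG = r"""
[15:52:32.575] Checking ssh with "ssh -V"
[15:52:32.578] Got error from ssh: spawn ssh ENOENT
[15:52:32.579] Checking ssh with "C:\WINDOWS\System32\OpenSSH\ssh.exe -V"
[15:52:32.580] Got error from ssh: spawn C:\WINDOWS\System32\OpenSSH\ssh.exe ENOENT
[15:52:32.580] Checking ssh with "C:\Program Files\Git\usr\bin\ssh.exe -V"
[15:52:32.633] > OpenSSH_8.2p1, OpenSSL 1.1.1d  10 Sep 2019
"""

CHECK = re.compile(r'Checking ssh with "(.+) -V"$')
BANNER = re.compile(r"\] > (OpenSSH[^,\s]*)")
PIPE_PREFIX = "\\\\.\\pipe\\"  # the literal text \\.\pipe\


def selected_ssh(log_text):
    """Return (path, banner) of the first candidate that answered -V."""
    candidate = None
    for line in log_text.splitlines():
        line = line.rstrip()
        m = CHECK.search(line)
        if m:
            # A custom Remote.SSH path is logged with its own quotes; drop them.
            candidate = m.group(1).strip('"')
            continue
        m = BANNER.search(line)
        if m and candidate:
            return candidate, m.group(1)
    return None, None


def agent_socket_problem(banner, auth_sock):
    """Describe an ssh build / SSH_AUTH_SOCK mismatch, or return None."""
    if not auth_sock:
        return "SSH_AUTH_SOCK is not set for the process that launches ssh"
    is_pipe = auth_sock.lower().startswith(PIPE_PREFIX)
    # Assumption: only Microsoft's build reports OpenSSH_for_Windows.
    native = banner.startswith("OpenSSH_for_Windows")
    if native and not is_pipe:
        return "Windows OpenSSH needs a named pipe (wsl-ssh-pageant --winssh)"
    if not native and is_pipe:
        return "this ssh build needs the ssh-pageant socket file, not a pipe"
    return None


def diagnose(log_text, auth_sock):
    """One-line verdict for a Remote-SSH log and an SSH_AUTH_SOCK value."""
    path, banner = selected_ssh(log_text)
    if path is None:
        return "no working ssh binary found in the log"
    problem = agent_socket_problem(banner, auth_sock)
    return f"{path} ({banner}): {problem or 'SSH_AUTH_SOCK form matches'}"


if __name__ == "__main__":
    print(diagnose(VSCODE_LOG, os.environ.get("SSH_AUTH_SOCK", "")))
```
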

lars18th commented 4 years ago

> @lars18th It's probably because I am not using the Windows OpenSSH client, but the Git for Windows one.

Then I suggest this: install a recent version of the Windows OpenSSH and remove (it's sufficient to rename the ssh.exe file) the GIT version. I'm sure this will fix 99% of the troubles.

I hope it helps.

Tremolo4 commented 4 years ago

Thanks, but I prefer my solution, because I need ProxyJump, which was not working last time I tried Windows OpenSSH (see here).

I'm sure wsl-ssh-pageant would work for me if I was using Windows OpenSSH. Just wanted to show a workaround for people like me who can't use Windows OpenSSH for some reason.

lars18th commented 4 years ago

Hi @Tremolo4 ,

I use, not ProxyJump but ProxyCommand with Windows OpenSSH and it works like a charm. So I feel ProxyJump will work too. In fact, Windows OpenSSH is OpenSSH, only compiled by Microsoft.

Regards.

Tremolo4 commented 4 years ago

Yes, I thought it should work, too. But it didn't when I tried, so I tried something else. ¯\\_(ツ)_/¯

niklasholm commented 4 years ago

> Hi @Tremolo4 ,
>
> I use, not ProxyJump but ProxyCommand with Windows OpenSSH and it works like a charm. So I feel ProxyJump will work too. In fact, Windows OpenSSH is OpenSSH, only compiled by Microsoft.
>
> Regards.

Except full of bugs that OpenSSH on other platforms doesn't have.

sdwru commented 4 years ago

This discussion was about and still is about making VSC work natively with Pageant. A super simple solution that just works for just about everything except VSC. I don't want to have to re-invent the wheel just for VSC.

This discussion is over a year old now and still no proper solution in sight.

lars18th commented 4 years ago

Hi,

> A super simple solution that just works for just about everything except VSC.

It works for VSC, as I've been using it for years.

> This discussion is over a year old now and still no proper solution in sight.

A proper solution has existed for a long time: https://github.com/benpye/wsl-ssh-pageant

Regards.

sdwru commented 4 years ago

> Hi,
>
> > A super simple solution that just works for just about everything except VSC.
>
> It works for VSC, as I've been using it for years.
>
> > This discussion is over a year old now and still no proper solution in sight.
>
> A proper solution has existed for a long time: https://github.com/benpye/wsl-ssh-pageant
>
> Regards.

That is a workaround (that many have trouble getting to work). A proper solution is native support with no fuss.

lars18th commented 4 years ago

Hi @sdwru ,

> That is a workaround (that many have trouble getting to work). A proper solution is native support with no fuss.

That depends on your point of view. Is ssh.exe from GIT a workaround?

Please, think about this: any pageant.exe is a tool to use certificates. A lot of implementations of it exist. This is a common tool for a lot of Windows tools that use certificates. However, it's not officially used by Microsoft. However, a simple proxy tool exists to connect the standard OpenSSH client in Windows to this de facto standard for Windows (I speak about pageant). Then the use of a proxy is not a workaround? Is VSC not using a proxy when it calls some ssh.exe?

Please, check the opening of this issue: it's opened by me. And the second post is a working solution, but working. No tricks or complex implementations. A simple tool that connects between two executables: the ssh.exe and the pageant. Everything is open, free and well tested.

I hope it helps. Regards.

Kadeluxe commented 4 years ago

For future readers who may try to find how to use VS Code Remote and keys from Pageant:

  1. Create .bat file somewhere with the following content:
    echo OpenSSH
    "C:\YOUR_PATH_HERE\PLINK.EXE" -ssh %*
  2. Open VS Code settings, type remote ssh path in search and find Remote.SSH: Path settings
  3. Paste the path to your .bat file here
  4. Now VS Code Remote will use Pageant correctly.

sdwru commented 4 years ago

> For future readers who may try to find how to use VS Code Remote and keys from Pageant:
>
>   1. Create .bat file somewhere with the following content:
>     echo OpenSSH
>     "C:\YOUR_PATH_HERE\PLINK.EXE" -ssh %*
>   2. Open VS Code settings, type remote ssh path in search and find Remote.SSH: Path settings
>   3. Paste the path to your .bat file here
>   4. Now VS Code Remote will use Pageant correctly.

Thanks for the info. I still do not have Pageant working with VSC on Win10 after months of trying but I will try your suggestion. I basically just gave up and use user/pass for all my development. Every time there is a new VSC update I anxiously read the changelog to see if they added native support but still nothing.

It's a really annoying problem because I access everything else using Pageant and SSH keys. VSC is the only thing that doesn't work with it and trying to do it the VSC suggested way using OpenSSH is too awkward. VSC also does silly things with user/pass. I have to enter it twice which makes no sense but VSC is so nice to work with for development I tolerate these shortcomings

Kadeluxe commented 4 years ago

I was in the same boat as you, I store my keys in KeePass and use its extension KeeAgent. This method worked for me and now it works flawlessly.

Still, it's probably better to switch to native Windows SSH and key agent but there is no matching functionality as my current setup so I don't care for now.

DonEstefan commented 4 years ago

> For future readers who may try to find how to use VS Code Remote and keys from Pageant:
>
>   1. Create .bat file somewhere with the following content:
>     echo OpenSSH
>     "C:\YOUR_PATH_HERE\PLINK.EXE" -ssh %*
>   2. Open VS Code settings, type remote ssh path in search and find Remote.SSH: Path settings
>   3. Paste the path to your .bat file here
>   4. Now VS Code Remote will use Pageant correctly.

When using this workaround with stored ssh sessions, make sure you use the following syntax in the ssh config file:

Host username1@host1.example.com
Host username2@host2.example.com

[edit:] or alternatively add ForwardAgent yes to all Hosts and make sure "Host" is exactly the same as "Hostname".

Host host1.example.com
    HostName host1.example.com
    User username1
    ForwardAgent yes
Host host2.example.com
    HostName host2.example.com
    User username2
    ForwardAgent yes

After these changes the workaround was fine for me :)

lars18th commented 4 years ago

Hi,

As commented in the second post of this issue, using a very simple external tool you can do it without trouble: https://github.com/microsoft/vscode-remote-release/issues/61#issuecomment-489307939 . That solution is simpler than touching the ssh config file.

Regards.

Kadeluxe commented 4 years ago

One bat file is simpler.

lars18th commented 4 years ago

> One bat file is simpler.

But it requires some configuration for every project. The alternative is a simple daemon tool that runs in parallel to the pageant daemon and it's transparent. So you can create a bat file to launch both with one click and forget!

Anyway, any solution is useful. :wink:

Kadeluxe commented 4 years ago

Honestly for me it works without any configuration... Moreover, I think ssh config file supports wildcard so you can use

Host *
  ForwardAgent yes

if you need to use that for all hosts.

sdwru commented 4 years ago

Using the *.bat file and after changing to Host root@somehost1.example.com I get the following error in VSC console output

If you trust this host, enter "y" to add the key to
> PuTTY's cache and carry on connecting.
> If you want to carry on connecting just once, without
> adding the key to the cache, enter "n".
> If you do not trust this host, press Return to abandon the
> connection.
> Store key in cache? (y/n) Connection abandoned.
> The process tried to write to a nonexistent pipe.

So I have to run the command I see further up in the output manually in a Windows Command Prompt the first time on a new server so that I can manually answer y to the question.

C:\User\Someuser>"c:\plink.exe" -ssh -T -D 55499 root@host1.example.com bash

After I do that it works in VSC. So this still feels like a hacky workaround to me.

Kadeluxe commented 4 years ago

You need to connect once using PuTTY to save the key since it stores them separately from Windows' native SSH, VS Code or whatever.

sdwru commented 4 years ago

> You need to connect once using PuTTY to save the key since it stores them separately from Windows' native SSH, VS Code or whatever.

I am constantly setting up and tearing down new servers so having to do that separately is not really a great solution for me.

Compare that to my current workflow with WinSCP. WinSCP asks me this question in the GUI the first time I connect and I just hit the spacebar (defaults to yes) without even thinking about it. So at a minimum, this is something I would expect VSC to do, which it probably would if Pageant was supported natively on VSC, unless there is some way to configure this to always automatically answer y.

Kadeluxe commented 4 years ago

Well, you can do echo y | plink -ssh root@REMOTE_IP_HERE "exit" in bat file before actual plink connection. I mean, it's still a workaround so I don't know how to do it better.

sdwru commented 4 years ago

> Well, you can do echo y | plink -ssh root@REMOTE_IP_HERE "exit" in bat file before actual plink connection. I mean, it's still a workaround so I don't know how to do it better.

Thanks for the info. I was actually just trying to do that. :)

sdwru commented 4 years ago

So now the other problem I have run into is that I cannot use ports other than 22. That's kind of a deal breaker for me because I run all my servers on non-standard SSH ports and they are not all the same so changing that globally is not an option either.

Adding Port to the config file as per the documentation doesn't work. It's ignored for some reason. Adding it to the end of Host (ie. Host root@host1.example.com:XXXX) doesn't work because VSC converts that to -p XXXX in the command line which is what ssh.exe expects but plink.exe expects capital -P XXXX.

Kadeluxe commented 4 years ago

I guess you can't get away with simple bat file then. Proper wrapper needed at this point to parse args and convert them to whatever plink wants.

I mean, of course this should be resolved in VS Code directly but for now I'm out of ideas sadly apart from creating a proper program wrapper or patching Plink.
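
The argument-translating wrapper described above, as an added example that is not part of the original thread: it rewrites OpenSSH's -p to plink's -P, answers -V with the banner the thread's batch files use, drops the OpenSSH-only -o and -F options, and replaces the "echo y |" host-key step with plink's -batch plus a pinned -hostkey. The pin table and its placeholder fingerprint are constructed, the function name is hypothetical, and launching the script through a .bat that calls Python is an assumption.

```python
import subprocess
import sys

PLINK = r"C:\Program Files\PuTTY\plink.exe"  # path as used in the thread

# Constructed placeholder: replace with fingerprints obtained out of band,
# in a format your plink release accepts for -hostkey.
HOSTKEY_PINS = {"host1.example.com": "<fingerprint-of-host1>"}

DROPPED_WITH_VALUE = {"-o", "-F"}             # OpenSSH-only, no plink equivalent
PASSED_WITH_VALUE = {"-D", "-L", "-R", "-l"}  # same spelling in both clients


def translate(argv):
    """Map an OpenSSH-style argv (without argv[0]) to a plink command line.

    Returns None when the caller only asked for the version banner (-V).
    """
    opts, i = [], 0
    while i < len(argv) and argv[i].startswith("-"):
        arg = argv[i]
        if arg == "-V":
            return None
        takes_value = arg == "-p" or arg in DROPPED_WITH_VALUE | PASSED_WITH_VALUE
        if takes_value and i + 1 >= len(argv):
            raise ValueError(f"option {arg} needs a value")
        if arg == "-p":
            opts += ["-P", argv[i + 1]]        # plink spells the port option -P
        elif arg[:2] == "-p" and arg[2:].isdigit():
            opts += ["-P", arg[2:]]            # joined form, e.g. -p2222
        elif arg in PASSED_WITH_VALUE:
            opts += [arg, argv[i + 1]]
        elif arg not in DROPPED_WITH_VALUE:
            opts.append(arg)                   # e.g. -T, passed through as-is
        i += 2 if takes_value else 1
    if i >= len(argv):
        raise ValueError("no destination given")
    dest, remote_cmd = argv[i], argv[i + 1:]
    host = dest.rsplit("@", 1)[-1]
    # -batch: plink never prompts, so an unknown host key ends the connection
    # instead of waiting on "Store key in cache? (y/n)".
    cmd = [PLINK, "-ssh", "-batch"]
    pin = HOSTKEY_PINS.get(host)
    if pin:
        cmd += ["-hostkey", pin]               # accept only the pinned key
    return cmd + opts + [dest] + remote_cmd


if __name__ == "__main__":
    command = translate(sys.argv[1:])
    if command is None:
        print("OpenSSH wrapper for plink")     # banner text from the thread
        sys.exit(0)
    sys.exit(subprocess.call(command))
```

A host without a pin is refused on first contact rather than accepted blindly, so new servers need their fingerprint added to the table before VS Code can connect.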

sdwru commented 4 years ago

I think I finally managed to get it working the original way as described at the top of this discussion.

The supposed improved way using plink.exe in a bat file as described near the bottom of this discussion is a non-starter as far as I'm concerned because it requires manually running the command outside of VSC the first time and doesn't work with SSH ports other than 22.

benliddicott commented 4 years ago

A similar batch file workaround works for me provided

Here is the contents of my batch file

@echo off
set SCRIPTDIR=%~dp0
if ARG%1==ARG-V goto :VERSION
plink %1 %2 %3 %4 %5 %6 %7 %8 %9

goto :EOF
:VERSION
echo "OpenSSH wrapper for plink"
:EOF

And, if I have a .ssh/config entry like this:

Host foo-server1
    HostName 192.35.46.57
    User foouser
    ForwardAgent yes
    ForwardX11 yes
    TCPKeepAlive yes

Then I have to set up an identical configuration in PuTTY with the same name, and connect to it once.

That done, VS code can connect.

Benargee commented 4 years ago

I just keep getting the remote host may not meet vscode server prerequisites for glibc and libstdc++ every time I try either of these bash files. I'm on Win 7. I can get it working with password authentication with the regular G4W ssh.exe but would really like to get it working with Pageant/KeePass/KeeAgent for automatic key auth. KeeAgent works with PuTTY without issue.

Tremolo4 commented 4 years ago

@Benargee If you can get it working with G4W, then maybe the bundled ssh-pageant will work for you?

In order to make VS Code use G4W ssh.exe, you need to uninstall the Windows-bundled OpenSSH (via "Add or remove programs", "Optional features").

Then, to make it use your PuTTY Pageant keys, you need to set up ssh-pageant in your .bashrc and add an env var to make it visible to VS Code. See my previous comment for details.

sdwru commented 4 years ago

This is still a far cry from having native support in VSC. I've managed to get this working on a couple computers but it was a struggle each time. I keep checking the change logs every time there is a VSC update hoping one day they put it in there.

Tremolo4 commented 4 years ago

Yeah it's a hassle to set up. But it's also a complicated problem for VS Code to solve completely, since it depends on which ssh.exe is used for example. Hard to make sure it doesn't break in some corner case.

CoryXie commented 4 years ago

Below 2 steps worked for me:

1) Created a VSC.bat with content and set the Remote.SSH: Path settings, both exactly as @Kadeluxe originally wrote.

echo OpenSSH
"C:\Program Files\PuTTY\plink.exe" -ssh %*

2) Update the ssh config file with below format:

Host *
  ForwardAgent yes

Host username@remote.host

I-am-not-a-number commented 3 years ago

> Host *
>   ForwardAgent yes
>
> Host username@remote.host

I can't get this to work, ssh is used instead ...

[15:32:59.263] Checking ssh with ""C:\test\VSC_SSH.bat" -V"
[15:32:59.265] Got error from ssh: spawn "C:\test\VSC_SSH.bat" ENOENT
[15:32:59.265] The specified path "C:\test\VSC_SSH.bat" is not a valid SSH binary
[15:32:59.265] Checking ssh with "ssh -V"
[15:32:59.281] > OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5

I even added a "-V" switch to the batch file, duplicating the "ssh -V" reply.

Cheers and Thanks :-)

benliddicott commented 3 years ago

@I-am-not-a-number check out the batch file in my comment https://github.com/microsoft/vscode-remote-release/issues/61#issuecomment-645950231

sergey-somkov commented 3 years ago

This note is important: https://github.com/microsoft/vscode-remote-release/issues/61#issuecomment-645950231

> Then I have to set up an identical configuration in PuTTY with the same name, and connect to it once.

plink treats host parameter as a PuTTY saved session name:

"C:\Program Files\PuTTY\plink.exe" --help
Plink: command-line connection utility
Release 0.70
Usage: plink [options] [user@]host [command]
       ("host" can also be a PuTTY saved session name)

So you just create and save PuTTY session, run pageant and use saved session from VSC.

bersbersbers commented 3 years ago

Related: https://github.com/billziss-gh/sshfs-win/issues/267#issuecomment-780765181 and below (still WIP), in particular, https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/pageant-named-pipe.html