microsoft / vscode-remote-release

Visual Studio Code Remote Development: Open any folder in WSL, in a Docker container, or on a remote machine using SSH and take advantage of VS Code's full feature set.
https://aka.ms/vscode-remote

key passphrase periodically removed from keyring #6404

Open moredanphysics opened 2 years ago

moredanphysics commented 2 years ago

I use vscode on ArchLinux with remote-ssh which uses my GPG authentication subkey to access my remote machine via my local gpg-agent. Connection works well: vscode connects to my gpg-agent and pinentry asks me for the key passphrase and saves it in my local keyring. However, some time later (a few seconds or up to an hour; no obvious trigger such as git pull or push etc.) vscode removes the passphrase from the keyring and I'm then obviously prompted again for the passphrase. Has anyone encountered this?

I stopped using the gnome-keyring and tried a dedicated keepassxc database using the secret services functionality in keepassxc. That's nice because now I get a prompt before deletion of the passphrase and I just refuse deletion. After the refusal, everything carries on working fine! But I don't understand why vscode tries to remove the passphrase in the first place. Is there a timeout (clear the passphrase for security reasons?) that I can configure somewhere?

Steps to Reproduce:

  1. I run vscode with the following command: GPG_AGENT_INFO=$(gpgconf --list-dirs agent-socket):0:1 /usr/bin/code
  2. Connect with key via gpg-agent and save key passphrase in local keyring
  3. Watch the keyring like a hawk and eventually vscode seems to delete the passphrase

Does this issue occur when you try this locally?: N/A
Does this issue occur when you try this locally and all extensions are disabled?: N/A

tanhakabir commented 2 years ago

This sounds like a duplicate of https://github.com/microsoft/vscode-remote-release/issues/6314?

moredanphysics commented 2 years ago

I see what you mean, but from what I understood of that issue, the focus was on disconnection. I never saw any evidence of being disconnected, and if I refuse to re-enter the passphrase then there is no problem in vscode and it all works as if there had never been a prompt.

What's weird here, that I didn't see described there, is that vscode is actively manipulating the keyring and removing a passphrase!

CrfzdPQM6 commented 2 years ago

Just to update this issue, I'm still seeing the problem with Visual Studio Code - Insiders 1.65.0-insider

roblourens commented 1 year ago

Sorry, I'm not sure what the issue is, but I'm sure that vscode is not deleting keys from your gpg agent.

CrfzdPQM6 commented 1 year ago

Hi @roblourens thanks for commenting, but you were a bit dismissive. How do you know? That's exactly what seems to have been happening.

CrfzdPQM6 commented 1 year ago

Related: vscode intermittently pings me for my GPG key passphrase when it's open - I guess it's something to do with editing a folder that contains a git repository, for which permissions depend on my key being accessible. But I don't know what operations vscode is attempting in the background that would lead to that.

I ended up moving my keyring inside another password manager which would prompt me before allowing any edits. Using this setup I can deny vscode access to my keyring unless I know why it's asking for it. How can I understand vscode's behaviour better, @roblourens ?

roblourens commented 1 year ago

I know that Remote-SSH isn't doing that. @lszomoru, can you think of any reason that the git gpg support would cause a passphrase to be removed from the keyring?

I ended up moving my keyring inside another password manager which would prompt me before allowing any edits. Using this setup I can deny vscode access to my keyring unless I know why it's asking for it.

@CrfzdPQM6 If this setup enables you to prove that vscode is attempting to delete the passphrase, I'd be interested to hear more

CrfzdPQM6 commented 1 year ago

This is happening a lot to me at the moment (multiple times today) with a particular set of repositories in one vscode window. Is there a way to debug queries to the keychain so that I can identify the calls that delete the key? It seems to delete my ssh key when stored within my keychain.

I'm not 100% sure that it's not another rogue application, but the problem only seems to be present when I have a particular vscode window open.

roblourens commented 1 year ago

I wonder what extensions you have installed and whether this still happens if you disable them all? I don't even see anywhere that we use GPG_AGENT_INFO in the vscode codebase

CrfzdPQM6 commented 1 year ago

Interesting thought. My money's on the remote/SSH development extensions. I've removed them; let's see how it goes.

roblourens commented 1 year ago

I don't think Remote-SSH is doing this either, but it might still be an issue that only happens in a remote window. Either from another extension or something about your ssh and gpg configuration itself.

CrfzdPQM6 commented 1 year ago

It's happening in a non-remote window, though... (in fact none of my open windows are remote)

roblourens commented 1 year ago

Optimistically assigning to @lszomoru since I think the git extension is the most likely candidate?

CrfzdPQM6 commented 1 year ago

Interesting. I set dbus-monitor running and immediately navigated to my vscode window that I suspect. After 1 second on that window, I went back to keepassxc and saw that the gpg key had been removed from my keepassxc keyring. There are 1500 lines of text in the log, and I can't identify vscode amongst them, but the timing was too close for it to be anything else. And amongst those lines I do see what looks like a deletion request: method call time=1671483368.434655 sender=:1.704 -> destination=org.freedesktop.secrets serial=9 path=/org/freedesktop/secrets/collection/KP_<redacted>; interface=org.freedesktop.Secret.Item; member=Delete

CrfzdPQM6 commented 1 year ago

Optimistically assigning to @lszomoru since I think the git extension is the most likely candidate?

My instinct is that it's connected to git. The behaviour happens in a window to a folder containing maybe 10 different git repositories in it, and authentication to the gitlab server happens with my GPG authentication subkey.

CrfzdPQM6 commented 1 year ago

(and, of course, the missing subkey in the keyring at the end of this process is the authentication one). Not sure how I can prove that this is vscode, though.

roblourens commented 1 year ago

Do you know how to interpret this? sender=:1.704
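The two questions above (finding the Delete call in a 1500-line dbus-monitor capture, and interpreting a sender such as :1.704) can be answered with a small script. The following is an added example, not code from this thread or from the VS Code project. It parses `dbus-monitor --session` method-call header lines, keeps only the Secret Service calls that destroy stored credentials (Item.Delete and Collection.Delete), and resolves a unique bus name like :1.704 to a process ID by asking the bus daemon via the standard org.freedesktop.DBus.GetConnectionUnixProcessID method. The sample log embedded in the script is constructed to mirror the shape of the line quoted in the thread; the live PID lookup assumes dbus-send is installed and that the sending connection is still open, because a unique name such as :1.704 is only meaningful while that connection lives.

```python
"""Find Secret Service deletions in dbus-monitor output and identify the sender."""
import re
import subprocess
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `dbus-monitor --session` output (not the reporter's log).
# The first and last lines mirror the shape of the Delete call quoted in the
# thread; the rest is ordinary Secret Service traffic that must be ignored.
SAMPLE_LOG = """\
method call time=1671483368.434655 sender=:1.704 -> destination=org.freedesktop.secrets serial=9 path=/org/freedesktop/secrets/collection/KP_example/7; interface=org.freedesktop.Secret.Item; member=Delete
method call time=1671483368.500000 sender=:1.52 -> destination=org.freedesktop.secrets serial=10 path=/org/freedesktop/secrets/collection/login; interface=org.freedesktop.Secret.Collection; member=SearchItems
   array [
      dict entry(
         string "application"
         string "example"
      )
   ]
method return time=1671483368.510000 sender=:1.12 -> destination=:1.704 serial=44 reply_serial=9
   object path "/"
method call time=1671483369.000000 sender=:1.704 -> destination=org.freedesktop.secrets serial=11 path=/org/freedesktop/secrets/collection/KP_example/8; interface=org.freedesktop.Secret.Item; member=Delete
"""

# Header line of a method call as printed by dbus-monitor.
CALL_RE = re.compile(
    r"^method call time=(?P<time>[\d.]+) sender=(?P<sender>\S+) -> "
    r"destination=(?P<dest>\S+) serial=(?P<serial>\d+) "
    r"path=(?P<path>[^;]+); interface=(?P<iface>[^;]+); member=(?P<member>\S+)\s*$"
)

# Secret Service calls that remove stored credentials.
DESTRUCTIVE = {
    ("org.freedesktop.Secret.Item", "Delete"),
    ("org.freedesktop.Secret.Collection", "Delete"),
}


@dataclass(frozen=True)
class SecretCall:
    time: float
    sender: str
    path: str
    interface: str
    member: str


def parse_calls(log_text: str) -> List[SecretCall]:
    """Return every method call aimed at the Secret Service daemon."""
    calls = []
    for line in log_text.splitlines():
        m = CALL_RE.match(line)
        if m and m["dest"] == "org.freedesktop.secrets":
            calls.append(SecretCall(float(m["time"]), m["sender"], m["path"],
                                    m["iface"], m["member"]))
    return calls


def find_deletions(log_text: str) -> List[SecretCall]:
    """Keep only the calls that delete an item or a whole collection."""
    return [c for c in parse_calls(log_text) if (c.interface, c.member) in DESTRUCTIVE]


def deletions_by_sender(log_text: str) -> Dict[str, int]:
    """Count destructive calls per unique bus name, e.g. {':1.704': 2}."""
    return dict(Counter(c.sender for c in find_deletions(log_text)))


def pid_lookup_command(sender: str) -> List[str]:
    """argv asking the bus daemon which PID owns a unique connection name."""
    return ["dbus-send", "--session", "--print-reply", "--dest=org.freedesktop.DBus",
            "/org/freedesktop/DBus", "org.freedesktop.DBus.GetConnectionUnixProcessID",
            f"string:{sender}"]


def parse_pid_reply(reply_text: str) -> Optional[int]:
    """dbus-send prints the answer as a line like '   uint32 4242'."""
    m = re.search(r"uint32 (\d+)", reply_text)
    return int(m.group(1)) if m else None


def resolve_sender_pid(sender: str) -> Optional[int]:
    """Live lookup; only works while the sender's connection is still open."""
    try:
        out = subprocess.run(pid_lookup_command(sender), capture_output=True,
                             text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_pid_reply(out.stdout) if out.returncode == 0 else None


def process_name(pid: int) -> Optional[str]:
    """Command name from /proc, so a PID can be tied to an application."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for sender, n in deletions_by_sender(text).items():
        pid = resolve_sender_pid(sender)
        comm = process_name(pid) if pid else None
        print(f"{sender}: {n} delete call(s), pid={pid}, comm={comm}")
```

Run it against a saved capture with `python3 find_deletions.py < dbus.log`, or pipe `dbus-monitor --session "type='method_call',interface='org.freedesktop.Secret.Item',member='Delete'"` straight into it so only the interesting calls are captured in the first place. Because the PID lookup must happen while the sender is still connected, resolving it live (rather than from an old log) is what turns `:1.704` into a process; VS Code's extension host is a child process of the main `code` process, so a PID that maps to an extension host narrows the search to an installed extension rather than to core.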

lszomoru commented 1 year ago

@TylerLeonhardt, is it fair to assume that VS Code can only interact with the keyring through keytar? As far as I know, the vscode.git extension does not have any dependencies on keytar so I am not sure whether the vscode.git extension can remove a key from the keyring. I believe that the only "component" that uses keytar are the two authentication extensions (GitHub, Microsoft).

TylerLeonhardt commented 1 year ago

is it fair to assume that VS Code can only interact with the keyring through keytar?

Yes that's correct. VS Code core only interacts with the keychain through keytar.

Obviously, an extension being an open playing field... could use:

CrfzdPQM6 commented 1 year ago

I've continued to have problems with keys being removed from the system keyring, though I've been struggling to prove to myself that this is actually vscode! However, following a recent vscode update, I got this message as soon as I opened a big repository:

An OS keyring couldn't be identified for storing the encryption related data in your current desktop environment. Open the troubleshooting guide to address this or you can use weaker encryption that doesn't use the OS keyring

Here's a screenshot of the dialog that contained this message: (https://ibb.co/LQ4CKdT)

Any ideas for ways I can trace down what aspect of vscode (or my extensions to it) is interacting with my system to want to play with the keyring when certain repositories are open? I certainly use ssh keys (through my keyring) to authenticate repository access, but I'm not aware of what would be using this authentication in the background or attempting to manipulate the keyring.

CrfzdPQM6 commented 1 year ago

For what it's worth, the link it points me to is https://code.visualstudio.com/docs/editor/settings-sync#_troubleshooting-keychain-issues

TylerLeonhardt commented 1 year ago

Any ideas for ways I can trace down what aspect of vscode (or my extensions to it) is interacting with my system to want to play with the keyring when certain repositories are open?

At this point, there is no code in VS Code or built-in extensions that directly interacts with your keyring. We now use a feature of electron (which really turns around and calls Chromium) to encrypt & decrypt strings using a key stored in your keyring. In other words, VS Code no longer has the ability to arbitrarily write/delete keys in your keyring.

That message that you see is a result of the switch away from keytar, to using this Electron API. In the next version of VS Code, 1.83, we will no longer even ship a shim for keytar... https://github.com/microsoft/vscode/pull/192224

With that said, if you still think it's something in the VS Code realm, then it must be an extension that you installed, in which case, you can try disabling the ones you're suspicious of and see if the issue remains.