Open amurzeau opened 2 years ago
Workaround: Use something like https://github.com/tprasadtp/pipe-ssh-pageant or https://github.com/amurzeau/ssh-agent-bridge to redirect requests that commands in the container make on \\.\pipe\openssh-ssh-agent, through VSCode's own ssh-agent bridge, to either Pageant or Git Bash's agent.
But I also successfully made VSCode forward ssh-agent requests to Git Bash's ssh-agent with this change. The following is a diff between:
The extension.js file is here: %USERPROFILE%\.vscode\extensions\ms-vscode-remote.remote-containers-0.234.0\dist\extension\extension.js
The modification consists in changing existing code that trigger when
\\.\pipe\
I don't know what the purpose of the original code was, but it seemed close enough to the implementation of Git Bash's ssh-agent, given what it does and when it is triggered.
I've changed the way the handshake is made, based on what Git Bash's ssh-agent expects:
!<socket >63488 s 44693F4F-E2572CA5-537862AB-248DFDEF
63488
skipUnixSocketHeader
)skipUnixSocketHeader
; this is a function that just skips the handshake data). As the server sends back data in the handshake phase (16 + 12 bytes), I need to skip it by using skipUnixSocketHeader.
Then actual data transfer can take place.
See also: https://stackoverflow.com/questions/23086038/what-mechanism-is-used-by-msys-cygwin-to-emulate-unix-domain-sockets https://github.com/abourget/secrets-bridge/blob/094959a1553943e0727f6524289e12e8aab697bf/pkg/agentfwd/agentconn_windows.go#L15
--- orig.js 2022-05-24 23:26:59.410007100 +0200
+++ fixed.js 2022-05-24 23:28:30.064495500 +0200
@@ -41675,25 +41675,64 @@
connect: n
}
}
+function unixSocketCookieToBuffer(guid) {
+ var bytes = [];
+ guid.split('-').map((number, index) => {
+ var bytesInChar = number.match(/.{1,2}/g).reverse();
+ bytesInChar.map((byte) => {
+ bytes.push(parseInt(byte, 16));
+ });
+ });
+ return Buffer.from(bytes);
+}
+function skipUnixSocketHeader() {
+ var headerSize = 16 + 12;
+ var Through = fT();
+ return Through(function (buf) {
+ if (buf.length > headerSize) {
+ var removeSize = buf.length - headerSize;
+ buf.copy(buf, 0, removeSize);
+ headerSize = 0;
+ this.queue(buf);
+ } else {
+ headerSize = headerSize - buf.length;
+ }
+ })
+}
function Z9(t) {
if (process.platform !== "win32" || t.startsWith("\\\\.\\pipe\\"))
return kD.duplex(Kp.connect(t));
let e = new Kp.Socket;
- return (async() => {
- let r = await Oe(t),
- n = r.indexOf(10),
- i = parseInt(r.slice(0, n).toString(), 10),
- o = r.slice(n + 1);
- e.connect(i, "127.0.0.1", () => {
- e.write(o, s => {
- s && (console.error(s), e.destroy())
+ (async() => {
+ let unixDomainSocketFileData = await Oe(t),
+ str = unixDomainSocketFileData.toString(),
+ params = str.match(/!<socket >(\d+)( s)? ([A-Fa-f0-9-]+)/),
+ portStr = params[1],
+ unixDomainSocketCookie = unixSocketCookieToBuffer(params[3]),
+ port = parseInt(portStr, 10);
+ e.connect(port, "127.0.0.1", () => {
+ e.write(unixDomainSocketCookie, s => {
+ if (s) {
+ console.error(s);
+ e.destroy();
+ } else {
+ var buf = Buffer.alloc(12);
+ buf.writeUInt32LE(process.pid, 0);
+ e.write(buf, s => {
+ s && (console.error(s), e.destroy())
+ });
+ }
})
})
})().catch(r => {
console.error(r),
e.destroy()
- }),
- kD.duplex(e)
+ });
+ var connection = kD.duplex(e);
+ return {
+ source: skipUnixSocketHeader()(connection.source),
+ sink: connection.sink
+ }
}
function AD(t, e, r) {
return t === "linux" ? e === r : e.toLowerCase() === r.toLowerCase()
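Review bot: In `skipUnixSocketHeader`, the branch taken when a chunk is longer than the remaining header does not drop the header: `buf.copy(buf, 0, removeSize)` copies the tail of the chunk over its start and then queues the whole buffer at its original length, so a read that carries handshake bytes together with the first agent reply forwards corrupted data. Slicing keeps the payload intact, e.g. `this.queue(buf.slice(headerSize)); headerSize = 0;`. Separately, `Z9` discards the server's 16 + 12 reply bytes unread; if the first 16 are the echoed cookie (presumably, the hunk does not show it), comparing them with `unixDomainSocketCookie` before any agent traffic is forwarded would confirm that whatever is listening on the port named in the socket file is really the agent. `params` is also dereferenced without a null check, so an unrecognised socket file only surfaces as a TypeError in the outer `.catch`; an explicit error such as `if (!params) throw new Error("unsupported socket file format");` would be clearer.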
I think that function is also here: https://github.com/devcontainers/cli/blob/839ef66ae95820b41b3faec09764e6d30fc8abb4/src/spec-common/cliHost.ts#L88
Start script in git bash:
ssh-agent sh -c 'ssh-add ~/.ssh/id_rsa; ./code.exe'
Log of
ssh-add -l
in PowerShell (local command to check that SSH_AUTH_SOCK and ssh are working, key content replaced with 0s):
Starting a devcontainer using Docker Desktop gives this message:
C:/Users/user/AppData/Local/Temp/ssh-EXqkeSdl9JlB/agent.2428
matches the SSH_AUTH_SOCK
set by ssh-agent.
When trying to
ssh-add -l
in a terminal inside the devcontainer, I get this error:
And at the same time, the devcontainer logs show this:
Steps to Reproduce:
~/.ssh/id_rsa
in Git Bash for Windows
ssh-agent sh -c 'ssh-add ~/.ssh/id_rsa; ./code.exe'
ssh-add -l
, it shows the added key
ssh-add -l
I expect Git for Windows' ssh-agent to be forwarded inside the devcontainer, as it is with the PowerShell OpenSSH Win32 ssh-agent. I can't use the latter because the Windows ssh-agent service is disabled by the enterprise and I don't have admin rights to change that.
Does this issue occur when you try this locally?: No Does this issue occur when you try this locally and all extensions are disabled?: No