Git: SSH error Permission denied in WSL2 + Remote Containers

[hastarin]

Issue Type: Bug

When using a remote container within WSL2 that has ssh-agent (in this case using keychain) setup to cache credentials I can use git fine from my terminal.

However trying to use the Source Control tools with Git results in an error:

git@my-redacted-host.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

There is plenty of advice/documentation prior to WSL2 but with this particular combination I can't find any documentation.

VS Code version: Code - Insiders 1.48.0-insider (15ada625f20086007e2c4aa0d760234360cd648f, 2020-07-30T14:43:12.691Z) OS version: Windows_NT x64 10.0.19041 Remote OS version: Linux x64 4.19.104-microsoft-standard

System Info

|Item|Value| |---|---| |CPUs|Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz (8 x 3408)| |GPU Status|2d_canvas: enabled
flash_3d: enabled
flash_stage3d: enabled
flash_stage3d_baseline: enabled
gpu_compositing: enabled
multiple_raster_threads: enabled_on
oop_rasterization: disabled_off
opengl: enabled_on
protected_video_decode: unavailable_off
rasterization: enabled
skia_renderer: disabled_off_ok
video_decode: enabled
vulkan: disabled_off
webgl: enabled
webgl2: enabled| |Load (avg)|undefined| |Memory (System)|15.91GB (2.73GB free)| |Process Argv|| |Screen Reader|no| |VM|0%| |Item|Value| |---|---| |Remote|Dev Container: vscode-dev-aws| |OS|Linux x64 4.19.104-microsoft-standard| |CPUs|Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz (8 x 3407)| |Memory (System)|7.77GB (0.21GB free)| |VM|0%|

Extensions (17)

Extension|Author (truncated)|Version ---|---|--- remote-containers|ms-|0.128.0 remote-ssh-edit-nightly|ms-|2020.7.38340 remote-ssh-explorer-nightly|ms-|2019.8.31680 remote-ssh-nightly|ms-|2020.7.38340 remote-wsl|ms-|0.44.4 aws-toolkit-vscode|ama|1.12.0 vscode-markdownlint|Dav|0.36.2 gitlens|eam|10.2.2 gitlab-workflow|Git|3.1.0 aws-cli-configure|mar|0.3.0 vsliveshare|ms-|1.0.2478 vsliveshare-audio|ms-|0.1.85 vsliveshare-pack|ms-|0.4.0 resourcemonitor|mut|1.0.7 trailing-spaces|sha|0.3.1 gitflow|vec|1.2.1 markdown-all-in-one|yzh|3.2.0

[hastarin]

Adding some additional info: I have confirmed that git is the version in the container, not WSL2, and not Windows.

[gundamkid]

i got same issue. Everrything is fine on wsl terminal, but didn't work on VSCode. My Environtment

Version: 1.50.1 (user setup) Commit: d2e414d9e4239a252d1ab117bd7067f125afd80a Date: 2020-10-13T15:06:15.712Z Electron: 9.2.1 Chrome: 83.0.4103.122 Node.js: 12.14.1 V8: 8.3.110.13-electron.0 OS: Windows_NT x64 10.0.18362

[hastarin]

@gundamkid I did get this working again for me in a more recent version.

It involved installing the socat package under the WSL2 container. I'm afraid I can't recall exactly where I learned I needed to do that.

[gundamkid]

Thank you @hastarin

I resolved this issue. My way is install zsh to my WSL2-Ubuntu and enable plugin ssh-agent and import my private key

zstyle :omz:plugins:ssh-agent identities id_rsa.

After all, boom! Everything is fine!

[raulbrennersc]

I'm having the same problem. In my case I'm running kubuntu 20.10 (no wsl). All git operations work fine in the terminal but nothing works inside the devcontainer. Here it says "the extension will automatically forward your local SSH agent if one is running" but it looks like that's not happening.

Edit: I checked echo $SSH_AUTH_SOCK inside the container and it is actually forwarded, but for some reason ssh-add is not using it. When I run ssh-add -l the response is 'The agent has no identities'.

[dave-500]

I also have this problem. Works fine in the terminal but in the container echo $SSH_AUTH_SOCK shows it is not being forwarded and ssh-add -l shows "Could not open a connection to your authentication agent."

[banditopazzo]

I have the same issue. Different version and different OS. Outside of vscode terminal git works fine.

The variable SSH_AUTH_SOCK is empy in vscode terminal. Instead is /run/user/<myusername>/keyring/ssh outside

Version: 1.56.2
Commit: 054a9295330880ed74ceaedda236253b4f39a335
Date: 2021-05-16T15:21:33.370Z
Electron: 12.0.9
Chrome: 89.0.4389.128
Node.js: 14.16.0
V8: 8.9.255.25-electron.0
OS: Linux x64 5.12.10-arch1-1

[banditopazzo]

I have checked today and the issue seems to be solved for me. Current version:

Version: 1.58.0
Commit: 2d23c42a936db1c7b3b06f918cde29561cc47cd6
Date: 2021-07-12T23:51:36.303Z
Electron: 12.0.14
Chrome: 89.0.4389.128
Node.js: 14.16.0
V8: 8.9.255.25-electron.0
OS: Linux x64 5.12.15-arch1-1

[gauravgola96]

I m getting ` [19:26:32.898] Log Level: 2 [19:26:32.898] remote-ssh@0.65.7 [19:26:32.899] darwin arm64 [19:26:32.899] SSH Resolver called for "ssh-remote+dev", attempt 1 [19:26:32.899] "remote.SSH.useLocalServer": true [19:26:32.899] "remote.SSH.path": undefined [19:26:32.899] "remote.SSH.configFile": undefined [19:26:32.899] "remote.SSH.useFlock": true [19:26:32.899] "remote.SSH.lockfilesInTmp": false [19:26:32.899] "remote.SSH.localServerDownload": auto [19:26:32.899] "remote.SSH.remoteServerListenOnSocket": false [19:26:32.899] "remote.SSH.showLoginTerminal": true [19:26:32.899] "remote.SSH.defaultExtensions": [] [19:26:32.900] "remote.SSH.loglevel": 2 [19:26:32.900] SSH Resolver called for host: dev [19:26:32.900] Setting up SSH remote "dev" [19:26:32.901] Acquiring local install lock: /var/folders/7s/hfywjlmx2_jddvfmrmbww2s40000gn/T/vscode-remote-ssh-cn-dev-ai-experiments-db.us-central1-a.conversenow-dev-install.lock [19:26:32.914] Looking for existing server data file at /Users/gaurav/Library/Application Support/Code/User/globalStorage/ms-vscode-remote.remote-ssh/vscode-ssh-host-dev-3866c3553be8b268c8a7f8c0482c0c0177aa8bfa-0.65.7/data.json [19:26:32.914] Using commit id "3866c3553be8b268c8a7f8c0482c0c0177aa8bfa" and quality "stable" for server [19:26:32.915] Install and start server if needed [19:26:32.918] PATH: /Users/gaurav/google-cloud-sdk/bin:/Users/gaurav/miniforge3/condabin:/opt/homebrew/bin:/Library/Frameworks/Python.framework/Versions/3.8/bin:/Library/Frameworks/Python.framework/Versions/3.9/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/go/bin [19:26:32.918] Checking ssh with "ssh -V" [19:26:32.923] > OpenSSH_8.1p1, LibreSSL 2.7.3

[19:26:32.925] askpass server listening on /var/folders/7s/hfywjlmx2_jddvfmrmbww2s40000gn/T/vscode-ssh-askpass-36ae1727120b25a47fa961db09e6b3d4a263f5cf.sock [19:26:32.925] Spawning local server with {"serverId":1,"ipcHandlePath":"/var/folders/7s/hfywjlmx2_jddvfmrmbww2s40000gn/T/vscode-ssh-askpass-2f880d6c105d1bf376d5815921d14ce323d80964.sock","sshCommand":"ssh","sshArgs":["-v","-T","-D","57739","-o","ConnectTimeout=60","cn-dev-ai-experiments-db.us-central1-a.conversenow-dev"],"dataFilePath":"/Users/gaurav/Library/Application Support/Code/User/globalStorage/ms-vscode-remote.remote-ssh/vscode-ssh-host-cn-dev-ai-experiments-db.us-central1-a.conversenow-dev-3866c3553be8b268c8a7f8c0482c0c0177aa8bfa-0.65.7/data.json"} [19:26:32.925] Local server env: {"DISPLAY":"1","ELECTRON_RUN_AS_NODE":"1","SSH_ASKPASS":"/Users/gaurav/.vscode/extensions/ms-vscode-remote.remote-ssh-0.65.7/out/local-server/askpass.sh","VSCODE_SSH_ASKPASS_NODE":"/private/var/folders/7s/hfywjlmx2_jddvfmrmbww2s40000gn/T/AppTranslocation/8F48C16F-7B3D-44CC-BE62-23642FFC8EB0/d/Visual Studio Code.app/Contents/Frameworks/Code Helper (Renderer).app/Contents/MacOS/Code Helper (Renderer)","VSCODE_SSH_ASKPASS_MAIN":"/Users/gaurav/.vscode/extensions/ms-vscode-remote.remote-ssh-0.65.7/out/askpass-main.js","VSCODE_SSH_ASKPASS_HANDLE":"/var/folders/7s/hfywjlmx2_jddvfmrmbww2s40000gn/T/vscode-ssh-askpass-36ae1727120b25a47fa961db09e6b3d4a263f5cf.sock"} [19:26:32.926] Spawned 16150 [19:26:33.080] > local-server-1> Spawned ssh, pid=16157 [19:26:33.082] stderr> OpenSSH_8.1p1, LibreSSL 2.7.3 [19:26:34.940] stderr> debug1: Server host key: ecdsa-sha2-nistp256 SHA256:kgSsdVVN0cWnwUnkoXdsWYrYBEj670i36R/v1s9A5xw [19:26:38.688] stderr> gaurav@**.***.23.91: Permission denied (publickey). [19:26:38.689] > local-server-1> ssh child died, shutting down [19:26:38.692] Local server exit: 0 [19:26:38.692] Received install output: local-server-1> Spawned ssh, pid=16157 OpenSSH_8.1p1, LibreSSL 2.7.3 debug1: Server host key: ecdsa-sha2-nistp256 SHA256:kgSsdVVN0cWnwUnkoXdsWYrYBEj670i36R/v1s9A5xw gaurav@35.239.23.91: Permission denied (publickey). local-server-1> ssh child died, shutting down

[19:26:38.694] Resolver error: Error: Permission denied (publickey). at Function.Create (/Users/gaurav/.vscode/extensions/ms-vscode-remote.remote-ssh-0.65.7/out/extension.js:1:64659) at /Users/gaurav/.vscode/extensions/ms-vscode-remote.remote-ssh-0.65.7/out/extension.js:1:62853 at Object.t.handleInstallOutput (/Users/gaurav/.vscode/extensions/ms-vscode-remote.remote-ssh-0.65.7/out/extension.js:1:63238) at Object.e [as tryInstallWithLocalServer] (/Users/gaurav/.vscode/extensions/ms-vscode-remote.remote-ssh-0.65.7/out/extension.js:1:387573) at processTicksAndRejections (internal/process/task_queues.js:93:5) at async /Users/gaurav/.vscode/extensions/ms-vscode-remote.remote-ssh-0.65.7/out/extension.js:1:294473 at async Object.t.withShowDetailsEvent (/Users/gaurav/.vscode/extensions/ms-vscode-remote.remote-ssh-0.65.7/out/extension.js:1:406463) at async /Users/gaurav/.vscode/extensions/ms-vscode-remote.remote-ssh-0.65.7/out/extension.js:1:386112 at async E (/Users/gaurav/.vscode/extensions/ms-vscode-remote.remote-ssh-0.65.7/out/extension.js:1:382710) at async Object.t.resolveWithLocalServer (/Users/gaurav/.vscode/extensions/ms-vscode-remote.remote-ssh-0.65.7/out/extension.js:1:385728) at async Object.t.resolve (/Users/gaurav/.vscode/extensions/ms-vscode-remote.remote-ssh-0.65.7/out/extension.js:1:295870) at async /Users/gaurav/.vscode/extensions/ms-vscode-remote.remote-ssh-0.65.7/out/extension.js:127:110656 [19:26:38.697] ------

`

[lukasz-karolewski]

Underlying error is this:

Host server: (node:2340) UnhandledPromiseRejectionWarning: Error: spawn socat EACCES at Process.ChildProcess._handle.onexit (internal/child_process.js:269:19) at onErrorNT (internal/child_process.js:465:16) at processTicksAndRejections (internal/process/task_queues.js:80:21) (node:2340) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag --unhandled-rejections=strict (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 32) [2022-01-11T07:15:31.579Z] Stop (34 ms): Run in Host: socat - UNIX-CONNECT:/tmp/ssh-Wh05TwSHiWXz/agent.77 [2022-01-11T07:15:31.579Z] socat did not launch: Error: spawn socat EACCES

[hastarin]

After setting up a new PC and having the same issue I've managed to further isolate the problem after a few hours of wasted productivity. 😢

NOTE: Installing socat, and otherwise trying to follow the existing documentation, did NOT help.

The problem

When code is launched from within WSL2 the socket that's getting forwarded is to the OpenSSH Agent running under Windows, and NOT the ssh-agent running under WSL2!

Workaround

For now my workaround was to add my Windows SSH key to my Gitlab profile to allow it access.

[erhant]

I also ran into this problem while trying to connect to a few repos using deploy keys. The solution above by @gundamkid worked for me:

# within your .zshrc
plugins=(git ssh-agent) # ... your plugins 
zstyle :omz:plugins:ssh-agent identities your_key_1 your_key_2 # ...

[mosesoak]

Also resolved the error on WSL2 + ZSH using @gundamkid 's solution, thanks! (Had to restart then it worked)

One caveat still:

Signed commits don't work out the box. VS Code fails to prompt for the id_rsa password, it just errors with

error: gpg failed to sign the data
fatal: failed to write commit object

I have my ~/.gnupg/gpg-agent.conf file set up with a pin entry program, so the workaround currently is to make a commit in the built-in terminal, enter the password once, then Source Control will be able to commit after that.