VS Code Connection To SAS Server Using Remote SSH Fails

[jandewitte]

Hi

I use a locally installed VS Code editor installed on a Windows 11 machine and try to connect to a remote SAS 9.4 M7 engine on a Windows 2019 server in AWS. I have v1.10.0 of the SAS Extension for VS Code installed. I set up an SSH connection with public and private key. I can connect to the SAS server from my workstation over SSH. I have configured a specific SSH connection profile as well. When I run my simple program I get an 'All configured authentication methods failed' message (see screenshot 2). I have the impression I am signed in (see screenshot 1), but I am not really sure. I would expect a pop up to provide username and password when I run the program as well.

Could you help to troubleshoot this issue?

Thanks Jan

[scnwwu]

are you following the steps in https://sassoftware.github.io/vscode-sas-extension/Configurations/Profiles/sas9ssh?

[jandewitte]

Yes, I followed these steps. Is there anything I can do to get more insight in what is going wrong? Thanks.

[scnwwu]

Is there any error/warning in the console? (Click Help > Toggle Developer Tools from the top menu bar.)

[jandewitte]

Yes, I enclosed them.

[scnwwu]

Hmm... it looks like a different error to your original 'All configured authentication methods failed' error? Are you saying you got 'All configured authentication methods failed' error on the UI, at the same time, this "Cannot read properties of null" error recieved in the console? Any other things in the console suspicious?

[jandewitte]

Sorry, the screenshot enclosed below came before the previous one in the console and the first error matches the popup in the GUI.

[scnwwu]

Would you also post a screen of the console above the 'All configured authentication methods failed' error? Thanks.

[jandewitte]

Yes, but it is a repetition of the same sequence.

[scnwwu]

Would you please try input vscode.process.env.SSH_AUTH_SOCK in the console and see if it replies the correct env variable you've set?

[jandewitte]

The command returns the value identical to the one in the setup documentation, see below.

[scnwwu]

@smorrisj for thoughts

[smorrisj]

A few things to look at:

1. Does ssh-agent have the private key file that was created? You can run ssh-add -L to list out the private key files that have been registered.

2. Are you able to successfully connect to the target server outside of the vscode/sas extension environment via password-less ssh using that same key file? Normally when we see the error mentioned above, this step will also fail, which means that something with the password-less setup isnt working correctly.

[jandewitte]

Hi As you can see in the screenshot below the key is present, and I can connect to the server over SSH in the terminal. I have to enter my password, though. Is there a way to revert to the state with the blue sign into SAS button as displayed in the 2nd screenshot? Thanks Jan

[smorrisj]

Thanks for the updates. A few answers below:

I have to enter my password, though

Can you double-check your ssh config and that the public key that was used has been copied over to the 94m7 server? Passwordless ssh will need to work for the ssh user being used, outside of vscode and the extension, in order to get rid of the auth error in the extension itself. Those items would be item 6 and item 9 in the ssh setup guide listed above.

Is there a way to revert to the state with the blue sign into SAS button as displayed in the 2nd screenshot?

This login method is mainly for SAS Viya connections. It's not really used for making the connection in this case, which is why you are seeing the "Your connection does not support...." messaging.

[jbreitman]

I am seeing the failure via macOS and Windows 10 when connecting to Linux. I ran the ssh server in debug mode and it looks like you are using ssh2js1.15.0 as the ssh client.

Once this client fails at user authentication, it does not try the other methods and disconnects. debug3: userauth_finish: failure partial=0 next methods="method1,method2,etc"

It would be great if you did not require people to use keys with the SSH_AUTH_SOCK variable and inherited their environment.

[scnwwu]

I am seeing the failure via macOS and Windows 10 when connecting to Linux. I ran the ssh server in debug mode and it looks like you are using ssh2js1.15.0 as the ssh client.

Once this client fails at user authentication, it does not try the other methods and disconnects. debug3: userauth_finish: failure partial=0 next methods="method1,method2,etc"

It would be great if you did not require people to use keys with the SSH_AUTH_SOCK variable and inherited their environment.

Feature request is tracked in #1059 separately.

[jandewitte]

Hi

Yes, the public key is on the SAS 9.4 server in the .ssh folder under my user. It is included in the authorized_keys file as well. The open SSH server is also 'running' on the SAS server. Thanks for clarifying the point about the SAS Sign In button.

[jandewitte]

I do have a further question, though: you indicated that this authentication method is passwordless and there is indeed no popup requesting SAS user credentials, but how does SAS authenticate the incoming SSH connection targeting the executable? I do not see any SAS specific item in the whole Remote SHH configuration setup. Thanks for your answer.

[smorrisj]

how does SAS authenticate the incoming SSH connection targeting the executable

In the ssh2 library that we use, we're delegating authentication to ssh-agent by setting the agent property of the config to the value that was set in SSH_AUTH_SOCK: https://github.com/sassoftware/vscode-sas-extension/blob/main/client/src/connection/ssh/index.ts#L75

The ssh-agent service will usually set this when the openssh service starts on windows.

The agent is looking at $HOME/.ssh/config entries to determine connection level details. The only thing we track in the extension's connection profile is the username itself. As @scnwwu mentioned, we do have some feature requests on the book to enhance the auth methods that we support when using the ssh connection method, through either using additional fallbacks, as well as supporting a more basic username/password authentication to ease friction.

Once ssh server authentication succeeds, we're interacting with SAS over the ssh session via interactive line mode: https://documentation.sas.com/doc/en/vdmmlcdc/8.1/pgmcli/n16ui9f6dacn8pn1t0y2hgxgi7wa.htm

[smorrisj]

We also support connecting to a SAS 9 Remote installation using IOM if that's an option for you?

https://sassoftware.github.io/vscode-sas-extension/Configurations/Profiles/sas9iom

It uses a traditional SAS username/password auth method and is generally easier to setup. The password gets entered once and then stored in the extension's secret storage area. It requires the ITC free download to work however, since we rely on the COM objects that it lays down to interact with the IOM apis.

[jandewitte]

Okay, thanks for clarifying that. We agree that the user name of the client (my PC on which I run VS Code) and the user name on the server (user name of my privileged account for server admin, without access to SAS) do not HAVE to match to make a successful SSH connection, as long as the public key is correctly set on the server (in the user directory of my privileged account)?

[jandewitte]

IOM and the SAS Integration Technology Client would be an awkward possible solution since we try to minimize the installation of additional components as it increases the maintenance and admin activities. Moreover, the ultimate solution for our business users would be to have the VS Code web app connecting to SAS 9.4 from our Linux Workbench server on code server. I have tried to setup the SSH connection in that environment as well but from your documentation I deduced that it is not a supported use case, correct?

[jbreitman]

FYI. I was able to get the remote SSH connection to the SAS Linux Server to work from a Windows Client. We leverage Kerberos for file system access and SSH Authentication, which is why this will be difficult for us to deploy, but I recognize that appears to be a limitation of the ssh2js library. My issue was not prioritizing the private / public key authentication and thinking that the client would continue through the authHandlers. Thanks for your help.

I followed the instructions below. https://sassoftware.github.io/vscode-sas-extension/Configurations/Profiles/sas9ssh/

[smorrisj]

I'm glad that it's working for you now!

@snlwih I think that as we discuss enhancements to the remote/ssh connection type, we should also have a spike to look into how we might add fallback support for the different ssh auth modes.

The ssh library we use supports an authHandler property on the config object that we might leverage to handle some of this.

[jandewitte]

Sorry, for us neither the SSH connection from VS Code on a Windows 11 PC to the SAS 9.4 M7 Windows 2019 server, nor the SSH connection from VS Code on code-server Workbench (as a web app, see screenshot) to the same SAS 9.4 M7 Windows 2019 server works correctly.

[smorrisj]

Okay, thanks for clarifying that. We agree that the user name of the client (my PC on which I run VS Code) and the user name on the server (user name of my privileged account for server admin, without access to SAS) do not HAVE to match to make a successful SSH connection, as long as the public key is correctly set on the server (in the user directory of my privileged account)?

The ssh user does not have to be the same, that would be the user that you use to connect to the ssh server itself.

[smorrisj]

as long as the public key is correctly set on the server (in the user directory of my privileged account)?

The private key needs to also be setup in ssh-agent by using ssh-add. In order for that to happen, you will also need the relevant entry in %USERPROFILE%/.ssh/config that specifies the identity file for the host in question.

[smorrisj]

the ultimate solution for our business users would be to have the VS Code web app connecting to SAS 9.4 from our Linux Workbench server on code server

Would that be a single hosted code-server deployment that multiple users would connect to, and then use the sas extension from there? If so, then Microsoft doesn't support code-server running in that manner:

https://code.visualstudio.com/docs/remote/vscode-server#_is-the-vs-code-server-designed-for-multiple-users-to-access-the-same-remote-instance

[YvesMarieLeDrogoff]

Hi @smorrisj, Thanks for your input. I've tried to follow what @jandewitte has done, but I haven't gone that far yet. I went through https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell But now that I am in VS Code and have installed the extension, I am stuck at the json.settings part which is beyond my understanding. Jan will be back from holiday next Monday and I am sure he will get back to you on this and catch the train.

[ShuguangSun]

If I understand correctly, you cann't use the SSH profile for a SAS(-server) on a windows box. The SSH profile currently is only for linux as it use the command line interactive SAS.

[jandewitte]

Could anyone confirm that we cannot use the SAS extension for VS Code to connect the SAS 9.4. exe installed on a remote Windows server? According to @ShuguangSun it is mandatory that the remote SAS 9.4 is installed on Linux server. Thanks.

[smorrisj]

Could anyone confirm that we cannot use the SAS extension for VS Code to connect the SAS 9.4. exe installed on a remote Windows server? According to @ShuguangSun it is mandatory that the remote SAS 9.4 is installed on Linux server. Thanks.

There are a few remote connection types that are supported. The 9.4 remote (ssh) connection type can only connect to SAS installed in a linux environment. This is because underneath, the integration is built on top of interactive line mode, which is only offered for linux environments. Apologies @jandewitte, I see that you were trying to target a windows server installation. I got my wires crossed with the different user issues that were reported above.

Would the remote IOM option work for you? See the capabilities matrix and capabilities by connection type here.

[jandewitte]

Thanks @smorrisj for confirming. If remote IOM works for creating a connection from the SAS VS Code Extension installed on a Windows PC to the SAS 9.4 executable sitting on a Windows servers, than this is indeed the only available option for us. The disadvantage of this approach is that we then need to install the SAS Integration Technologies Client on the PC of every user that want to use the SAS Extension in VS Code and connect to SAS 9.4 for running programs. This obviously creates some system management overhead. Is this the correct picture?

[jandewitte]

I installed the SAS IT client on my Windows machine and created an IOM connection profile. This setup works as expected. We can close this issue. Thanks for your help.

[smorrisj]

@jandewitte glad you were able to get the ITC method to work. I'm going to close this out. Subsequent issues can be addressed on separate github issues.