Unable to use agent with OpenSSH on Windows 10

[youk]

Authentication doesn't work for me when using OpenSSH. The running nCryptAgent seems to be ignored. Nothing in nCryptAgent.log. Works with PuTTY though.

Is there any way to debug this?

config.json:

"namedpipe": true

Windows 10 22H2 OpenSSH_for_Windows_9.2p1

[unreality]

Have you made sure the OpenSSH Authentication Agent in Services is stopped and relaunched nCryptAgent? I cannot remember whether an error is thrown if the named pipe already exists, so it may be failing silently if thats the case,,

[youk]

It's stopped, yes. Otherwise there's an error message in the log:

Error result from listener Run(): open \\.\pipe\openssh-ssh-agent: Access is denied.

[AbsoluteWisp]

Wanted to pop in to get notifications on this. Same story here:

• Standard OpenSSH Agent was stopped before starting nCryptAgent

  PowerShell 7.3.6
  PS C:\Users\Ghostling> sc query ssh-agent
  
  SERVICE_NAME: ssh-agent
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
  PS C:\Users\Ghostling>

• nCryptAgent is running (tried normally and as administrator) with a key (namegoeshere) available.
• Log only says regular startup stuff. Notably, the named pipe listener (for OpenSSH) seems to have started correctly:

  2023/08/11 11:16:00 Loading key namegoeshere
  2023/08/11 11:16:00 Starting listener *listeners.NamedPipe
  2023/08/11 11:16:00 Got length 2048
  2023/08/11 11:16:00 Saving public key to C:\Users\Ghostling\AppData\Roaming\nCryptAgent\PublicKeys\29247bf882f7e4ccf2e342ccdb85ba89.pub

• To test if the agent works, I decided to try authenticating to GitHub. I cleared out all key files from ~/.ssh to avoid unwanted interference. The only thing in my SSH config is changing the User to git because that's what GitHub uses. I added the public key generated by nCryptAgent to my GitHub account, so if the agent works properly, I should be able to see the welcome message. Ran ssh -v to show verbose details - the client tries all the common key files (that aren't there) and fails, without using the agent.

  PowerShell 7.3.6
  PS C:\Users\Ghostling> ssh -v github.com
  OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
  debug1: Reading configuration data C:\\Users\\Ghostling/.ssh/config
  debug1: C:\\Users\\Ghostling/.ssh/config line 1: Applying options for github.com
  debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
  debug1: Connecting to github.com [140.82.121.4] port 22.
  debug1: Connection established.
  debug1: identity file C:\\Users\\Ghostling/.ssh/id_rsa type -1
  debug1: identity file C:\\Users\\Ghostling/.ssh/id_rsa-cert type -1
  debug1: identity file C:\\Users\\Ghostling/.ssh/id_dsa type -1
  debug1: identity file C:\\Users\\Ghostling/.ssh/id_dsa-cert type -1
  debug1: identity file C:\\Users\\Ghostling/.ssh/id_ecdsa type -1
  debug1: identity file C:\\Users\\Ghostling/.ssh/id_ecdsa-cert type -1
  debug1: identity file C:\\Users\\Ghostling/.ssh/id_ecdsa_sk type -1
  debug1: identity file C:\\Users\\Ghostling/.ssh/id_ecdsa_sk-cert type -1
  debug1: identity file C:\\Users\\Ghostling/.ssh/id_ed25519 type -1
  debug1: identity file C:\\Users\\Ghostling/.ssh/id_ed25519-cert type -1
  debug1: identity file C:\\Users\\Ghostling/.ssh/id_ed25519_sk type -1
  debug1: identity file C:\\Users\\Ghostling/.ssh/id_ed25519_sk-cert type -1
  debug1: identity file C:\\Users\\Ghostling/.ssh/id_xmss type -1
  debug1: identity file C:\\Users\\Ghostling/.ssh/id_xmss-cert type -1
  debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.6
  debug1: Remote protocol version 2.0, remote software version babeld-d815c248
  debug1: compat_banner: no match: babeld-d815c248
  debug1: Authenticating to github.com:22 as 'git'
  debug1: load_hostkeys: fopen C:\\Users\\Ghostling/.ssh/known_hosts2: No such file or directory
  debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
  debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: algorithm: curve25519-sha256
  debug1: kex: host key algorithm: ssh-ed25519
  debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
  debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
  debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
  debug1: SSH2_MSG_KEX_ECDH_REPLY received
  debug1: Server host key: ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
  debug1: load_hostkeys: fopen C:\\Users\\Ghostling/.ssh/known_hosts2: No such file or directory
  debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
  debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
  debug1: Host 'github.com' is known and matches the ED25519 host key.
  debug1: Found key in C:\\Users\\Ghostling/.ssh/known_hosts:1
  debug1: rekey out after 134217728 blocks
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: SSH2_MSG_NEWKEYS received
  debug1: rekey in after 134217728 blocks
  debug1: pubkey_prepare: ssh_get_authentication_socket: Permission denied
  debug1: Will attempt key: C:\\Users\\Ghostling/.ssh/id_rsa
  debug1: Will attempt key: C:\\Users\\Ghostling/.ssh/id_dsa
  debug1: Will attempt key: C:\\Users\\Ghostling/.ssh/id_ecdsa
  debug1: Will attempt key: C:\\Users\\Ghostling/.ssh/id_ecdsa_sk
  debug1: Will attempt key: C:\\Users\\Ghostling/.ssh/id_ed25519
  debug1: Will attempt key: C:\\Users\\Ghostling/.ssh/id_ed25519_sk
  debug1: Will attempt key: C:\\Users\\Ghostling/.ssh/id_xmss
  debug1: SSH2_MSG_EXT_INFO received
  debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue: publickey
  debug1: Next authentication method: publickey
  debug1: Trying private key: C:\\Users\\Ghostling/.ssh/id_rsa
  debug1: Trying private key: C:\\Users\\Ghostling/.ssh/id_dsa
  debug1: Trying private key: C:\\Users\\Ghostling/.ssh/id_ecdsa
  debug1: Trying private key: C:\\Users\\Ghostling/.ssh/id_ecdsa_sk
  debug1: Trying private key: C:\\Users\\Ghostling/.ssh/id_ed25519
  debug1: Trying private key: C:\\Users\\Ghostling/.ssh/id_ed25519_sk
  debug1: Trying private key: C:\\Users\\Ghostling/.ssh/id_xmss
  debug1: No more authentication methods to try.
  git@github.com: Permission denied (publickey).
  PS C:\Users\Ghostling>

Edit: Forgot to mention, just like OP, PuTTY works for me

[unreality]

When you run ssh-add -l does it give a connection error, or an empty list?

[youk]

On my system, the fingerprint of the key added to nCryptAgent is shown.

[unreality]

If ssh-add is listing the nCryptAgent keys, im unsure why SSH itself is failing to enumerate and try them for authentication. Perhaps try connecting again with ssh -vvvv to get up to debug3 level and see if there are any hints?

[AbsoluteWisp]

I did some testing on my own (now that I got reminded that ssh-add -l exists) and I found an unrelated issue that might also be relevant.
When I create a key (tried RSA 2048 and ECDSA 256, both act the same), everything works fine. ssh-add -l shows it, and I can authenticate with it, with both PuTTY and the OpenSSH client.
However, after a restart of the agent (RMB->Exit on the tray icon and starting it back up again) all keys show up as "Missing". The "Public Key Location" field is blank, and the "Errors" field has this message:

NCryptOpenKey for container "C:\\Users\\Adam W�jcik\\AppData\\Local\\Microsoft\\Crypto\\PCPKSP\\3e04953c8be2157363dfbee0bda261ec10c012df\\1e9f96ccaaf251743bbdf936dab8f646afe517e8.PCPKEY" returned NTE_BAD_KEYSET: The operation completed successfully.

(One of the characters in my username shows up weird as it's a diacritic. I double checked on a fully ASCII user Ghostling and the same error occured, so it's only a visual error)

In this state, the key is still listed under ssh-add -l but authentication no longer works:

PS C:\Users\Adam Wójcik> ssh-add -l
256 SHA256:lGBm/tYUm8JP3UwiDprZ29D0vuw4gyaBa7dfQfF6QWM ec (ECDSA)
PS C:\Users\Adam Wójcik> ssh github.com
sign_and_send_pubkey: signing failed for ECDSA "ec" from agent: agent refused operation
git@github.com: Permission denied (publickey).
PS C:\Users\Adam Wójcik>

Checking manually I can confirm that the problematic PCPKEY file is still there.

I am not sure what caused this behaviour to be different from the error I was encountering earlier, where the SSH client didn't acknowledge the agent at all. I am unable to replicate that original problem at all now.

[youk]

@unreality The cause turned out to be the 384-bit ECDSA key which was created in nCryptAgent. For some reason it doesn't play well with OpenSSH server on Linux. I tried nCryptAgent with ECDSA-256 and RSA-2048 keys – both work fine. I also verified that ECDSA-384 key works in the same setup without nCryptAgent (ssh-keygen -t ecdsa -b 384).

The relevant part of OpenSSH client log when using ECDSA-384 key in nCryptAgent:

debug3: ssh_get_authentication_socket_path: path '\\\\.\\pipe\\openssh-ssh-agent'
debug2: get_agent_identities: ssh_agent_bind_hostkey: agent refused operation
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: TEST ECDSA SHA256:<key_fingerprint> agent
debug1: Will attempt key: <user_profile>/.ssh/id_rsa
debug1: Will attempt key: <user_profile>/.ssh/id_ecdsa
debug1: Will attempt key: <user_profile>/.ssh/id_ecdsa_sk
debug1: Will attempt key: <user_profile>/.ssh/id_ed25519
debug1: Will attempt key: <user_profile>/.ssh/id_ed25519_sk
debug1: Will attempt key: <user_profile>/.ssh/id_xmss
debug1: Will attempt key: <user_profile>/.ssh/id_dsa
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password

[unreality]

@youk thanks for the investigation, i'll try to find some time to look into ECDSA-384 and see whats going on