
wsl2-ssh-pageant's Issues

error fetching identities: communication with agent failed

Output of ssh-add -l:
error fetching identities: communication with agent failed

I have done an rm of the sock:
rm .ssh/agent.sock
then sourced .bashrc_pagent, and the sock was not created.
Output of ssh-add -l:
Error connecting to agent: No such file or directory

export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"
# ss may still list a listener while the socket path is gone. A socket is
# never a regular file, so "! -f" was always true; -S is the right test.
# Stop the stale socat first (note: killall also stops a gpg-agent bridge).
if ss -a | grep -q "$SSH_AUTH_SOCK" && [[ ! -S "$SSH_AUTH_SOCK" ]]; then
  killall socat
fi
if ! ss -a | grep -q "$SSH_AUTH_SOCK"; then
  rm -f "$SSH_AUTH_SOCK"
  wsl2_ssh_pageant_bin="$HOME/.ssh/wsl2-ssh-pageant.exe"
  if test -x "$wsl2_ssh_pageant_bin"; then
    (setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin" >/dev/null 2>&1 &)
  else
    echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."
  fi
  unset wsl2_ssh_pageant_bin
fi

Actually, this was created back.

Does not work with latest Gpg4win version (4.0.0)

Describe the bug
Seems not to be compatible with the version 4.0.0 of Gpg4win anymore. The YubiKey is not accessible in WSL and gpg --card-status fails with no scdaemon.

After downgrading to the previous version 3.1.16 it is working again as before.

To Reproduce
Steps to reproduce the behavior:

  1. Update Gpg4win to the latest version (4.0.0)
  2. In WSL Run gpg --card-status

Additional context
It seems that the version 4 of Gpg4Win does change how smart cards are accessed as stated in the release notes:

"New smartcard handling with better support for multiple smartcards."
https://gpg4win.org/version4.html

No longer works in the preview version of WSL from Microsoft Store on Windows 11

Describe the bug
I tried the new preview version of WSL from the Microsoft Store that was just released; the only thing that no longer seems to be working is wsl2-ssh-pageant.

SSH no longer authorizes me with the key in my Yubikey but asks me for my password.

Uninstalling the preview version of WSL makes it work again.

To Reproduce
Steps to reproduce the behavior:

  1. Setup wsl2-ssh-pageant
  2. Install WSL from Microsoft Store on Windows 11
  3. Try to use wsl2-ssh-pageant

Expected behavior
SSH connections should work like before.

Additional context
I reported the issue to WSL as it is the only thing that has changed, but they suggested I report it here too.

Blog post: A preview of WSL in the Microsoft Store is now available!

Improve doc with installation of `iproute` for `ss` command

When adding the snippet to .bashrc in a basic Fedora image, the ss command does not exist.
After an internet search (and confirmed using yum provides), it is provided by the iproute package, so it would be good to confirm that new users have this command available on their computer.

Note: By the way, the command ss in my environment always output,

RTNETLINK answers: Invalid argument

so I added 2&> /dev/null to the command.

Add support for GPG installed by scoop

Scoop is a command line installation manager for Windows.

If I install GPG by scoop, the home directory of GPG will be placed in %USERPROFILE%\scoop\apps\GnuPG\current\home instead of %APPDATA%\gnupg.
However, in this project the GPG home is hard-coded and cannot support the GPG installed by scoop.

We would like to manage the version of GPG using scoop, can you support it?

Not working on Windows 11, Fedora 35 and Ubuntu 20.04.3

Describe the bug

Followed all the steps, get this when running gpg --card-status after wsl --shutdown

Fedora

codebam gpg --card-status
gpg: can't connect to the gpg-agent: End of file
gpg: OpenPGP card not available: No agent running
codebam gpg --card-status
gpg: selecting card failed: Service is not running
gpg: OpenPGP card not available: Service is not running

Ubuntu

codebam gpg --card-status
gpg: can't connect to the agent: End of file
gpg: OpenPGP card not available: No agent running
codebam gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

Cards are visible outside of WSL2

To Reproduce
Steps to reproduce the behavior:

  1. Install Fedora 35 or Ubuntu 20.04.3 in WSL
  2. Install dependencies
  3. Modify .bashrc
  4. wsl --shutdown
  5. See error

Expected behavior
gpg --card-status would show cards.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: W11
  • GPG (Windows): gpg (GnuPG) 2.3.4
  • GPG (Fedora): gpg (GnuPG) 2.3.4
  • GPG (Ubuntu): gpg (GnuPG) 2.2.19

Additional context

/c/Users/myuser/AppData/Roaming/gnupg/gpg-agent.conf

enable-putty-support
enable-ssh-support

PuTTY, Gpg4Win, and Git installed with winget


Relevant .bashrc lines

export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"
if ! ss -a | grep -q "$SSH_AUTH_SOCK"; then
  rm -f "$SSH_AUTH_SOCK"
  wsl2_ssh_pageant_bin="$HOME/.ssh/wsl2-ssh-pageant.exe"
  config_path="C:\Users\swb19\AppData\Roaming\gnupg"
  if test -x "$wsl2_ssh_pageant_bin"; then
    (setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin -gpgConfigBasepath ${config_path}" >/dev/null 2>&1 &)
  else
    echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."
  fi
  unset wsl2_ssh_pageant_bin
fi

export GPG_AGENT_SOCK="$HOME/.gnupg/S.gpg-agent"
if ! ss -a | grep -q "$GPG_AGENT_SOCK"; then
  rm -rf "$GPG_AGENT_SOCK"
  wsl2_ssh_pageant_bin="$HOME/.ssh/wsl2-ssh-pageant.exe"
  config_path="C:\Users\swb19\AppData\Roaming\gnupg"
  if test -x "$wsl2_ssh_pageant_bin"; then
    (setsid nohup socat UNIX-LISTEN:"$GPG_AGENT_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin -gpgConfigBasepath ${config_path} -gpg S.gpg-agent" >/dev/null 2>&1 &)
  else
    echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."
  fi
  unset wsl2_ssh_pageant_bin
fi

If I start wsl2-ssh-pageant.exe manually with

./.ssh/wsl2-ssh-pageant.exe -gpgConfigBasepath "C:\Users\swb19\AppData\Roaming\gnupg"

It makes my entire shell hang and I have to close the Window, however

./.ssh/wsl2-ssh-pageant.exe -h

Shows the help just fine

Stopped working Pageant query error 'WM_COPYDATA failed'

Describe the bug
The gpg side of things is working fine. However, I keep getting ssh-add -L: connection refused.

in the verbose log I am seeing this:

2021/08/22 22:31:19 Starting exe
2021/08/22 22:31:19 Reading length: 1
2021/08/22 22:31:19 Querying pageant
2021/08/22 22:31:19 Pageant query error 'WM_COPYDATA failed'
2021/08/22 22:31:19 io.ReadFull length error 'EOF'

To Reproduce
Steps to reproduce the behavior:
Unsure how. I just installed it normally and ran ssh-add -L

Expected behavior
ssh-add -L should show me my key just like the winssh one does

Desktop (please complete the following information):

  • OS: Windows 11
  • WSL2: Ubuntu Community preview with wslg enabled.

Strange behavior in both Git Bash and IDEs

Describe the bug
For some reason I'm not able to use my SSH and GPG clients in both Git Bash and my IDE (Jetbrains Idea).

I'm using wsl2-ssh-pageant as a way to fetch my GPG and SSH credentials from my Yubikey. When I use it from Linux, it works as expected. First, I start my gpg-agent with gpgconf --launch gpg-agent, then I reboot my WSL and, afterwards, I can run both gpg --card-status and ssh-add -L inside my Linux machine and it fetches my credentials.

The problem is on the Windows side. On a new Powershell I can run gpg --card-status and see the expected output, but running ssh-add -L leads to:

PS C:\Users\accou> ssh-add -L
Error connecting to agent: No such file or directory

When it should display my ssh-keys from my Yubikey (as it does in Linux):

~
❯ ssh-add -L
ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAkNoM9kXjOtO1elu47lOWTemQINo4C1585yWK8xvuvbkkrCnxCdEpg7kOyYGG5G1+mTUzHSCg5hvK11wXgQHTvAOxgNw1ZcDrcdwnXwNVKs1quek9zLqNyi9ySoem4R1w== cardno:13 380 995
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINzpr94SDBXbnKE5EHMAwAhSkhRZK2Zordf3BoINFxww cardno:13 380 995

The problem is worse when I open a Bash terminal (from Git) inside Windows. My gpg --card-status leads to:

accou@bud-0001 MINGW64 ~
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

(after a long delay)

And the ssh-add -L has the same result as it does in Powershell.

That should not be a problem (since it is working in Linux), but I would like to fetch/push from my git repositories (configured to use SSH) directly in my IDE, and I can't. Since my IDE is running in Windows, it can sign my commits (probably because Powershell can see my gpg key) but I can't use my SSH key.

Expected behavior
I would like to use my GPG and SSH keys on both sides (Linux and Windows)

RTNETLINK answers: Invalid argument

socat version 1.7.3.4 on Apr 25 2020 06:17:10
   running on Linux version #1 SMP Wed Feb 19 06:37:35 UTC 2020, release 4.19.104-microsoft-standard, machine x86_64
features:
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_UNIX 1
  #define WITH_ABSTRACT_UNIXSOCKET 1
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #define WITH_INTERFACE 1
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_LISTEN 1
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_EXEC 1
  #undef WITH_READLINE
  #define WITH_TUN 1
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #define WITH_LIBWRAP 1
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/

After updating my Pengwin install, I get two RTNETLINK messages on console start. Everything appears to function fine, just it complaining about a bad argument.

log report when trying to use with gpg card status - io.ReadFull length error 'EOF'

Describe the bug
Following the instructions from the repo I'm getting errors like below. I was trying to use a yubikey 5, but after following the steps I'm lost as to where the problem is now.

╰─ gpg --card-status
gpg: can't connect to the agent: End of file
gpg: OpenPGP card not available: No agent running

while on Win it's working fine

PS C:\Windows\system32> gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 0

Desktop (please complete the following information):

  • OS: Microsoft Windows [Version 10.0.19042.1415]
PS C:\Windows\system32> wsl -l -v
 NAME      STATE           VERSION
* Ubuntu    Running         2
╰─ ps aux | grep -i socat
lukasz      65  0.0  0.0   6968  1824 ?        SNs  14:29   0:00 socat UNIX-LISTEN:/home/lukasz/.ssh/agent.sock,fork EXEC:/home/lukasz/.ssh/wsl2-ssh-pageant.exe
lukasz      70  0.0  0.0   6968  3276 ?        SNs  14:29   0:00 socat UNIX-LISTEN:/home/lukasz/.gnupg/S.gpg-agent,fork EXEC:/home/lukasz/.ssh/wsl2-ssh-pageant.exe --gpg S.gpg-agent
lukasz     221  0.0  0.0   8160   720 pts/1    S+   14:32   0:00 grep -i socat
╰─ cat wsl2-gpg-ssh.log
2021/12/31 14:21:33 Starting exe
2021/12/31 14:22:26 io.ReadFull length error 'EOF'

Cannot open netlink socket: Protocol not supported

Describe the bug
Error showing: Cannot open netlink socket: Protocol not supported

To Reproduce
Steps to reproduce the behavior:

  1. Follow the steps and Install the pageant
  2. Turn on WSL Ubuntu
  3. See error

Screenshots
[screenshot]

Desktop (please complete the following information):

  • OS: Win10

Empty terminal window opening and closing on each connection

Describe the bug
Every time the socat fork executes a new instance of wsl2-ssh-pageant, an empty terminal window (Windows Terminal Preview, as it is my default terminal application, but it also happens when the normal conhost terminal is configured) opens for a second and then closes again. Should the PIN need to be put in, the window stays open until I have done so too. Because it opens in the foreground and steals input focus during its lifetime, this is moderately annoying. While this behaviour does not occur 100% of the time, I am unsure which circumstances lead to the window appearing and which do not.

I believe that this has started to occur after upgrading my OS to Windows 11 (in-place upgrade, not a new installation). It also seems that the problem disappears with an upgrade of my GnuPG version (on Windows) from 2.2.28 to 2.3.4, but unfortunately this upgrade seems to break some other thing regarding the YubiKey detection and Pageant connection (see e.g. #25) so I had to roll this back. As the issue was not appearing completely consistently with the old version either, it could also be that the new version is affected as well and just didn't show the behaviour during my time of experimenting with it.

I am not necessarily asserting that this is a bug with wsl2-ssh-pageant itself, it may well also be caused by my specific configuration, which is why I'm trying to provide as much information as I can below, maybe someone experiences similar issues and can see a similarity in circumstances. Also, the attached wsl2-ssh-pageant log at the bottom does contain an error, however this does not seem to impact functionality, but it might still be a possible cause?

To Reproduce

  1. Execute any command resulting in the GPG socket's usage, e.g. ssh-add -L, gpg --card-status or just any ssh <host>
  2. See a empty terminal window with wsl2-ssh-pageant's path as its title open up and close again immediately afterwards (or after PIN entry is complete)

Expected behavior
The execution of wsl2-ssh-pageant should not open up any window or cause any UI interaction.

Screenshots
[screenshot: wsl2-ssh-pageant-bug] Image of the empty Windows Terminal Preview window opening up in response to a ssh-add -L, with the executable's path set as the tab's/window's title

Desktop:

  • OS: Windows 11
  • Execution environment: Arch @ WSL2
  • Terminal: Windows Terminal Preview 1.12.3472.0
  • Software: Gpg4Win 3.1.16 & GnuPG 2.2.28

wsl2-ssh-pageant integration script

export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"
export GPG_AGENT_SOCK="$HOME/.gnupg/S.gpg-agent"
# gpgconf.exe prints "socketdir:C%3a\Users\...": strip the key, the CR/LF,
# turn backslashes into slashes and decode %3a into an escaped colon so the
# drive letter survives socat's EXEC: argument parsing.
GPG_WINDOWS_SOCKETDIR=$(gpgconf.exe --list-dirs | grep socketdir | cut -f2- -d: | tr -d '\r\n' | sed -e 's|\\|/|g' -e 's|%3a|\\:|g')
WSL2_SSH_PAGEANT_LOG_DIR="$HOME/.local/log/wsl2-ssh-pageant"
# $APPDATA is only visible inside WSL when the Windows side shares it via WSLENV.
WSL2_SSH_PAGEANT_BIN="$APPDATA/wsl2-ssh-pageant/wsl2-ssh-pageant.exe"

if test -x "$WSL2_SSH_PAGEANT_BIN"; then
  if ! ss -a | grep -q "$SSH_AUTH_SOCK"; then
    rm -f "$SSH_AUTH_SOCK"
    (setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$WSL2_SSH_PAGEANT_BIN --verbose --logfile $WSL2_SSH_PAGEANT_LOG_DIR/wsl2sp-ssh.log" > /dev/null 2>&1 &)
  fi
  if ! ss -a | grep -q "$GPG_AGENT_SOCK"; then
    rm -rf "$GPG_AGENT_SOCK"
    (setsid nohup socat UNIX-LISTEN:"$GPG_AGENT_SOCK,fork" EXEC:"$WSL2_SSH_PAGEANT_BIN --gpg S.gpg-agent --gpgConfigBasepath $GPG_WINDOWS_SOCKETDIR --verbose --logfile $WSL2_SSH_PAGEANT_LOG_DIR/wsl2sp-gpg.log" > /dev/null 2>&1 &)
  fi
else
  # The original printed the lowercase $wsl2_ssh_pageant_bin, which is never set here.
  echo >&2 "WARNING: $WSL2_SSH_PAGEANT_BIN is not executable."
fi

Running socat processes (including --gpgConfigBasepath due to #26)

❯ ps aux | grep -i socat
philipp+  4788  0.0  0.0   7528  3536 ?        Ss   22:37   0:00 socat UNIX-LISTEN:/home/philipp.holler/.ssh/agent.sock,fork EXEC:/mnt/c/Users/philipp.holler/AppData/Roaming/wsl2-ssh-pageant/wsl2-ssh-pageant.exe --verbose --logfile /home/philipp.holler/.local/log/wsl2-ssh-pageant/wsl2sp-ssh.log
philipp+  4793  0.0  0.0   7528  2196 ?        Ss   22:37   0:00 socat UNIX-LISTEN:/home/philipp.holler/.gnupg/S.gpg-agent,fork EXEC:/mnt/c/Users/philipp.holler/AppData/Roaming/wsl2-ssh-pageant/wsl2-ssh-pageant.exe --gpg S.gpg-agent --gpgConfigBasepath C\:/Users/philipp.holler/AppData/Roaming/gnupg --verbose --logfile /home/philipp.holler/.local/log/wsl2-ssh-pageant/wsl2sp-gpg.log

SSH agent socket wsl2-ssh-pagent log snippet

2021/12/28 22:55:04 Starting exe
2021/12/28 22:55:04 Reading length: 1
2021/12/28 22:55:04 Querying pageant
2021/12/28 22:55:04 io.ReadFull length error 'EOF'

Ubuntu 20.04 / WSL2: Cannot open netlink socket: Protocol not supported

Describe the bug
Multiple error lines on executing .bashrc / login:
"Cannot open netlink socket: Protocol not supported"

To Reproduce
Do what you described for performing setup.

Expected behavior
Should work.

Desktop (please complete the following information):

  • OS: Win 10
  • WSL2
  • Ubuntu 20.04

agent refused operation when running ssh-add -L

Describe the bug
After installation, when trying to run ssh-add -L in WSL, it returns error:

➜ ssh-add -L
error fetching identities: agent refused operation

To Reproduce
Steps to reproduce the behavior:

  1. Follow installation step
  2. Run ssh-add -L

Expected behavior
List of keys from my yubikey

Desktop (please complete the following information):

  • OS: Windows 10 2004

Additional context
Using gpg4win, yubikey, zsh

When running gpg --card-status in WSL, the command works fine.

Any help on debugging this is appreciated. 👍

"error fetching identities: communication with agent failed" with KeeAgent

Describe the bug

I'm trying to use this with KeeAgent, which is a plugin for KeePass2, which in turn is essentially just a pageant, like putty-pageant, except that it loads SSH keys from your password database.

To Reproduce

Steps to reproduce the behavior:

  1. Setup KeeAgent
  2. Setup wsl2-ssh-pageant
  3. Run ssh-add -L
  4. Get error

Expected behavior

wsl2-ssh-pageant being able to communicate with KeeAgent

Desktop (please complete the following information):

  • OS: Windows 10
  • WSL OS: Debian 10

Not working on Arch distro

Hi, I want to migrate my OS from Ubuntu to Arch. When I insert the Yubikey, both Windows and Ubuntu can recognize the smartcard and print the status. However, I found that the pageant is not working on Arch.

In Windows PowerShell: [screenshot]
In Ubuntu: [screenshot]
In Arch: [screenshot]

I then checked whether socat is running and found that it only runs on the first-executed WSL instance. If I run Ubuntu first, then socat won't run properly on Arch. I also tried running Arch before Ubuntu, but still had no luck. However, I noticed a different behavior between these two OSes.

When socat successfully runs on Ubuntu, only the socat-rendered gpg-agent is found in jobs: [screenshot]

When socat runs on Arch, it behaves like in Ubuntu in the beginning: [screenshot]

However, when I checked the smartcard with gpg --card-status, it took a few seconds and showed an error "can't connect to the agent: End of file".
When I ran it a second time it became "No such device": [screenshot]

Later I checked the jobs with htop again and found that the standard gpg-agent is up: [screenshot]

I suspect that should be the reason which cause the pageant failed on Arch.
Another possibility would be the fish shell since I'm using fish in Arch and bash in Ubuntu, I'll check whether the pageant can work on fish on Ubuntu or bash on Arch.

Issues communicating with agent after closing and re-opening last Terminal

On the latest Windows 11 Release Preview, the agent communication consistently breaks if I close and re-open the terminal.
ssh-add -l then fails with communication with agent failed.

The strange thing is, it works fine when I initially open the Terminal, and it freshly starts socat.
It also works great if I then open another terminal, while the other is still open.

However, if I close the Terminal, and then re-open it, communication with the agent becomes impossible with the above error.
Killing socat and opening another terminal(re-running the code in zshrc) fixes the issue momentarily, until I close all terminals again.

However again, if I close the Terminal and wait long enough for WSL2 to stop the VM after a minute or so, and then start a new Terminal, a new socat process is started and it works fine.
So this only happens if I somewhat quickly close and re-open the last open Terminal.

In that state, ps lists the socat process just fine, and it also appears in ss output.

I have adapted the snippet in my zshrc to account for that situation:

export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"
# ssh-add -l exits 0 when it lists keys, 1 when the agent answered but the
# listing failed (this also covers "The agent has no identities"), and 2 when
# it could not connect to the socket at all.
ssh-add -l >/dev/null 2>&1; SSH_RES=$?
ss -a | grep -q "$SSH_AUTH_SOCK"; SS_RES=$?
# Listener still registered but the agent does not answer: kill that socat only.
if [[ $SSH_RES == 1 && $SS_RES == 0 ]]; then
    pkill -f "$SSH_AUTH_SOCK"
    SS_RES=1
fi
if [[ $SS_RES != 0 ]]; then
    rm -f "$SSH_AUTH_SOCK"
    PAGEANT_BIN="$HOME/.ssh/wsl2-ssh-pageant.exe"
    if test -x "$PAGEANT_BIN"; then
        (setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$PAGEANT_BIN" >/dev/null 2>&1 &)
    else
        echo >&2 "WARNING: $PAGEANT_BIN is not executable."
    fi
    unset PAGEANT_BIN
fi
unset SSH_RES SS_RES

But that is merely a workaround, and not an actual fix for the issue.
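The stale-listener situation above (socat still listed by ss, but nothing answering behind the socket) is the same condition the first issue on this page worked around with an extra elif branch, and the assorted errors reported across these issues ("Error connecting to agent", "communication with agent failed", "agent refused operation", "The agent has no identities") each correspond to a different failure point in the WSL-to-Pageant bridge. The script below is an added example, not code from wsl2-ssh-pageant or from any of the posters: it probes the socket with an actual ssh-add request and classifies the outcome by exit status and message instead of grepping ss, then restarts socat only when the bridge is really missing or broken. The socket and binary paths are the ones used in the posts; the function names and the WSL2_PAGEANT_AUTOSTART variable are this example's own.

```shell
#!/usr/bin/env bash
# Added example: probe-based health check for the socat/wsl2-ssh-pageant bridge.
# Not part of wsl2-ssh-pageant. Paths follow the README snippet on this page.

PAGEANT_BIN="${PAGEANT_BIN:-$HOME/.ssh/wsl2-ssh-pageant.exe}"
SSH_AUTH_SOCK="${SSH_AUTH_SOCK:-$HOME/.ssh/agent.sock}"
export SSH_AUTH_SOCK

# classify_probe RC OUTPUT
# Map the exit status and combined stdout/stderr of `ssh-add -l` to one word.
# OpenSSH's ssh-add exits 0 when it listed keys, 1 when the agent was reached
# but listing failed (including "The agent has no identities"), and 2 when it
# could not connect to $SSH_AUTH_SOCK at all.
classify_probe() {
  rc=$1; out=$2
  case $rc in
    0) echo ok ;;
    1) case $out in
         *"no identities"*)           echo empty ;;    # bridge works; no key loaded / card absent
         *"agent refused operation"*) echo refused ;;  # Windows agent answered with a failure
         *)                           echo broken ;;   # socket accepted, no usable reply
       esac ;;
    *) echo unreachable ;;                             # no listener behind the socket path
  esac
}

# agent_state SOCKET_PATH
# "missing" when there is no socket at the path; otherwise the probe result.
agent_state() {
  sock=$1
  [ -S "$sock" ] || { echo missing; return 0; }
  out=$(SSH_AUTH_SOCK=$sock ssh-add -l 2>&1); rc=$?
  classify_probe "$rc" "$out"
}

# ensure_bridge
# (Re)start the socat listener only when the probe says it is needed. A stale
# socat is killed by its socket path so a gpg-agent bridge is left alone.
ensure_bridge() {
  case $(agent_state "$SSH_AUTH_SOCK") in
    ok|empty|refused) return 0 ;;   # the listener answers; nothing to do
  esac
  pkill -f "UNIX-LISTEN:$SSH_AUTH_SOCK" 2>/dev/null
  rm -f "$SSH_AUTH_SOCK"
  if [ ! -x "$PAGEANT_BIN" ]; then
    echo >&2 "WARNING: $PAGEANT_BIN is not executable."
    return 1
  fi
  (setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$PAGEANT_BIN" >/dev/null 2>&1 &)
}

# Only act when explicitly asked to, so the file can also be sourced for the
# functions alone (e.g. to run `agent_state "$SSH_AUTH_SOCK"` by hand).
if [ -n "${WSL2_PAGEANT_AUTOSTART:-}" ]; then
  ensure_bridge
fi
```

Sourcing this from .bashrc or .zshrc with WSL2_PAGEANT_AUTOSTART=1 replaces the ss/grep check; run `agent_state "$SSH_AUTH_SOCK"` on its own to turn whichever ssh-add error you are seeing into one of missing, unreachable, broken, refused, empty or ok, which tells you whether the problem is the socket file, the socat listener, the .exe, or the Windows-side agent.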

GPG yubikey socket not working

SSH seems to be working, and accessing my Yubikey was working previously, but WSL2 (on two different systems) no longer is able to talk to my Yubikey.

socat is running, but the result of gpg --card-status is:

gpg: error getting version from 'scdaemon': No SmartCard daemon
gpg: OpenPGP card not available: No SmartCard daemon

Wsl2 / Windows 11 Extremely slow agent communication times

So I've been using this for a long time on windows 10 and have had absolutely no issues, well done for a really awesome piece of software.

However, since upgrading my laptop to Windows 11 and reinstalling WSL2 (with WSLg, if that makes a difference) the communication to the agent is EXTREMELY slow. From typing ssh at the command line to actually getting the gpg pincode prompt (/touch to auth flash on my yubikey) is taking over 20s, and ssh-add -L is also taking a similar amount of time.

Performing the same operation from windows connecting to the gpg agent and I get the prompt instantly from both putty and winssh, implying this is an issue with the WSL2 connection somewhere.

Any ideas?

Suggestion for README installation notes

I have a suggestion, make the installation snippet in README like this:

sudo apt-get install socat
cd ~/.ssh/
wget https://github.com/BlackReloaded/wsl2-ssh-pageant/releases/latest/download/wsl2-ssh-pageant.exe
chmod +x wsl2-ssh-pageant.exe

(Notice that URL link is to latest release)

The exact lines do not matter, but the grand idea is: it would allow copy-pasting the whole thing and running it in one swoop.

Thanks, great utility.

Agent suddenly stopped working - agent refused operation

I've been using this tool for a couple of months. My setup is the following:

  • Windows 11
  • Fedora 35 (WSL 2)

My SSH private key is inside my Yubikey 5 NFC. I've properly configured it to enable using it as my SSH credential. As I've said, I've been using it for some months, and a couple of days ago SSH stopped working. Here is the log:

OpenSSH_8.7p1, OpenSSL 1.1.1o  FIPS 3 May 2022
debug1: Reading configuration data /home/delucca/.ssh/config
debug1: /home/delucca/.ssh/config line 1: Applying options for github.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host github.com originally github.com
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/delucca/.ssh/config
debug1: /home/delucca/.ssh/config line 1: Applying options for github.com
debug2: add_identity_file: ignoring duplicate key ~/.ssh/id_yubikey.pub
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host github.com originally github.com
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/delucca/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/delucca/.ssh/known_hosts2'
debug2: resolving "github.com" port 22
debug3: ssh_connect_direct: entering
debug1: Connecting to github.com [20.201.28.151] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /home/delucca/.ssh/id_yubikey.pub type 2
debug1: identity file /home/delucca/.ssh/id_yubikey.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 2.0, remote software version babeld-fc5e4bc0
debug1: compat_banner: no match: babeld-fc5e4bc0
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to github.com:22 as 'git'
debug3: record_hostkey: found key type ED25519 in file /home/delucca/.ssh/known_hosts:1
debug3: record_hostkey: found key type RSA in file /home/delucca/.ssh/known_hosts:2
debug3: record_hostkey: found key type ECDSA in file /home/delucca/.ssh/known_hosts:3
debug3: load_hostkeys_file: loaded 3 keys from github.com
debug1: load_hostkeys: fopen /home/delucca/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type [email protected], using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
debug2: ciphers stoc: [email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
debug2: MACs ctos: [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
debug2: MACs stoc: [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
debug3: record_hostkey: found key type ED25519 in file /home/delucca/.ssh/known_hosts:1
debug3: record_hostkey: found key type RSA in file /home/delucca/.ssh/known_hosts:2
debug3: record_hostkey: found key type ECDSA in file /home/delucca/.ssh/known_hosts:3
debug3: load_hostkeys_file: loaded 3 keys from github.com
debug1: load_hostkeys: fopen /home/delucca/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in /home/delucca/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/delucca/.ssh/id_yubikey.pub ECDSA SHA256:ZGpNW4kxP4mKM5j6HjblwgKD9nqnc4NzecB/6qQqEH8 explicit agent
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/delucca/.ssh/id_yubikey.pub ECDSA SHA256:ZGpNW4kxP4mKM5j6HjblwgKD9nqnc4NzecB/6qQqEH8 explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/delucca/.ssh/id_yubikey.pub ECDSA SHA256:ZGpNW4kxP4mKM5j6HjblwgKD9nqnc4NzecB/6qQqEH8 explicit agent
debug3: sign_and_send_pubkey: ECDSA SHA256:ZGpNW4kxP4mKM5j6HjblwgKD9nqnc4NzecB/6qQqEH8
debug3: sign_and_send_pubkey: signing using ecdsa-sha2-nistp384 SHA256:ZGpNW4kxP4mKM5j6HjblwgKD9nqnc4NzecB/6qQqEH8
sign_and_send_pubkey: signing failed for ECDSA "/home/delucca/.ssh/id_yubikey.pub" from agent: agent refused operation
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).

I've already tried to change my pinentry program, but the issue persisted.

What should I do?

new wsl2-ssh-pageant.exe instance is created for every gpg communication

Describe the bug
This is how I start the process in WSL 2:

setsid socat UNIX-LISTEN:$GPG_AGENT_SOCK,fork EXEC:"$HOME/.ssh/wsl2-ssh-pageant.exe --verbose --gpgConfigBasepath 'C:/Users/user-name/AppData/Local/gnupg' --gpg S.gpg-agent" >/dev/null 2>&1 &

To Reproduce
Steps to reproduce the behavior:

  1. Start a WSL 2 terminal
  2. Start the socat process like above
  3. Repeat gpg --card-status 3 times
  4. Check the wsl2-ssh-pageant.exe process in Windows Task Manager

Expected behavior

No wsl2-ssh-pageant.exe process should be found in the Task Manager

Screenshots
image

Desktop (please complete the following information):

  • OS: Windows 11
  • Browser [e.g. chrome, safari]
  • Version [e.g. 22]

Additional context

  • Gpg4win v4.0.0
  • wsl2-ssh-pageant v1.4.0

Hide console output on launch

When launching as per the README every first time starting up the WSL machine the following is displayed:

[2] 39
[2]  + 39 done       setsid nohup socat UNIX-LISTEN:$SSH_AUTH_SOCK,fork  > /dev/null 2>&1
[2] 44
[2]  + 44 done       setsid nohup socat UNIX-LISTEN:$GPG_AGENT_SOCK,fork  > /dev/null 2>&1

Would it be possible to suppress this output? I have tried with no luck.
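An added example covering the start-up step that the two issues above share (the socat launch in the "new instance for every gpg communication" report and the job-control noise in "Hide console output on launch"). This is the editor's code, not part of wsl2-ssh-pageant or of either issue: a POSIX sh function that checks whether the socket is already being served before relaunching, removes a stale socket file, launches the forwarder detached inside a subshell so an interactive shell prints no `[n] pid` / `done` job notices, and sets a restrictive umask so the socket that `bind(2)` creates is not reachable by other local users. `start_bridge` and `bridge_is_live` are names chosen here; `sleep 1` stands in for the real `socat ... EXEC:wsl2-ssh-pageant.exe` command so the function runs without Windows or socat.

```sh
#!/bin/sh
# Added example: quiet, idempotent start of an agent-forwarding bridge.
# Names (start_bridge, bridge_is_live) are chosen for this example; the
# project's README snippet uses an inline if/elif in .bashrc instead.

# bridge_is_live SOCK
# A socket path can survive on disk after the process behind it is gone
# (e.g. after a WSL restart), so "file exists" is not "someone is listening".
# ss(8) reports only sockets the kernel currently knows about.
bridge_is_live() {
    if command -v ss >/dev/null 2>&1; then
        ss -xl 2>/dev/null | grep -qF -- "$1"
    else
        [ -S "$1" ]        # best effort when ss is unavailable
    fi
}

# start_bridge SOCK CMD [ARGS...]
# Returns 0 when CMD was launched, 1 when SOCK is already being served,
# 2 on bad arguments. Prints nothing in any case.
start_bridge() {
    sock=$1
    [ -n "$sock" ] && [ $# -ge 2 ] || return 2
    shift

    if [ -S "$sock" ] && bridge_is_live "$sock"; then
        return 1
    fi
    rm -f "$sock"          # a stale socket file would make bind(2) fail

    # The launch runs in a subshell: the background job belongs to the
    # subshell, so an interactive parent shell never prints "[2] 39" or
    # "[2] + 39 done". umask 077: the socket inode is created by bind(2)
    # and honours umask, which keeps other local users from reaching the
    # agent (and the keys behind it) through this socket.
    (
        umask 077
        if command -v setsid >/dev/null 2>&1; then
            setsid nohup "$@" >/dev/null 2>&1 &
        else
            nohup "$@" >/dev/null 2>&1 &
        fi
    )
    return 0
}

# Stand-alone demonstration: `sleep 1` stands in for the real
# socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$HOME/.ssh/wsl2-ssh-pageant.exe"
demo_sock=$(mktemp -d)/agent.sock
: > "$demo_sock"                           # simulate a stale socket file
start_bridge "$demo_sock" sleep 1 && echo "launched; stale socket file removed"
```

In a `.bashrc` the call would be `start_bridge "$SSH_AUTH_SOCK" socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$HOME/.ssh/wsl2-ssh-pageant.exe"` (same shape for `$GPG_AGENT_SOCK` with the `--gpg` flags shown in the issue above). Because the launch happens inside `( ... )`, the login shell never owns the job and therefore has nothing to report when it finishes.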

No longer works with Pageant 0.75

Describe the bug
Install and use Putty 0.75, The included Pageant version no longer works with wsl2-ssh-pageant.

To Reproduce
Steps to reproduce the behavior:

  1. Download and install Putty 0.75. Set up Pageant to start at Windows login time with valid, known-working SSH keys that your GitHub account also has.
  2. Configure your login shell to use wsl2-ssh-pageant for Bash as described in its README.
  3. In a WSL2 Bash shell, run ssh -T [email protected]
  4. Note with sadness the failure to validate.

Expected behavior
5. Switch back to Pageant 0.74
6. The same command under the same conditions validates just fine.

Desktop

  • OS: Windows 10 version 21H1, build 19043.1052
  • WSL2 configured with Ubuntu 20.04 LTS with the latest updates

Additional context
Pageant 0.75 has new features that allow reading encrypted keys without decrypting them. I did not use this feature to load my key into Pageant, but the changes to allow this feature are a likely suspect for the cause of the failure reported here.
