
No longer works with Pageant 0.75

Open Ordinant opened this issue 4 years ago • 9 comments

Describe the bug
Install and use PuTTY 0.75. The included Pageant version no longer works with wsl2-ssh-pageant.

To Reproduce
Steps to reproduce the behavior:

  1. Download and install PuTTY 0.75. Set up Pageant to start at Windows login time with valid, known-working SSH keys that your GitHub account also has.
  2. Configure your login shell to use wsl2-ssh-pageant for Bash as described in its README.
  3. In a WSL2 Bash shell, run ssh -T [email protected]
  4. Note with sadness the failure to validate.

Expected behavior
  5. Switch back to Pageant 0.74.
  6. The same command under the same conditions validates just fine.

Desktop

  • OS: Windows 10 version 21H1, build 19043.1052
  • WSL2 configured with Ubuntu 20.04 LTS with the latest updates

Additional context
Pageant 0.75 has new features that allow reading encrypted keys without decrypting them. I did not use this feature to load my key into Pageant, but the changes to allow this feature are a likely suspect for the cause of the failure reported here.

Ordinant, Jun 30 '21 18:06

Confirmed. Same configuration, same problem.

thomasfrobieter, Jul 01 '21 17:07

I dug into the source code of PuTTY and IMHO the changes to support named pipes are the underlying issue, maybe combined with deferred decryption. The very interesting part is that PuTTY/Pageant has started implementing a real IPC based on named pipes. That would remove the need to use WM_COPY-based communication to a window handle.

IMO the right path to take is investigating the documentation of the new IPC and rewriting that part of wsl2-ssh-pageant to leverage the new way. If someone is willing to help/work on this, go ahead. As for myself, I'm not able to say when I could work on this. To be humble, my workflow is still working (GPG with YubiKey) and therefore it's not the highest priority for me. Maybe I'll find some time in the coming weeks to have a more concrete look into it.

https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=98538caa39d20f3efe8de307fa5169e9fb0787d2
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/pageant-named-pipe.html

tobiaskohlbau, Jul 02 '21 06:07

I've got good news for you. You could get it working by using the winssh mode I added a while back. It works exactly the same.

  1. Identify the named pipe by (get-childitem \\.\pipe\).FullName.
  2. Modify the startup script within WSL2, e.g. for fish:

    set -x SSH_AUTH_SOCK "$HOME/.ssh/agent.sock"
    if not ss -a | grep -q "$SSH_AUTH_SOCK";
      rm -f "$SSH_AUTH_SOCK"
      set wsl2_ssh_pageant_bin "$HOME/.ssh/wsl2-ssh-pageant.exe"
      if test -x "$wsl2_ssh_pageant_bin";
        setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin --ssh \\\\\\\\\\\\\\\\.\\\\\\\\pipe\\\\\\\\pageant.tobia.3bb4c2257c77e8cebbce0d301586be8a2be2bba26859168d43e7d38ad8166794" >/dev/null 2>&1 &
      else
        echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."
      end
      set --erase wsl2_ssh_pageant_bin
    end

  3. Restart WSL with wsl --shutdown.
  4. Check the connection via ssh-add -L.

That many backslashes are really needed, as the argument is passed through many programs which each escape it on their own.

tobiaskohlbau, Jul 18 '21 14:07

I'll give that a try today. Is there a missing step 3, or just a numbering issue?

Thanks!

Ordinant, Jul 18 '21 15:07

> I'll give that a try today. Is there a missing step 3, or just a numbering issue?
>
> Thanks!

Oh sorry, just me unable to enumerate things properly. Just updated the comment.

tobiaskohlbau, Jul 19 '21 07:07

> I've got good news for you. You could get it working by using the winssh mode I added a while back. It works exactly the same.

Fun fact: While this tool worked for me with both PuTTY 0.75 & 0.76, I had problems with tools making many requests against the agent (e.g. ansible), which switching to the named pipe also fixed...

Suggestion: Maybe prepend \\.\pipe\ automatically if the path after --ssh doesn't contain any backslashes, that way excessive escaping can be avoided in most cases...

TobiX, Jul 21 '21 13:07

@tobiaskohlbau wrote:

I've got good news for you. You could get it working by using the winssh mode I added a while back. It works exactly the same. ...

...
    setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin --ssh \\\\\\\\\\\\\\\\.\\\\\\\\pipe\\\\\\\\pageant.tobia.3bb4c2257c77e8cebbce0d301586be8a2be2bba26859168d43e7d38ad8166794" >/dev/null 2>&1 &

... That many backslashes are really needed as it is passed through many programs which escape each on their own.

Actually, you can use forward slashes, so it can be simplified to

    setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin --ssh //./pipe/pageant.tobia.3bb4c2257c77e8cebbce0d301586be8a2be2bba26859168d43e7d38ad8166794" >/dev/null 2>&1 &

ophers, Oct 24 '21 21:10

@ophers thanks for the contribution, didn't know that :)

tobiaskohlbau, Oct 26 '21 12:10

I'm currently using this snippet in my zsh config to automate the connection with my PuTTY agent: https://github.com/TobiX/dotfiles/blob/e22c877bdf5051d78370d18e95dbed88f8820ee6/zsh/rc.ssh#L22-L24

The "random" string in the pipe name seems to be generated by the PuTTY agent using some WinCrypto routines... Would be nice if this could be integrated, but I don't know how to find the "current" name of the pipe using Go...

TobiX, Oct 28 '21 09:10
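The pieces discussed in this thread (locating the Pageant pipe with Get-ChildItem, the forward-slash `//./pipe/...` form ophers pointed out, TobiX's suggestion of prepending the prefix when only a bare name is given, and the socat relay from tobiaskohlbau's fish snippet) fit together as one shell script. The following is an added example written for this page, not code from the wsl2-ssh-pageant project or from any participant; it assumes `powershell.exe`, `socat`, `ss` and `ssh-add` are on the PATH inside WSL2, and the default location of the binary under `~/.ssh/` is an assumption taken from the snippet above. The pipe discovery and path normalisation are kept in separate functions so they can be exercised with a constructed listing, without a Windows host.

```bash
#!/usr/bin/env bash
# Added example for this thread (not part of wsl2-ssh-pageant): find the
# current Pageant named pipe from inside WSL2, normalise it to the
# //./pipe/<name> form and start the socat relay with a private socket.
# Assumed defaults; override via the environment if your layout differs.
WSL2_SSH_PAGEANT_BIN="${WSL2_SSH_PAGEANT_BIN:-$HOME/.ssh/wsl2-ssh-pageant.exe}"
SSH_AUTH_SOCK="${SSH_AUTH_SOCK:-$HOME/.ssh/agent.sock}"

# Read a listing of \\.\pipe\ on stdin (one entry per line, as Get-ChildItem
# prints it, CRLF line endings included) and print the first Pageant pipe.
# Exit status 1 when the listing contains no pageant.* entry.
pick_pageant_pipe() {
  tr -d '\r' | awk '/pageant\./ { print; found = 1; exit } END { if (!found) exit 1 }'
}

# Accept a bare pipe name, a Windows path with backslashes, or an already
# normalised path, and print the //./pipe/<name> form that --ssh accepts.
# Forward slashes avoid the multi-layer backslash escaping entirely.
to_pipe_arg() {
  p=$(printf '%s' "$1" | tr '\\' '/')
  case "$p" in
    //./pipe/?*) ;;                                      # already normalised
    */*) printf >&2 'unexpected pipe path: %s\n' "$1"; return 1 ;;
    ?*)  p="//./pipe/$p" ;;                              # bare name: add prefix
    *)   printf >&2 'empty pipe name\n'; return 1 ;;
  esac
  printf '%s\n' "$p"
}

# The only step that needs a real Windows host: ask PowerShell for the pipe
# listing and pick the Pageant entry out of it.
discover_pageant_pipe() {
  powershell.exe -NoProfile -Command '(Get-ChildItem \\.\pipe\).Name' | pick_pageant_pipe
}

# Start the relay unless something already serves the socket. umask 077 keeps
# the socket file 0600: whoever can connect to it can sign with every key
# loaded in Pageant, so it must not be group- or world-accessible.
start_agent_relay() {
  pipe_arg="$1"
  if ss -a | grep -q "$SSH_AUTH_SOCK"; then
    return 0
  fi
  if [ ! -x "$WSL2_SSH_PAGEANT_BIN" ]; then
    echo >&2 "WARNING: $WSL2_SSH_PAGEANT_BIN is not executable."
    return 1
  fi
  rm -f "$SSH_AUTH_SOCK"
  ( umask 077
    setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" \
      EXEC:"$WSL2_SSH_PAGEANT_BIN --ssh $pipe_arg" >/dev/null 2>&1 & )
}

# Glue: discover, normalise, relay, then list the keys to confirm the path works.
setup_pageant_agent() {
  name=$(discover_pageant_pipe) || {
    echo >&2 "Pageant named pipe not found; is Pageant 0.75 or newer running?"
    return 1
  }
  pipe_arg=$(to_pipe_arg "$name") || return 1
  start_agent_relay "$pipe_arg" || return 1
  export SSH_AUTH_SOCK
  ssh-add -L
}

# Usage: source this file from your shell startup, then run: setup_pageant_agent
```

Sourcing the file rather than executing it keeps `SSH_AUTH_SOCK` exported in the interactive shell. The `ss -a | grep` check is the same liveness test the fish snippet uses; if it ever reports a stale socket, `rm -f` before the next start clears it.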