Win32-OpenSSH
Agent Forwarding Windows client to Windows host not working?
Originally posted here: https://github.com/PowerShell/openssh-portable/issues/540, but was asked to open an issue here.
"OpenSSH for Windows" version: 8.1.0.1
Server OperatingSystem: Windows 10 Enterprise
Client OperatingSystem: Windows 10 Pro
What is failing: Unable to forward ssh keys through agent forwarding from Windows client -> Windows server
Is agent forwarding supported when connecting from a Windows client to a Windows host machine?
I tried all of the things below, but had no luck and stumbled across this comment https://github.com/PowerShell/Win32-OpenSSH/issues/1136#issuecomment-500549297 which says "Agent forwarding is not supported on the server yet, but you should be able to use the client to forward agent to a non-Windows target."
Was following these instructions from GitHub: https://docs.github.com/en/developers/overview/using-ssh-agent-forwarding
- used keygen to generate public/private keys and added public to github.com
- ssh-add "location of private key". Can see them on client machine through ssh-add -l
- Test using agent
```
PS C:\Users\monil> ssh -T git@github.com
Hi monil-patel! You've successfully authenticated, but GitHub does not provide shell access.
```
- Specified ForwardAgent in the ssh config
```
Host my-pc
    HostName host...
    User username
    IdentityFile C:\Users\user\.ssh\id_rsa
    ForwardAgent yes
```
- ssh to my-pc, and run ssh -T git@github.com again
Expected output
```
# ssh session
PS C:\Users\monil> ssh -T git@github.com
Hi monil-patel! You've successfully authenticated, but GitHub does not provide shell access.
```
Actual output
```
# ssh session
git@github.com: Permission denied (publickey).
```
Can't list any keys under the ssh session
```
# ssh session
C:\Users\monil>ssh-add -l
Error connecting to agent: No such file or directory
```
Dear @bagajjal , could you please consider elevating the priority of this issue? We all know Windows is not about security, but using private keys instead of passwords is so much of a common practice nowadays, that all Microsoft's efforts on OpenSSH become useless without this feature.
Been trying to use a windows jump for ssh jump but no bueno.. ssh works fine for the initial linux->windowsjump connection, but not able to forward agent for authentication with the next linux server. (chain looks like this: linux->windows->linux)
Having a working openssh server in windows would solve a lot of issues for me as we already have windows jump hosts established for reaching other segments of the network.
Have the same issue trying to go Windows 10 -> Windows Server 2022 -> git clone from GitLab instance, forwarding seems to be broken.
It appears the issue is that the OpenSSH server hasn't been modified to set up a Windows pipe instead of a unix socket. Seeing these error messages in the sshd service log when agent forwarding is attempted:
```
6536 2023-02-23 21:31:57.977 debug1: session_input_channel_req: session 0 req auth-agent-req@openssh.com
6536 2023-02-23 21:31:57.977 Unix domain server sockets are not supported
6536 2023-02-23 21:31:57.977 error: unix_listener: cannot bind to path /tmp/ssh-xiQjI8Be4b/agent.5160: Operation not supported
```
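Added example, not part of the thread or of the Win32-OpenSSH project: a small scanner that finds sessions in an sshd log where the agent-forwarding listener could not be created, which is the failure shown in the log excerpt above. It assumes the `<pid> <date> <time> <message>` line layout seen in that excerpt; the function name and the sample lines are constructed for illustration.

```python
import re

# Assumed line layout, taken from the excerpt: "<pid> <date> <time> <message>"
LINE_RE = re.compile(
    r"^(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(.*)$")
# Channel request a client sends when agent forwarding is enabled
AGENT_REQ = "req auth-agent-req@openssh.com"
# Server-side failure to create the forwarded-agent listener
BIND_FAIL = re.compile(r"unix_listener: cannot bind to path (\S+): (.+)$")


def find_failed_agent_forwarding(lines):
    """Return one record per failed agent-forwarding listener bind.

    The request line is only logged at debug1, so requested_at is None
    when the log was written at a lower LogLevel.
    """
    requested = {}  # sshd pid -> timestamp of the agent request
    failures = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not in the assumed layout
        pid, ts, msg = m.groups()
        if AGENT_REQ in msg:
            requested[pid] = ts
            continue
        bind = BIND_FAIL.search(msg)
        if bind:
            failures.append({
                "pid": pid,
                "requested_at": requested.pop(pid, None),
                "failed_at": ts,
                "path": bind.group(1),
                "reason": bind.group(2),
            })
    return failures


# Constructed sample: modelled on the excerpt above plus one unrelated session
SAMPLE_LOG = """\
6536 2023-02-23 21:31:57.977 debug1: session_input_channel_req: session 0 req auth-agent-req@openssh.com
6536 2023-02-23 21:31:57.977 Unix domain server sockets are not supported
6536 2023-02-23 21:31:57.977 error: unix_listener: cannot bind to path /tmp/ssh-xiQjI8Be4b/agent.5160: Operation not supported
7012 2023-02-23 21:40:02.101 debug1: session_input_channel_req: session 0 req shell
""".splitlines()

if __name__ == "__main__":
    for hit in find_failed_agent_forwarding(SAMPLE_LOG):
        print(hit)
```

A hit means the server never created an agent endpoint for that session, which matches the `ssh-add -l` error reported inside the session.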
Hi together, I have the same issue from Windows 11 (OpenSSH_for_Windows_8.6p1) -> Windows Server 2022 (OpenSSH_for_Windows_8.1p1) -> git clone from a GitLab instance
The bug also affects the latest Version OpenSSH_for_Windows_9.2p1, LibreSSL 3.7.2
This is quite disappointing. This prevents using git + public key auth within a Windows VM, connected from VSCode and Remote SSH.
For those looking for agent forwarding working. Beta versions already allow this. Just download the latest msi from GitHub releases, install it, and you've got it.
Thank you, devs! You're the best!
@plashenkov Could you elaborate on that? Are you SSH forwarding to a Windows machine that runs the OpenSSH server and you can use your local keys? Does that create a new named pipe and set SSH_AUTH_SOCK like when forwarding to a Linux server?
@florisvdg
I have OpenSSH auth agent running on Windows and local SSH keys with a passphrase. Now I can connect to VMs (running locally) with Linux as well as to my real cloud servers. I can connect to my cloud servers from VMs now as well.
My VMs run Docker services as well, and if I pass SSH_AUTH_SOCK there (from the VM to a Docker container), I can connect to my cloud servers even from the Docker container as well.
I can confirm that my SSH keys are only on my Windows host.
P.S. Ah, you are asking about a Windows host and a Windows server. I didn't try that. I have a Windows host and everything else is Linux. Stable Windows OpenSSH versions didn't allow that while the beta now allows.
Right, that makes sense now. Thanks for the clarification.
So yeah, people looking to SSH into a Windows box with agent forwarding enabled will still have to wait :(
I'll be watching this PR in the meantime. 👀
I had set ssh_shell to win32 version bash, but still can't forward ssh socket