Win32-OpenSSH
Certificates aren't properly added to the ssh-agent service
Prerequisites
- [X] Write a descriptive title.
- [X] Make sure you are able to repro it on the latest version
- [X] Search the existing issues.
Steps to reproduce
All versions from 8.1.0.1 to 9.5.0.1p1-Beta fail to add a matching pair of identity and certificate into the agent when using ssh-add.
```
PS C:\Users\user> winget install Microsoft.OpenSSH.Beta --override ADDLOCAL=Client
Found OpenSSH Beta [Microsoft.OpenSSH.Beta] Version 9.5.0.0
Successfully verified installer hash
Starting package install...
Successfully installed
PS C:\Users\user> Get-Command ssh-add

CommandType     Name            Version    Source
-----------     ----            -------    ------
Application     ssh-add.exe     9.5.0.0    C:\Program Files\OpenSSH\ssh-add.exe

PS C:\Users\user> ssh -V
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2
PS C:\Users\user> dir .ssh

    Directory: C:\Users\user\.ssh

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        08/05/2024     14:30            634 id_ecdsa
-a----        09/05/2024     07:42           1338 id_ecdsa-cert.pub
-a----        08/05/2024     14:30            233 id_ecdsa.pub
```
Expected behavior
```
PS C:\Users\user> ssh-add -v
Identity added: C:\Users\user/.ssh/id_ecdsa (abc\user@DESKTOP-123)
Certificate added: C:\Users\user/.ssh/id_ecdsa-cert.pub (cert)
PS C:\Users\user> ssh-add -l
384 SHA256:GPcZoAOWDF3mEc9ZNe2qDsa71ottMJPJyNsx13vB+Z4 abc\user@DESKTOP-123 (ECDSA)
384 SHA256:GPcZoAOWDF3mEc9ZNe2qDsa71ottMJPJyNsx13vB+Z4 abc\user@DESKTOP-123 (ECDSA-CERT)
```
Actual behavior
```
PS C:\Users\user> ssh-add -v
Identity added: C:\Users\user/.ssh/id_ecdsa (abc\user@DESKTOP-123)
Certificate added: C:\Users\user/.ssh/id_ecdsa-cert.pub (cert)
PS C:\Users\user> ssh-add -l
384 SHA256:GPcZoAOWDF3mEc9ZNe2qDsa71ottMJPJyNsx13vB+Z4 abc\user@DESKTOP-123 (ECDSA-CERT)
```
Error details
No response
Environment data
```
PS C:\Users\user> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.19041.4291
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.4291
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```
Version
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2
Visuals
No response
Related:
- https://github.com/PowerShell/Win32-OpenSSH/issues/1333
- https://github.com/PowerShell/Win32-OpenSSH/issues/1954
@tgauth / @maertendMSFT Is there anything else I can provide to help your investigation?
It seems like the hashes of the identity and cert (which are the same) are colliding in the registry path they're being referenced in, and so one overwrites the other, leaving ssh-add -l to list only the most recently added to the registry path.
Could the registry path be created from a hash including the filename (e.g. id_ecdsa-cert.pub vs id_ecdsa.pub) to differentiate the two otherwise identical hashes?
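An added diagnostic script for checking the collision hypothesis above. It is not part of the issue and not Win32-OpenSSH's own code. It assumes the OpenSSH for Windows ssh-keygen and ssh-add binaries are on PATH, that the key pair lives in %USERPROFILE%\.ssh under the names from the report, and that the agent stores keys under the registry path HKLM:\SOFTWARE\OpenSSH\Agent\Keys (an assumption about this build; reading it may need an elevated prompt). The one fact it relies on is that ssh-keygen -lf on a -cert.pub file prints the fingerprint of the certified public key, not of the certificate blob, so key and cert report the same SHA256 value.

```powershell
# Added diagnostic, not from the issue or from Win32-OpenSSH:
# 1. show that id_ecdsa.pub and id_ecdsa-cert.pub share one fingerprint,
# 2. reproduce the ssh-add / ssh-add -l sequence from the report,
# 3. optionally list what the agent has persisted in the registry.
# Assumes ssh-keygen/ssh-add on PATH and the file names below.
$KeyDir  = Join-Path $env:USERPROFILE '.ssh'
$PrivKey = Join-Path $KeyDir 'id_ecdsa'
$PubKey  = Join-Path $KeyDir 'id_ecdsa.pub'
$CertPub = Join-Path $KeyDir 'id_ecdsa-cert.pub'

function Get-SshFingerprint {
    param([Parameter(Mandatory)][string]$Path)
    # ssh-keygen -lf prints "<bits> SHA256:<hash> <comment> (<type>)".
    # For a -cert.pub it hashes the certified public key, so the value
    # matches the plain .pub file.
    $line = (& ssh-keygen -lf $Path 2>&1 | Select-Object -First 1)
    if ($LASTEXITCODE -ne 0) { throw "ssh-keygen failed on ${Path}: $line" }
    return ([string]$line -split '\s+')[1]
}

$keyFp  = Get-SshFingerprint $PubKey
$certFp = Get-SshFingerprint $CertPub
"Public key fingerprint : $keyFp"
"Certificate fingerprint: $certFp"
if ($keyFp -eq $certFp) {
    "Fingerprints are identical; a store keyed on the fingerprint alone cannot hold both entries."
}

# Reproduce the report: adding the private key also loads the matching -cert.pub.
# A correct agent lists two entries for this fingerprint, (ECDSA) and (ECDSA-CERT);
# the affected builds list only (ECDSA-CERT).
& ssh-add $PrivKey
$listed = @(& ssh-add -l)
$listed
$mine  = @($listed | Where-Object { $_ -like "*$keyFp*" })
$kinds = $mine | ForEach-Object { if ($_ -match '\(([^)]+)\)\s*$') { $Matches[1] } }
"Agent entries for this fingerprint: $($mine.Count) ($($kinds -join ', '))"

# Optional: look at the agent's persisted store. The path is an assumption about
# where Win32-OpenSSH's ssh-agent keeps keys; skip silently if it is absent or
# the current user cannot read it.
$AgentKeys = 'HKLM:\SOFTWARE\OpenSSH\Agent\Keys'
if (Test-Path $AgentKeys) {
    "Registry subkeys under ${AgentKeys}:"
    Get-ChildItem $AgentKeys -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PSChildName
}
```

If the registry listing shows a single subkey whose name is derived from the fingerprint, that is consistent with the overwrite described above; if it shows two subkeys while ssh-add -l still prints one line, the loss happens somewhere other than the store naming.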