Unable to use agent with OpenSSH on Windows 10
Authentication doesn't work for me when using OpenSSH. The running nCryptAgent seems to be ignored. Nothing in nCryptAgent.log. Works with PuTTY though.
Is there any way to debug this?
config.json:
"namedpipe": true
Windows 10 22H2 OpenSSH_for_Windows_9.2p1
Have you made sure the OpenSSH Authentication Agent in Services is stopped and relaunched nCryptAgent? I cannot remember whether an error is thrown if the named pipe already exists, so it may be failing silently if that's the case.
It's stopped, yes. Otherwise there's an error message in the log:
Error result from listener Run(): open \\.\pipe\openssh-ssh-agent: Access is denied.
Wanted to pop in to get notifications on this. Same story here:
- Standard OpenSSH Agent was stopped before starting nCryptAgent
PowerShell 7.3.6
PS C:\Users\Ghostling> sc query ssh-agent

SERVICE_NAME: ssh-agent
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
PS C:\Users\Ghostling>
- nCryptAgent is running (tried normally and as administrator) with a key (namegoeshere) available.
- Log only says regular startup stuff. Notably, the named pipe listener (for OpenSSH) seems to have started correctly:
2023/08/11 11:16:00 Loading key namegoeshere
2023/08/11 11:16:00 Starting listener *listeners.NamedPipe
2023/08/11 11:16:00 Got length 2048
2023/08/11 11:16:00 Saving public key to C:\Users\Ghostling\AppData\Roaming\nCryptAgent\PublicKeys\29247bf882f7e4ccf2e342ccdb85ba89.pub
- To test if the agent works, I decided to try authenticating to GitHub. I cleared out all key files from ~/.ssh to avoid unwanted interference. The only thing in my SSH config is changing the User to git because that's what GitHub uses. I added the public key generated by nCryptAgent to my GitHub account, so if the agent works properly, I should be able to see the welcome message. Ran ssh -v to show verbose details - the client tries all the common key files (that aren't there) and fails, without using the agent.
PowerShell 7.3.6
PS C:\Users\Ghostling> ssh -v github.com
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
debug1: Reading configuration data C:\\Users\\Ghostling/.ssh/config
debug1: C:\\Users\\Ghostling/.ssh/config line 1: Applying options for github.com
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to github.com [140.82.121.4] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\Ghostling/.ssh/id_rsa type -1
debug1: identity file C:\\Users\\Ghostling/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\Ghostling/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\Ghostling/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\Ghostling/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\Ghostling/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\Ghostling/.ssh/id_ecdsa_sk type -1
debug1: identity file C:\\Users\\Ghostling/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file C:\\Users\\Ghostling/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\Ghostling/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\Ghostling/.ssh/id_ed25519_sk type -1
debug1: identity file C:\\Users\\Ghostling/.ssh/id_ed25519_sk-cert type -1
debug1: identity file C:\\Users\\Ghostling/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\Ghostling/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.6
debug1: Remote protocol version 2.0, remote software version babeld-d815c248
debug1: compat_banner: no match: babeld-d815c248
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen C:\\Users\\Ghostling/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
debug1: load_hostkeys: fopen C:\\Users\\Ghostling/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in C:\\Users\\Ghostling/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: Permission denied
debug1: Will attempt key: C:\\Users\\Ghostling/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\Ghostling/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\Ghostling/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\Ghostling/.ssh/id_ecdsa_sk
debug1: Will attempt key: C:\\Users\\Ghostling/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\Ghostling/.ssh/id_ed25519_sk
debug1: Will attempt key: C:\\Users\\Ghostling/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\Ghostling/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\Ghostling/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\Ghostling/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\Ghostling/.ssh/id_ecdsa_sk
debug1: Trying private key: C:\\Users\\Ghostling/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\Ghostling/.ssh/id_ed25519_sk
debug1: Trying private key: C:\\Users\\Ghostling/.ssh/id_xmss
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).
PS C:\Users\Ghostling>
Edit: Forgot to mention, just like OP, PuTTY works for me
When you run ssh-add -l does it give a connection error, or an empty list?
On my system, the fingerprint of the key added to nCryptAgent is shown.
If ssh-add is listing the nCryptAgent keys, I'm unsure why SSH itself is failing to enumerate and try them for authentication. Perhaps try connecting again with ssh -vvvv to get up to debug3 level and see if there are any hints?
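A PowerShell script that runs the checks this thread walks through (built-in ssh-agent service stopped, SSH_AUTH_SOCK unset, listener present on the named pipe, ssh-add -l result). It is an added example, not part of nCryptAgent or of any post here; it assumes the default Windows OpenSSH pipe name openssh-ssh-agent and that ssh-add.exe is on PATH.

```powershell
# Added diagnostic script, not part of nCryptAgent. Assumes the default Windows
# OpenSSH agent pipe name (openssh-ssh-agent) and that ssh-add.exe is on PATH.
$PipeName = 'openssh-ssh-agent'

# 1. The built-in service must be stopped; while it runs it owns the pipe name and
#    nCryptAgent's listener fails with "Access is denied".
$svc = Get-Service -Name ssh-agent -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host 'ssh-agent service: not installed'
} elseif ($svc.Status -ne 'Stopped') {
    Write-Warning "ssh-agent service is $($svc.Status); run: Stop-Service ssh-agent; Set-Service ssh-agent -StartupType Disabled"
} else {
    Write-Host "ssh-agent service: Stopped (StartType $($svc.StartType))"
}

# 2. ssh.exe uses SSH_AUTH_SOCK when it is set, otherwise \\.\pipe\openssh-ssh-agent.
if ($env:SSH_AUTH_SOCK) {
    Write-Warning "SSH_AUTH_SOCK is '$env:SSH_AUTH_SOCK'; ssh will use that instead of \\.\pipe\$PipeName"
}

# 3. Is anything listening on the pipe name? Enumerating \\.\pipe\ lists open named pipes.
$pipes = [System.IO.Directory]::GetFiles('\\.\pipe\') | Where-Object { $_ -like "*\$PipeName" }
if ($pipes) {
    Write-Host "Pipe found: $($pipes -join ', ')"
} else {
    Write-Warning "No \\.\pipe\$PipeName; is nCryptAgent running with `"namedpipe`": true?"
}

# 4. Ask the agent for its identities. ssh-add exit codes: 0 = keys listed,
#    1 = agent reachable but holds no identities, 2 = could not contact the agent.
$listing = & ssh-add -l 2>&1 | ForEach-Object { "$_" }
switch ($LASTEXITCODE) {
    0 {
        Write-Host 'Agent reachable; identities:'
        $listing | ForEach-Object { Write-Host "  $_" }
        # Flag the key type this thread found unusable through nCryptAgent (ECDSA-384).
        $listing | Where-Object { $_ -match '^384\s.*\(ECDSA\)' } |
            ForEach-Object { Write-Warning "ECDSA-384 key present; reported not to authenticate via nCryptAgent: $_" }
    }
    1 { Write-Warning 'Agent reachable but holds no identities' }
    2 { Write-Warning "Cannot contact agent: $($listing -join ' ')" }
    default { Write-Warning "ssh-add exited with $LASTEXITCODE" }
}
```

If step 4 reports exit code 2 while step 3 found the pipe, compare with ssh -vvv output for "ssh_get_authentication_socket" lines, as suggested above.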
I did some testing on my own (now that I got reminded that ssh-add -l exists) and I found an unrelated issue that might also be relevant.
When I create a key (tried RSA 2048 and ECDSA 256, both act the same), everything works fine. ssh-add -l shows it, and I can authenticate with it, with both PuTTY and the OpenSSH client.
However, after a restart of the agent (RMB->Exit on the tray icon and starting it back up again) all keys show up as "Missing". The "Public Key Location" field is blank, and the "Errors" field has this message:
NCryptOpenKey for container "C:\\Users\\Adam W�jcik\\AppData\\Local\\Microsoft\\Crypto\\PCPKSP\\3e04953c8be2157363dfbee0bda261ec10c012df\\1e9f96ccaaf251743bbdf936dab8f646afe517e8.PCPKEY" returned NTE_BAD_KEYSET: The operation completed successfully.
(One of the characters in my username shows up weird as it's a diacritic. I double checked on a fully ASCII user Ghostling and the same error occurred, so it's only a visual error.)
In this state, the key is still listed under ssh-add -l but authentication no longer works:
PS C:\Users\Adam Wójcik> ssh-add -l
256 SHA256:lGBm/tYUm8JP3UwiDprZ29D0vuw4gyaBa7dfQfF6QWM ec (ECDSA)
PS C:\Users\Adam Wójcik> ssh github.com
sign_and_send_pubkey: signing failed for ECDSA "ec" from agent: agent refused operation
[email protected]: Permission denied (publickey).
PS C:\Users\Adam Wójcik>
Checking manually I can confirm that the problematic PCPKEY file is still there.
I am not sure what caused this behaviour to be different from the error I was encountering earlier, where the SSH client didn't acknowledge the agent at all. I am unable to replicate that original problem at all now.
@unreality The cause turned out to be the 384-bit ECDSA key which was created in nCryptAgent. For some reason it doesn't play well with OpenSSH server on Linux. I tried nCryptAgent with ECDSA-256 and RSA-2048 keys – both work fine. I also verified that ECDSA-384 key works in the same setup without nCryptAgent (ssh-keygen -t ecdsa -b 384).
The relevant part of OpenSSH client log when using ECDSA-384 key in nCryptAgent:
debug3: ssh_get_authentication_socket_path: path '\\\\.\\pipe\\openssh-ssh-agent'
debug2: get_agent_identities: ssh_agent_bind_hostkey: agent refused operation
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: TEST ECDSA SHA256:<key_fingerprint> agent
debug1: Will attempt key: <user_profile>/.ssh/id_rsa
debug1: Will attempt key: <user_profile>/.ssh/id_ecdsa
debug1: Will attempt key: <user_profile>/.ssh/id_ecdsa_sk
debug1: Will attempt key: <user_profile>/.ssh/id_ed25519
debug1: Will attempt key: <user_profile>/.ssh/id_ed25519_sk
debug1: Will attempt key: <user_profile>/.ssh/id_xmss
debug1: Will attempt key: <user_profile>/.ssh/id_dsa
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
@youk thanks for the investigation, I'll try to find some time to look into ECDSA-384 and see what's going on