
Some options of ssh_config are not supported #1890

Closed

gibsn opened this issue Nov 2, 2023 · 20 comments
Labels
bug Bug that's either related to Blink Shell or prevents the user to use the app in normal conditions.

Comments

@gibsn

gibsn commented Nov 2, 2023

Configuration

Blink version 17.0.1.840
iPad OS 17.0.3

Describe the bug

I have lots of hosts in my ssh config and setting all of those through GUI would take much time. I've searched for similar issues and somewhere saw that you support the complete ssh_config. However, at least these directives seem not to work:

ssh_config_parse_line: Unsupported option: ForwardAgent, line: 14
ssh_config_parse_line: Unsupported option: ForwardAgent, line: 19
ssh_config_parse_line: Unsupported option: ForwardAgent, line: 24
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 29
ssh_config_parse_line: Unsupported option: ForwardAgent, line: 36
ssh_config_parse_line: Unsupported option: ForwardAgent, line: 42
ssh_config_parse_line: Unsupported option: ForwardAgent, line: 48
ssh_config_parse_line: Unsupported option: ForwardAgent, line: 217

To make it clear: I am using .ssh/config, not manual ssh config in the GUI

@gibsn gibsn added the bug Bug that's either related to Blink Shell or prevents the user to use the app in normal conditions. label Nov 2, 2023
@carloscabanero
Member

Will take a look. I consider this critical functionality so we will tackle this immediately.

@carloscabanero
Member

carloscabanero commented Nov 8, 2023

Hi! I could not replicate this behavior. I'm thinking maybe something is going on with the parser, like a previous line or whatever. Given that the issue is very early on, line 14, do you think you could send me the first one or two batches so I can try to replicate from my side? Feel free to do so to my email: Carlos at blink.sh.

Thanks!

PS: I misread IdentitiesOnly for IdentityFile. That option is not currently supported but it should not block the rest. I will add IdentitiesOnly to the backlog.

@gibsn
Author

gibsn commented Nov 8, 2023

Hi!

Sure, I will narrow down my config to a piece that reproduces the problem and will send it to you

@gibsn
Author

gibsn commented Nov 9, 2023

This config:

Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/ssh_mux_%h_%p_%r
    ControlPersist yes
    Compression yes

    TCPKeepAlive yes
    ServerAliveInterval 30
    ServerAliveCountMax 6

# this is a jump host to the internal network, that's why I need agent forwarding
Host devpoint
    HostName somedevpointaddr.i
    User me
    ForwardAgent yes

# this is to use a separate ssh-key for repos 
Host github.com
    IdentityFile Git
    IdentitiesOnly yes

Produces this output:

blink> ssh -v github.com
ssh_config_parse_line: Unsupported option: TCPKeepAlive, line: 7
ssh_config_parse_line: Unsupported option: ServerAliveInterval, line: 8
ssh_config_parse_line: Unsupported option: ServerAliveCountMax, line: 9
ssh_config_parse_line: Unsupported option: ForwardAgent, line: 15
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 20

@carloscabanero
Member

Thanks! I could replicate it easily now. I have an idea what may be going on, we should have this fixed for our TestFlight version tomorrow. Are you on it?

@gibsn
Author

gibsn commented Nov 9, 2023

Thanks! I could replicate it easily now. I have an idea what may be going on, we should have this fixed for our TestFlight version tomorrow. Are you on it?

not yet, how do I join?

@gibsn gibsn changed the title Some options are of ssh_config are not supported Some options of ssh_config are not supported Nov 9, 2023
@carloscabanero
Member

community.blink.sh - On how you found us, reference this issue so I know I need to add you immediately.

@gibsn
Author

gibsn commented Nov 9, 2023

community.blink.sh - On how you found us, reference this issue so I know I need to add you immediately.

I am having trouble following this link:

blink> curl -v https://community.blink.sh
* Rebuilt URL to: https://community.blink.sh/
*   Trying 34.107.103.177...
* TCP_NODELAY set
* Connected to community.blink.sh (34.107.103.177) port 443 (#0)
* SSL peer handshake failed, the server most likely requires a client certificate to connect
* Closing connection 0
curl: (35) SSL peer handshake failed, the server most likely requires a client certificate to connect
blink> curl -v --insecure https://community.blink.sh
* Rebuilt URL to: https://community.blink.sh/
*   Trying 34.107.103.177...
* TCP_NODELAY set
* Connected to community.blink.sh (34.107.103.177) port 443 (#0)
* WARNING: disabling hostname validation also disables SNI.
* Unknown SSL protocol error in connection to community.blink.sh:-9838
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to community.blink.sh:-9838

@carloscabanero
Member

Ugh, sorry about that. Will reach out to Mailerlite. In the meantime, please send me the email to carlos at blink.sh. Thanks!

@carloscabanero
Member

Hi! So I've been checking things out and although the warning messages may show up, this should not affect the functionality. The proper flags, like ForwardAgent should still work.

Is the agent not being forwarded in your scenario? Is there a specific flag not working?

Thanks!

@gibsn
Author

gibsn commented Nov 10, 2023

Hi! I will double-check later today or this weekend

@gibsn
Author

gibsn commented Nov 13, 2023

Hi! So I tried a couple of approaches and here is what I got.

I had loaded my ssh keys through GUI before. I tried connecting to one of my SSH hosts that is configured like this:

Host mynode
    HostName some_amazon_node.eu-central-1.compute.amazonaws.com
    User admin
    ForwardAgent yes

Connecting failed with:

ssh -v mynode
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
Error connecting to technochat. authFailed(methods: [SSH.AuthAgent])

Actually I expected that the ssh command would try all the keys I had specified earlier with GUI. I thought then that if I am trying to connect to a host that is configured through config, not GUI, then the ssh command must be using the keys in the .ssh/ directory. So I copied my keys:

blink> ls .ssh | fgrep id_rsa
id_rsa
id_rsa.pub
id_rsa_git
id_rsa_git.pub

Specifying the key with '-i' does not help:

ssh -v -i .ssh/id_rsa mynode
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
Error connecting to technochat. authFailed(methods: [SSH.AuthAgent])

Actually -i does not work even with the key loaded through GUI:

ssh -v -i .ssh/id_rsa mynode
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
Error connecting to technochat. authFailed(methods: [SSH.AuthAgent])

Specifying the key with IdentityFile in config does not work either:

Host mynode
    HostName some_amazon_node.eu-central-1.compute.amazonaws.com
    User admin
    IdentityFile .ssh/id_rsa
    ForwardAgent yes

The only way I managed to make it work is by specifying the 'Dev' key through the IdentityFile:

Host mynode
    HostName some_amazon_node.eu-central-1.compute.amazonaws.com
    User admin
    IdentityFile .ssh/id_rsa
    ForwardAgent yes

blink> ssh -v mynode
ssh_config_parse_line: Unsupported option: TCPKeepAlive, line: 7
ssh_config_parse_line: Unsupported option: ServerAliveInterval, line: 8
ssh_config_parse_line: Unsupported option: ServerAliveCountMax, line: 9
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 16
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 20
socket_callback_connected: Socket connection callback: 1 (0)
ssh_key_cmp: key types don't match!
ssh_known_hosts_read_entries: Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
ssh_key_cmp: key types don't match!
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
Connected to x.x.x.x

The only key forwarded is the one I connected with:

ssh-add -l
8192 SHA256:rEPWN7wroHpyaoYgZ1ZBOMS/tF9GoKte34yq9Og9lfg Dev (RSA)

Adding to the agent also fails:

blink> ssh-add .ssh/id_rsa_git
Key not found

But adding a key specified through GUI works!

blink> ssh-add Git
Key Git - added to agent.

Forwarding works as expected:

ssh-add -l | wc -l
2

Then I thought that probably adding GUI-key to ssh-agent might help connecting and it did:

blink> ssh-add Dev
Key Dev - added to agent.
blink> ssh -v mynode
ssh_config_parse_line: Unsupported option: TCPKeepAlive, line: 7
ssh_config_parse_line: Unsupported option: ServerAliveInterval, line: 8
ssh_config_parse_line: Unsupported option: ServerAliveCountMax, line: 9
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 16
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 20
socket_callback_connected: Socket connection callback: 1 (0)
ssh_key_cmp: key types don't match!
ssh_known_hosts_read_entries: Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
ssh_key_cmp: key types don't match!
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
ssh_packet_userauth_failure: Access denied for 'publickey'. Authentication that can continue: publickey
Connected to x.x.x.x

So to wrap it up here is what I think confused me:

  1. ssh command does not try keys specified through GUI, you need to manually load it with ssh-add
  2. ssh command does not see keys in the .ssh dir, neither by default nor with the -i param

@carloscabanero
Member

Thanks a lot for the thorough description, it has been really helpful. So I have been working on solving some of the issues here as well as trying to iron out what the expectations are. I will try to reply in-line based on what Blink does and how I have changed based on what we think it should do.

  • On the initial issue with ssh_config_parse_line: Unsupported option.

    • This is misleading as the message actually does not come from Blink, it comes from LibSSH. For quite a while Blink has implemented its own ssh_config parser. We were still calling the LibSSH parser though, if only to make sure we had not forgotten to add some weird flag. I fixed this, so we should not see these messages anymore, and we now rely 100% on our parser.
  • Second comment, this is actually expected behavior. Blink does not add all the keys in the GUI by default. It follows the ssh convention of adding those with the default name: id_ecdsa, id_rsa, etc... This is all explained in the GUI and the docs. But let me know if you think we could have made this more clear somehow.

I had loaded my ssh keys through GUI before. I tried connecting to one of my SSH hosts that is configured like this:

Host mynode
    HostName some_amazon_node.eu-central-1.compute.amazonaws.com
    User admin
    ForwardAgent yes

[...]

Actually I expected that the ssh command would try all the keys I had specified earlier with GUI.

  • Third problem. Again this is expected. For consistency, we removed file based keys a couple years ago. This definitely breaks the usual convention, so Blink should have warned you. I am surprised this seems to be the first issue we have had about it. It may actually be related to the first issue, the library could be parsing the identity and offering it itself. But very few people work with .ssh/config anyway.

I thought then that if I am trying to connect to a host that is configured through config, not GUI, then the ssh command must be using the keys in the .ssh/ directory. So I copied my keys:

blink> ls .ssh | fgrep id_rsa
id_rsa
id_rsa.pub
id_rsa_git
id_rsa_git.pub

Specifying the key with '-i' does not help:

ssh -v -i .ssh/id_rsa mynode
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
Error connecting to technochat. authFailed(methods: [SSH.AuthAgent])
  • Third' - This should have worked, you just need to do -i key_name, no path necessary.

Actually -i does not work even with the key loaded through GUI:

ssh -v -i .ssh/id_rsa mynode
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
Error connecting to technochat. authFailed(methods: [SSH.AuthAgent])
  • Third''. Expected, no files.

Specifying the key with IdentityFile in config does not work either:

Host mynode
    HostName some_amazon_node.eu-central-1.compute.amazonaws.com
    User admin
    IdentityFile .ssh/id_rsa
    ForwardAgent yes
  • Fourth. Not sure I see the difference with the previous here, do you mean the GUI key?

The only way I managed to make it work is by specifying the 'Dev' key through the IdentityFile:

Host mynode
    HostName some_amazon_node.eu-central-1.compute.amazonaws.com
    User admin
    IdentityFile .ssh/id_rsa
    ForwardAgent yes

blink> ssh -v mynode
ssh_config_parse_line: Unsupported option: TCPKeepAlive, line: 7
ssh_config_parse_line: Unsupported option: ServerAliveInterval, line: 8
ssh_config_parse_line: Unsupported option: ServerAliveCountMax, line: 9
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 16
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 20
socket_callback_connected: Socket connection callback: 1 (0)
ssh_key_cmp: key types don't match!
ssh_known_hosts_read_entries: Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
ssh_key_cmp: key types don't match!
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
Connected to x.x.x.x

The only key forwarded is the one I connected with:

ssh-add -l
8192 SHA256:rEPWN7wroHpyaoYgZ1ZBOMS/tF9GoKte34yq9Og9lfg Dev (RSA)
  • Fourth'. Again, no files. ssh-add id_rsa_git works.

Adding to the agent also fails:

blink> ssh-add .ssh/id_rsa_git
Key not found

But adding a key specified through GUI works!

blink> ssh-add Git
Key Git - added to agent.

Forwarding works as expected:

ssh-add -l | wc -l
2
  • Fifth. This is correct, no files.

Then I thought that probably adding GUI-key to ssh-agent might help connecting and it did:

blink> ssh-add Dev
Key Dev - added to agent.
blink> ssh -v mynode
ssh_config_parse_line: Unsupported option: TCPKeepAlive, line: 7
ssh_config_parse_line: Unsupported option: ServerAliveInterval, line: 8
ssh_config_parse_line: Unsupported option: ServerAliveCountMax, line: 9
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 16
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 20
socket_callback_connected: Socket connection callback: 1 (0)
ssh_key_cmp: key types don't match!
ssh_known_hosts_read_entries: Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
ssh_key_cmp: key types don't match!
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
ssh_packet_userauth_failure: Access denied for 'publickey'. Authentication that can continue: publickey
Connected to x.x.x.x
  • It seems like it all boils down to one thing: Do not use files for keys, import them to the GUI. And then you can reference them either on ssh_config or anywhere else, no need to add the ".ssh" path in any case.

So to wrap it up here is what I think confused me:

  1. ssh command does not try keys specified through GUI, you need to manually load it with ssh-add
  2. ssh command does not see keys in the .ssh dir, neither by default nor with the -i param
  • Add additional warnings for referencing keys on files, as it breaks the convention (key starts with .ssh or has a slash).
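
The two parser behaviours discussed in this thread, as an added illustration that is not Blink's or libssh's code: a per-line "Unsupported option" report that skips only the offending line (so ForwardAgent in the same file still takes effect), and the proposed warning for identity references that look like key files rather than GUI key names. The SUPPORTED set is an assumption for the example, not Blink's real option list, and the config is constructed from the reporter's reproduction above.

```python
"""Toy ssh_config walker: an added example, not Blink's or libssh's code.
It models the per-line "Unsupported option" report (which skips only that
line, so ForwardAgent in the same file still applies) and the proposed
warning for key references that look like files. SUPPORTED is assumed."""
import fnmatch

SUPPORTED = {"host", "hostname", "user", "port", "identityfile", "forwardagent",
             "compression", "controlmaster", "controlpath", "controlpersist"}

# Constructed from the reporter's reproduction config in this issue.
SAMPLE_CONFIG = """\
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/ssh_mux_%h_%p_%r
    ControlPersist yes
    Compression yes

    TCPKeepAlive yes
    ServerAliveInterval 30
    ServerAliveCountMax 6

# jump host into the internal network
Host devpoint
    HostName somedevpointaddr.i
    User me
    ForwardAgent yes

# separate key for repos
Host github.com
    IdentityFile Git
    IdentitiesOnly yes
"""

def parse_config(text):
    """Return (blocks, warnings): (patterns, options) pairs in file order,
    plus 'Unsupported option' messages carrying their line numbers."""
    current = (["*"], {})  # directives before any Host apply globally
    blocks, warnings = [current], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":  # negated "!pattern" entries are not modelled
            current = (value.split(), {})
            blocks.append(current)
        elif key not in SUPPORTED:  # report and skip this line only
            warnings.append(f"Unsupported option: {parts[0]}, line: {lineno}")
        else:  # first value of an option inside a block wins
            current[1].setdefault(key, value)
    return blocks, warnings

def effective(blocks, host):
    """OpenSSH rule: the first matching value for an option wins."""
    result = {}
    for patterns, options in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in options.items():
                result.setdefault(key, value)
    return result

def looks_like_key_file(identity):
    """Thread heuristic: starts with .ssh or contains a slash => file path."""
    return identity.startswith(".ssh") or "/" in identity
```

parse_config(SAMPLE_CONFIG) reports the directives this toy parser does not know (lines 7, 8, 9 and 20) while effective(blocks, "devpoint") still carries ForwardAgent yes, which is the maintainer's point that the messages do not disable the supported flags. looks_like_key_file(".ssh/id_rsa") is true and looks_like_key_file("Dev") is false, matching the proposed warning rule.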

@gibsn
Author

gibsn commented Nov 16, 2023

Hi!

Second comment, this is actually expected behavior. Blink does not add all the keys in the GUI by default. It follows the ssh convention of adding those with the default name: id_ecdsa, id_rsa, etc... This is all explained in the GUI and the docs. But let me know if you think we could have made this more clear somehow.

Yeah, I get it now. I did read all the docs you have on your website but of course missed some points. Probably it would be more handy for me if it was documented in ssh --help, because when I encounter problems with a command-line tool, I seek answers in --help or man, not web docs.

@gibsn
Author

gibsn commented Nov 16, 2023

Third problem. Again this is expected. For consistency, we removed file based keys a couple years ago. This definitely breaks the usual convention, so Blink should have warned you. I am surprised this seems to be the first issue we have had about it. It may actually be related to the first issue, the library could be parsing the identity and offering it itself. But very few people work with .ssh/config anyway.

The problem is that ssh --help states the opposite:

 -i <identity>           Selects a file from which the identity (private key)
                          for public key authentication is read. The default is
                          ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
                          ~/.ssh/id_rsa.  Identity files may also be specified
                          on a per-host basis in the configuration pane in the
                          Settings of Blink.

@gibsn
Author

gibsn commented Nov 16, 2023

To make it clear: GUI-keys are named 'Dev' and 'Git', key-files in the .ssh dir are named id_rsa[.pub] and id_rsa_git[.pub]

Third' - This should have worked, you just need to do -i key_name, no path necessary.
Actually -i does not work even with the key loaded through GUI:

ssh -v -i .ssh/id_rsa mynode
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
Error connecting to technochat. authFailed(methods: [SSH.AuthAgent])

There is a mistake in the snippet, it should have been this:

ssh -v -i Dev mynode

I tried it now and it works, although I did not add the Dev key to the agent manually. Probably I made a mistake when I was testing this case earlier.

Fourth'. Again, no files. ssh-add id_rsa_git works.
Adding to the agent also fails:

blink> ssh-add .ssh/id_rsa_git
Key not found

ssh-add id_rsa_git does not work, because there is no GUI key named id_rsa_git:

blink> ssh-add id_rsa_git
Key not found

It seems like it all boils down to one thing: Do not use files for keys, import them to the GUI. And then you can reference them either on ssh_config or anywhere else, no need to add the ".ssh" path in any case.

Got it

@gibsn
Author

gibsn commented Nov 16, 2023

THIS MESSAGE WAS HEAVILY EDITED BECAUSE I UNDERSTOOD THAT I GOT IT ALL WRONG

The only problem I have left is that in order to forward my keys I need to add them manually to the agent each time I start blink. Is there any reason why you don't want them to be added automatically on startup? Probably I am missing a way to configure this to be done automatically?

@carloscabanero
Member

Thanks again, I flagged the conversations from my side so we will do the proper changes to help, etc...

I was gonna ask you about how you would prefer to load keys as well given your number of hosts. Blink has a special agent that is basically an agent per host and a default agent. Usually, the default agent holds all the keys you want to forward to all hosts, like the usual ssh-agent, but this is known to be troublesome.

If you create the host in Blink, then you can define what specific keys you want to forward there, so each host can have different access. This has to be done at the GUI as there is no standard ssh flag at the moment. You can also specify different "constraints" like Asking you every time before use, or once per connection, etc...

Our idea here is that most people just forward keys to one or two hosts, and if they need to forward to more than that they probably want to have very specific control for when this happens (the manual way). So far, the per-host agent has really served us well and removed the need for the default agent. But does this work for you? Or would you rather have a more generic way to assign keys to group of hosts in the agent or the default agent?

@gibsn
Author

gibsn commented Nov 16, 2023

I have only two keys: one for connecting to hosts and one for communicating with git repos. Basically I need to be able to forward the 'git' key to any host I ssh to.

I guess the default agent would work for me. Another option is to provide a way to initialise each shell session automatically with something like .bash_profile, so that I can ssh-add my keys there.

@carloscabanero
Member

Shipped on 17.2.0

Created #1960 to get control over the default agent.
