-
Notifications
You must be signed in to change notification settings - Fork 799
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unix domain sockets return spurious data from getsockopt(SO_PEERCRED) if the peer has already departed, which breaks ssh-agent forwarding for Ubuntu 18.04 #3183
Comments
How did you upgrade? |
@DarthSpock, |
Some more diagnosis: this bug is caused by initiating an SSH connection that uses agent connection forwarding (ssh -O ForwardAgent=yes). When that connects, it does a test connection to the auth sock:
On the SSH agent side, this one connect/close pair causes the bogus data returned from getsockopt SO_PEERCRED (probably because the peer is already gone by the time of the getsockopt call):
… and after that time the ssh-agent remains alive but is unusable because it closed its end of the socket. This is the only thing that differs between Ubuntu 16.04 and 18.04 -- in earlier versions, the agent would log the error message and drop that specific connection but keep its listening socket open; now (probably for security paranoia) it becomes unusable after one failed connection. So there's a simple workaround for now: don't use agent forwarding. |
I have noticed my ssh-agent exhibiting similar behaviour after upgrading to 18.04 using |
I can confirm having the same issue, using Ubuntu 18.04 from the Microsoft Store on a new Windows 10 installation. |
My config is identical to the example in your link. This does not resolve the issue for me. |
@DarthSpock, I already have the |
@DarthSpock the issue is the new socket close call in the error-handling path of the ssh-agent binary. Why would that be any different from a clean install? I'm pretty sure this is just another minor compatibility bug in the implementation of getsockopt. |
@DarthSpock I'm doing this on a clean Windows 10 install with a clean Ubuntu 18.04 install. I've since removed the 18.04 install and installed 16.04 where I don't have this issue. |
It's a bug in WSL. |
Is there anything I can do to help progress this ticket? Anything needed to reproduce the issue? |
@rarenerd By following CONTRIBUTING.md |
I can confirm a clean installation of Ubuntu 18.04 on 1803 build of Windows 10 results in this problem (WSL was installed after updating to 1803) |
There were changes in Insider Build 17704 that may address this. |
I can confirm that SSH agent forwarding works on 17711. |
will this get fixed for non insider-builds? or do we have to wait for the fall-update of Windows 10? |
@thegass it's not useless, just install Ubuntu 16 instead of 18 from the windows store, it works fine |
@d-rez will try the old version. (tried already opensuse but that has the same problem) |
was introduced in version 7.3 ( http://www.openssh.com/txt/release-7.3 ) which is not the case for ubuntu 16.04:
and is limiting factor for me, for example. |
Any idea if this is getting rolled up into a prod update soon? I can't revert to 16.04 solely for the sake of SSH (because I need some of the updated userland), and yet I really need SSH forwarding to work, otherwise I can't checkout repositories on remote machines with my own key. |
@rcarmo - We typically only service security and reliability issues, so this won't be available in a non-Insiders build until the next update due this fall. |
Could you run multiple distributions in parallel (16.04 for git clone et al; 18.04 for a current userland) and use the Windows host as the shared storage provider (/mnt/c/git-repose-here)? |
@rcarmo have you tried grabbing the ssh-agent binary from 16.04 and using that as a workaround? |
It's not practical to maintain two copies of Ansible, Terraform, |
@0xabu from the thread above I was under the impression this was also broken in other distros, but yes, that worked, thanks! Not that I'm happy about it, but it is a semi-acceptable workaround for WSL. Which should probably have off-cycle updates (hint hint). Here's a quick
cd /tmp/
wget http://mirrors.kernel.org/ubuntu/pool/main/o/openssh/openssh-client_7.2p2-4ubuntu2.4_amd64.deb
dpkg -x openssh-client_7.2p2-4ubuntu2.4_amd64.deb /tmp/deb
sudo mv /usr/bin/ssh-agent /usr/bin/ssh-agent.18.04
# for safekeeping in case of bionic updates
sudo mv /tmp/deb/usr/bin/ssh-agent /usr/bin/ssh-agent.16.04
sudo cp /usr/bin/ssh-agent.16.04 /usr/bin/ssh-agent
sudo chown root:ssh /usr/bin/ssh-agent (Edits for readability.) |
@rcarmo this worked for me, thanks! |
#3183 (comment) #3183 (comment) |
I can confirm that Windows 10 October 2018 Update Version 1809 (OS Build 17763.1) works fine with Ubuntu Bionic's ssh-agent from the openssh-client apt package version 1:7.6p1-4. |
Just posting @rcarmo workaround with fixed package url
|
Package is now openssh-client_7.2p2-4ubuntu2.7_amd64.deb cd /tmp/
wget http://mirrors.kernel.org/ubuntu/pool/main/o/openssh/openssh-client_7.2p2-4ubuntu2.7_amd64.deb
dpkg -x openssh-client_7.2p2-4ubuntu2.7_amd64.deb /tmp/deb
sudo mv /usr/bin/ssh-agent /usr/bin/ssh-agent.18.04
# for safekeeping in case of bionic updates
sudo mv /tmp/deb/usr/bin/ssh-agent /usr/bin/ssh-agent.16.04
sudo cp /usr/bin/ssh-agent.16.04 /usr/bin/ssh-agent
sudo chown root:ssh /usr/bin/ssh-agent
I know this is an old issue, but some companies are still rolling out Build 1803 so the fix is still relevant |
Got same issue and the workaround really save my day. thanks a lot. |
I also have the same issue here. After downgrading the |
Just updating the script again for those who need it.
|
If anyone having problems with BSOD (lxcore.sys), try to run |
Thanks @ADotOut . This was really helpful. |
ssh-agent is still broken in the latest ubuntu 18 from the windows store.
the environment variable is not being set when you close a Ubuntu terminal and reopen it. |
If you're still having this issue, double-check that
I started getting "Error connecting to agent: Connection refused" after an automatic system reboot, so I checked, and sure enough, the socket in /tmp had somehow persisted across a reboot. Obviously the listening |
add these code to
|
You create a new process each time you open bash. We can reuse one if ! pgrep ssh-agent > /dev/null; then
rm -f /tmp/ssh-auth-sock
eval "$(ssh-agent -s -a /tmp/ssh-auth-sock)"
else
export SSH_AUTH_SOCK=/tmp/ssh-auth-sock
fi
ssh-add |
This worked fine until I restarted the pc. Now I'm only left with:
Any idea? |
@Morgy93 I updated script above and replace socket file lookup with a process. |
I can approve that the script is working fine to reuse one ssh-agent. if ! pgrep ssh-agent > /dev/null; then
rm -f /tmp/ssh-auth-sock
eval "$(ssh-agent -s -a /tmp/ssh-auth-sock)"
ssh-add
else
export SSH_AUTH_SOCK=/tmp/ssh-auth-sock
fi There is still the issue that you have to enter the password after a restart. Any idea how to solve that? |
There's by the way some "official" script in the docs:
Source: https://code.visualstudio.com/docs/remote/troubleshooting#_setting-up-the-ssh-agent |
Try this: if ! pgrep ssh-agent > /dev/null; then |
Actually non of the above scripts are working in WSL2 Ubuntu 18.04. |
this snippet I currently use in my .bashrc.local (as I often copy .bashrc and other dot files to servers, splitting into separate .bashrc.local ensures desktop specific settings doesn't hit remote servers)
.bashrc part to include local file:
.ssh/config to learn new keys once used:
all that works fine for me on WSL2 with Ubuntu 20.04 |
Anyone in 2022 and beyond running wsl2, can confirm this worked for me! |
This worked for me on 2022 using wsl2 |
Since upgrading from Ubuntu 16.04 to 18.04, I've noticed that my ssh-agent setup no longer works reliably. For the purposes of debugging, I ran ssh-agent as:
After doing this, I can add keys to the agent, and make exactly one SSH connection. Later, trying to connect to the agent fails with
Error connecting to agent: Connection refused
. Before the SSH connection (when everything still works), getsockopt appears to behave as expected, returning the pid/uid/gid of the process connecting to the socket:However later, getsockopt returns -1 as uid/gid which obviously makes ssh-agent unhappy:
I'm on RS4 build 17134. /tmp is on an lxfs mountpoint.
The text was updated successfully, but these errors were encountered: