client side ssh agent support instead of path to key file

Here you can discuss the universal Integrated Development Environment for OpenVMS.

Topic author
alister
Contributor
Posts: 16
Joined: Fri Sep 29, 2023 3:00 am
Reputation: 0
Status: Offline

Post by alister » Fri Oct 06, 2023 1:33 am

Hi,

Is implementing ssh agent support for VMS IDE on the roadmap? I'm guessing it's not currently supported, based on https://wiki.vmssoftware.com/SSH_Settings

https://github.com/mscdex/ssh2#readme e.g. has agent in its connect call

Code:

agent - string - Path to ssh-agent's UNIX socket for ssh-agent-based user authentication. Windows users: set to 'pageant' for authenticating with Pageant or (actual) path to a cygwin "UNIX socket." Default: (none)

but I'm not sure about ssh2-streams support for this. I am guessing, as mentioned in passing in the previous issue, that you are using your own fork of ssh2-streams for the connection to VMS (https://github.com/vmssoftware/ssh2-streams), but it's unclear from my scan of their readme whether it has support.

Ideally I'd be able to use VMS IDE using ssh-agent, like configured here https://learn.microsoft.com/en-us/windo ... generation OR, failing that, pageant.


sergey_vorfolomeev
VSI Expert
Master
Posts: 106
Joined: Thu Aug 22, 2019 12:17 am
Reputation: 0
Status: Offline

Re: client side ssh agent support instead of path to key file

Post by sergey_vorfolomeev » Fri Oct 06, 2023 4:09 am

The current version of SSH2 supports this, but VMS-IDE does not contain the required executable file.
It must be ~/home/.vscode/extensions/vmssoftwareinc.vms-ide-1.5.59/util/pageant.exe
It is not the pageant.exe from the PuTTY folder; it is compiled from scratch from the SSH2-provided source (see util folder).
To use it, change the connection like this:

Code:

    "addConnectConfig": {
        "agent" : "pageant",
        "agentForward" : true,
        "authHandler" : [ "agent" ]
    },

At this time VMS-IDE does not recognize that the connection has an agent, so it asks for a password. Just press enter and it will go.


Post by alister » Fri Oct 06, 2023 5:29 pm

Hi Sergey,

Thanks again for the quick response. I'll give that a try. I'm pretty new to a bunch of stuff in this space, and have limited time available for it, but I'll try this and post a reply as soon as I've been able to.


Post by alister » Mon Oct 16, 2023 6:53 am

Hi Sergey,

I've just got back to this, courtesy of my sysadmin getting public key auth working.

The short answer is I got this working, thank you!

The longer answer is:
- I was using diffie-hellman-group14-sha256 when connecting previously with a password. When I used pageant it seems like the remote side is only offering up diffie-hellman-group14-sha1. I have more to do to understand this; possibly this error is in our VMS side configuration. As far as I know the algorithms in the KEX offered by the remote side are its full subset, not just those that match the incoming algorithms from the client (https://goteleport.com/blog/ssh-handsha ... y-exchange).
- I am a little concerned with using that pre-compiled executable in the ssh2 directory, due to security constraints in my job. For any others facing this, downloading the Windows SDK and compiling in the Visual Studio developer command prompt was able to rebuild the pageant shim exe present in ssh2.
- It looks like that code is sending pageant a Windows message (win32 API style), rather than via some other mechanism (I don't know how PuTTY communicates with it on Windows - maybe that code was lifted from PuTTY on Windows?). This led me to look a bit more at agent interactions. It looks like ssh2 supports agents other than pageant: https://github.com/mscdex/ssh2#agent-related . It also looks like it will default to using openssh-agent on a Windows environment. Now I connect to VMS using Windows Terminal and openssh, and VMS IDE. The simplest option for me would be to use the pre-installed openssh on Windows - I already have Windows Terminal connecting like this. Is it possible for VMS IDE to use these? It seems like this might be possible?

I haven't settled on PuTTY / pageant vs inbuilt openssh - so this isn't an out and out feature request, I just wonder if it might be able to make this "just work" for people on Windows, if they follow https://learn.microsoft.com/en-us/windo ... management - whereas pageant requires installing it and key format conversion.

Added in 16 minutes 49 seconds:
Hmmm,

On second reading of the ssh2 readme, I think I've misread it - options are pageant or cygwin. Trying

    "addConnectConfig": {
        "agent" : "openssh",
        "agentForward" : true,
        "authHandler" : [ "agent" ]
    },

results in

    client error: Error: Invalid cygwin unix socket path
    client error: Error: All configured authentication methods failed
    Cannot find files on remote source
    Synchronization failed. [vms-ide]

So looks like pageant it is!


Post by alister » Tue Oct 17, 2023 6:47 am

OK - I might have celebrated too early. Still debugging this. It can synchronize (run sftp commands?), but fails when building with:

create shell error: Error: Unable to request agent forwarding.

I can connect a shell to this machine using PuTTY and pageant, and with openssh/ssh-agent.

Searching for related issues I can see https://github.com/mscdex/ssh2/issues/989 - but it's too early to know if this is the case.

Sergey - if possible, could you confirm if the build action with a pageant setup works for you?

PS: The paragraph about the KEX algorithm from my previous reply can be ignored - my fault - now resolved.


Post by sergey_vorfolomeev » Tue Oct 17, 2023 7:32 am

It works without forwarding.

Code:

                "addConnectConfig": {
                    "agent": "pageant"
                },


Post by alister » Thu Oct 19, 2023 5:11 pm

Hi Sergey,

OK - that works for me too. Both synchronize and build can be executed without agentForward. I'm still new to ssh - looking here https://www.howtogeek.com/devops/what-i ... ou-use-it/ to understand ssh forwarding, it looks like I only need that if I need to authenticate not just with my target server, but with other downstream servers. I don't believe I have that need (our make files execute builds locally) - are there any commands issued by VMS IDE during the build or debug process that have that need? I am trying to understand if I am likely to see a future use case for this.
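
The three connection blocks posted in this thread, run through a small audit function. This is an added example, not code from VMS-IDE or ssh2; `auditConnectConfig`, `ruleNames` and the rule names are hypothetical, and the checks encode only what the thread and the quoted ssh2 readme text state, plus the general fact that a forwarded agent can be used from the remote host while the session is open.

```javascript
// Added example (not VMS-IDE or ssh2 code): audit an "addConnectConfig" block.
// Rule names are hypothetical; the checks follow this thread and the ssh2
// readme text quoted in it.
function auditConnectConfig(cfg, platform) {
  const findings = [];
  const agent = typeof cfg.agent === 'string' ? cfg.agent : '';
  const handlers = Array.isArray(cfg.authHandler) ? cfg.authHandler : [];

  // A forwarded agent can be used from the remote host for as long as the
  // session is open; the thread shows sync and build work without it.
  if (cfg.agentForward === true) {
    findings.push({ rule: 'agent-forward-enabled',
      fix: 'remove agentForward unless the remote must reach other hosts' });
  }
  // Agent auth or forwarding needs an agent to talk to.
  if (!agent && (cfg.agentForward === true || handlers.includes('agent'))) {
    findings.push({ rule: 'agent-missing', fix: 'set "agent"' });
  }
  // Quoted readme: on Windows the value is 'pageant' or a cygwin socket
  // path, so a bare name such as "openssh" is rejected as an invalid path.
  if (platform === 'win32' && agent && agent !== 'pageant' &&
      !/[\\\/]/.test(agent)) {
    findings.push({ rule: 'agent-not-a-path',
      fix: 'use "pageant" or a real socket path' });
  }
  return findings;
}

// Constructed inputs: the three blocks posted in the thread.
const FIRST_TRY = { agent: 'pageant', agentForward: true, authHandler: ['agent'] };
const OPENSSH_TRY = { agent: 'openssh', agentForward: true, authHandler: ['agent'] };
const FINAL = { agent: 'pageant' };

// Rule names only, defaulting to a Windows client as in the thread.
function ruleNames(cfg, platform = 'win32') {
  return auditConnectConfig(cfg, platform).map((f) => f.rule);
}

for (const [name, cfg] of Object.entries({ FIRST_TRY, OPENSSH_TRY, FINAL })) {
  console.log(name, ruleNames(cfg).join(', ') || 'ok');
}
```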


Post by alister » Wed Nov 15, 2023 12:36 am

Hi again Sergey,

I'm now happily using this and it's working well. Can I please ask, given your comment "At this time VMS-IDE does not recognize that connection has an agent, so it asks for a password. Just press enter and it will go.", is this a feature that is being worked on? It would remove that bit of friction from the workflow if you didn't have to press enter every time :-)


Post by sergey_vorfolomeev » Thu Nov 16, 2023 6:00 am

It is done in the new version, VMS-IDE v.1.5.60.


Post by alister » Thu Nov 16, 2023 8:01 pm

Works like a charm - thank you, Sergey!

PS: For anyone else reading or using this, for each new extension version you have to create the util directory and re-add the pageant.exe communicator from the ssh2 utils - as per Sergey's comment above.
