
Support GPG and smartcard users #827

Closed
vovcacik opened this issue Jul 26, 2017 · 108 comments

Comments

@vovcacik

vovcacik commented Jul 26, 2017

It seems like ssh.exe cannot use gpg-agent.exe, since the latter stores its socket info in the S.gpg-agent.ssh file and you expect it to be a named pipe.

Are there any guidelines on how to use ssh.exe with my authentication GPG key stored on a smartcard?

EDITS:
https://dev.gnupg.org/T3883

@bagajjal
Collaborator

As of now, we don't support this scenario. This will be added to our backlog and will be picked based on the priority.

@manojampalam
Contributor

Is gpg-agent listening on a network socket?

@vovcacik
Author

@manojampalam yes, the gpg-agent creates S.gpg-agent.ssh file with TCP port number it listens on and authorization cookie. I believe this way it is compatible with cygwin environment, but unfortunately not with this project (that is using named pipes).

@vovcacik
Author

vovcacik commented Aug 12, 2017

@bagajjal I understand, thanks.

When you get to it, make sure you work with the official Windows builds available from the gpg ftp (ftp://ftp.gnupg.org/gcrypt/binary/). It is far superior to Gpg4win, but it is a bit hidden out of sight and not advertised at all.

@manojampalam manojampalam changed the title Recommendation for GPG and smartcard users Support GPG and smartcard users Aug 14, 2017
@manojampalam
Contributor

@vovcacik your understanding is correct. On Windows the logical equivalent of Unix domain sockets is named pipes (which inherently provide authorization capabilities). We unfortunately have no alternative way to use smartcards with this version of OpenSSH. It's a feature that we need to implement for Windows.
You'll have to stick with Cygwin for now (if it works).

@coldacid

coldacid commented Dec 7, 2017

Given that UNIX domain sockets are pretty similar to Windows named pipes, I wonder if it'd be possible to create a program that sets up a named pipe that gets assigned to $SSH_AUTH_SOCK and then proxies between that and the socket set up by gpg-agent. I have a couple of concerns about that, though:

  1. Is the protocol used by ssh-agent over named pipes byte-for-byte the same as for ssh-agent over domain sockets? That is, are there endianness issues that need to be considered, or a need to translate between gpg-agent's ssh-agent protocol implementation and Win32-OpenSSH's?
  2. The socket files created by gpg-agent on Windows may match the structure used by Cygwin or MSYS, but don't necessarily do so. For example, on my machine right now S.gpg-agent.ssh only includes a 16-byte cookie, rather than the Cygwin socket header and port number.

@vovcacik
Author

vovcacik commented Dec 7, 2017

My S.gpg-agent.ssh contains the port number and a 16-byte cookie. I am using ftp://ftp.gnupg.org/gcrypt/binary/.

@coldacid

coldacid commented Dec 7, 2017

@vovcacik what version of GPG do you have installed, and is it a Cygwin or MSYS build? They each have their own format for the sock file (or more than one possible format), all of which would need to be supported.

@vovcacik
Author

vovcacik commented Dec 7, 2017

@coldacid it is neither Cygwin-based, MSYS-based nor Gpg4win, but rather the official native build.

gpg (GnuPG) 2.1.21
libgcrypt 1.7.6

@coldacid

coldacid commented Dec 7, 2017

@vovcacik Gpg4win uses the "official native build" as you put it. Could you update to 2.2.3 and see what the socket file looks like afterwards?

@manojampalam
Contributor

The protocol used by the Windows version of ssh-agent is the same as in Unix. So a named pipe to network socket interop adapter should work for your case.

@coldacid

coldacid commented Dec 7, 2017

@manojampalam excellent. I'll take some time this weekend to prototype one out.

@coldacid

I whipped up a quick program that should provide a named pipe connected to gpg-agent but it unfortunately doesn't work. I'm not too good with low-level socket/stream stuff so perhaps someone else can figure out what I'm doing wrong for the actual communication between the pipe and the TCP socket served by gpg-agent.

I've put up the program as a gist: https://gist.github.com/coldacid/6e4e8306bcdc0a8954961454bc2558ee

@coldacid

coldacid commented Dec 10, 2017

Also it looks like $SSH_AUTH_SOCK requires the full pipe name (that is, \\.\pipe\pipename instead of pipename) in order to connect. Otherwise ssh and ssh-add try to open a regular file based on the environment variable's value instead.

[Edit] note to self: described at #669 (comment)

@coldacid

coldacid commented Apr 6, 2018

I've filed a feature request with GnuPG to support named pipes for ssh-agent on their side: https://dev.gnupg.org/T3883

@gpoul

gpoul commented Apr 7, 2018

Just to make sure this is linked here, as it might be interesting context...

https://lists.gnupg.org/pipermail/gnupg-devel/2017-April/032825.html
https://lists.gnupg.org/pipermail/gnupg-devel/2017-April/032829.html
https://lists.gnupg.org/pipermail/gnupg-devel/2017-May/032854.html

Wish you luck!

@coldacid

coldacid commented Apr 7, 2018

It sounds like Werner doesn't want to accept named pipes, but Win32-OpenSSH switching away from them doesn't sound like it'll happen either. Shame that Windows didn't have AF_UNIX sockets from the get-go.

I wonder if it'd be feasible to turn on AF_UNIX support in the ssh client now that it's available since build 17063, and get it enabled in Windows builds of gpg-agent as well. If that could be done without changing/removing existing functionality in both systems, and without requiring users to be on the cutting edge builds of Win10, then it might be a way around this impasse.

@manojampalam
Contributor

@coldacid your adapter in here
https://gist.github.com/coldacid/6e4e8306bcdc0a8954961454bc2558ee
most likely did not work because you are using synchronous pipes. I'll try to write up a native exe in the next couple of days.

@coldacid

@manojampalam I tried async as well, without any change in results. I just never updated the gist with it.

@manojampalam
Contributor

@coldacid got an initial (oversimplified) version posted here https://github.com/manojampalam/ssh-agent-adapter
uds-2-np.exe exposes a Unix Domain Sockets agent over a named pipe. Running it should spit out something like this:
set SSH_AUTH_SOCK=\\.\pipe\usd-2-np-9036
The other utility, np-2-uds.exe, does the reverse and is added just to test the one above. I basically injected these 2 in conjunction between the Windows OpenSSH tools to test E2E.

The IO redirection part works just fine. What's still needed is the logic to read port and cookie from the authentication file. I've put in TODO's in uds-2-np.c indicating the places this logic needs to go to.

@coldacid

@manojampalam I can certainly take a look at the port and cookie stuff this evening.

@coldacid

@manojampalam I started work this evening to parse out the port and cookie info, but my C is pretty rusty and I still need to get the "socket" file name to pass to my new function. Tomorrow evening I'll continue on and see if I can't get all this to work.

By the way, with a deeper dive into gpg-agent, I found that it's not relying on Cygwin or MSYS at all, but rather its own libassuan library to provide the AF_UNIX emulation. This explains the confusion around different possible socket file formats; a Cygwin build would have libassuan think that AF_UNIX sockets are available (and use Cygwin's emulation), an MSYS build could go either way based on environment configuration at build time, and the official Gpg4win builds use libassuan's own emulation. Because of this I considered pulling in libassuan, but figured the cost/benefit ratio was better just writing my own function for this.
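The socket-file layout vovcacik describes above (a port number followed by a 16-byte cookie), the point manojampalam makes that the Windows ssh-agent wire protocol is the Unix one, and the libassuan emulation coldacid traced in this comment are the pieces the uds-2-np adapter has to combine. The Python below is an added illustration of those pieces, not code from this thread, from ssh-agent-adapter or from GnuPG: it parses a libassuan-style S.gpg-agent.ssh file, connects to the loopback port, presents the nonce first, and performs an SSH_AGENTC_REQUEST_IDENTITIES round trip. So that it runs offline it talks to a constructed in-process stand-in for gpg-agent's listener rather than the real agent, and the Windows named-pipe half of the adapter is left out. Assumptions: the file layout is decimal port digits, a newline, then the 16-byte nonce (libassuan's behaviour as I understand it); the key blob and the "cardno:constructed" comment are made-up values.

```python
import os, secrets, socket, struct, tempfile, threading

NONCE_LEN = 16                      # libassuan nonce length
SSH_AGENTC_REQUEST_IDENTITIES = 11  # ssh-agent protocol message types
SSH_AGENT_IDENTITIES_ANSWER = 12

def parse_assuan_socket_file(data):
    """Parse a libassuan socket-emulation file (S.gpg-agent.ssh on Windows):
    TCP port as ASCII decimal digits, a newline, then the 16-byte nonce."""
    nl = data.find(b"\n")
    if nl <= 0 or not data[:nl].isdigit():
        raise ValueError("socket file does not start with a port line")
    port, nonce = int(data[:nl]), data[nl + 1:]
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    if len(nonce) != NONCE_LEN:
        raise ValueError("expected %d-byte nonce, got %d" % (NONCE_LEN, len(nonce)))
    return port, nonce

def connect_assuan_socket(path):
    """Connect to the loopback port and send the nonce first (the listener's only authorisation)."""
    with open(path, "rb") as f:
        port, nonce = parse_assuan_socket_file(f.read())
    sock = socket.create_connection(("127.0.0.1", port))
    sock.sendall(nonce)
    return sock

def ssh_string(b):  # RFC 4251 string: uint32 length followed by the bytes
    return struct.pack(">I", len(b)) + b

def agent_message(msg_type, payload=b""):  # ssh-agent frame: length, type, payload
    return ssh_string(bytes([msg_type]) + payload)

def read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection (wrong nonce?)")
        buf += chunk
    return buf

def read_agent_message(sock):  # returns (type byte, payload)
    body = read_exact(sock, struct.unpack(">I", read_exact(sock, 4))[0])
    return body[0], body[1:]

def take_string(buf, off):  # one RFC 4251 string out of buf at offset off
    n = struct.unpack(">I", buf[off:off + 4])[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def request_identities(sock):
    """SSH_AGENTC_REQUEST_IDENTITIES round trip; returns (key blob, comment) pairs."""
    sock.sendall(agent_message(SSH_AGENTC_REQUEST_IDENTITIES))
    msg_type, payload = read_agent_message(sock)
    if msg_type != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected reply type %d" % msg_type)
    off, keys = 4, []
    for _ in range(struct.unpack(">I", payload[:4])[0]):
        blob, off = take_string(payload, off)
        comment, off = take_string(payload, off)
        keys.append((blob, comment))
    return keys

def start_fake_agent(homedir, identities):
    """Constructed stand-in for gpg-agent's ssh listener (not GnuPG code): writes
    S.gpg-agent.ssh in the layout above, serves one connection, drops a wrong nonce."""
    nonce = secrets.token_bytes(NONCE_LEN)
    listener = socket.create_server(("127.0.0.1", 0))
    path = os.path.join(homedir, "S.gpg-agent.ssh")
    with open(path, "wb") as f:
        f.write(b"%d\n" % listener.getsockname()[1] + nonce)
    def serve():
        conn, _ = listener.accept()
        listener.close()
        with conn:
            if read_exact(conn, NONCE_LEN) != nonce:
                return                           # no reply, just disconnect
            if read_agent_message(conn)[0] == SSH_AGENTC_REQUEST_IDENTITIES:
                payload = struct.pack(">I", len(identities))
                for blob, comment in identities:
                    payload += ssh_string(blob) + ssh_string(comment)
                conn.sendall(agent_message(SSH_AGENT_IDENTITIES_ANSWER, payload))
    threading.Thread(target=serve, daemon=True).start()
    return path

def demo(tamper_nonce=False):
    """Key comments the agent lists, or 'rejected' when the file's nonce was tampered with."""
    key_blob = ssh_string(b"ssh-rsa") + b"\x00" * 8  # constructed, not a real key
    path = start_fake_agent(tempfile.mkdtemp(), [(key_blob, b"cardno:constructed")])
    if tamper_nonce:
        data = bytearray(open(path, "rb").read())
        data[-1] ^= 0xFF
        open(path, "wb").write(bytes(data))
    try:
        with connect_assuan_socket(path) as sock:
            return [comment for _, comment in request_identities(sock)]
    except ConnectionError:
        return "rejected"
```

Calling demo() returns the single constructed comment; demo(tamper_nonce=True) shows the failure mode that a proxy has to surface to the user: a wrong nonce gets the TCP connection closed without any agent reply, which a client that only waits for a framed message would otherwise experience as "stuck".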

@coldacid

I've PR'd some work to parse out the port and cookie from the socket file and to send it across to gpg-agent, but uds-2-np seems to be getting stuck same as my gisted C# program even with my changes.

@coldacid

@manojampalam have you had a chance to look at the work I PR'd to ssh-agent-adapter yet? Perhaps there's something I've overlooked that will make it work.

@manojampalam
Contributor

Not yet @coldacid. Were you able to debug where it's getting stuck? Was there any traffic in and out of the adapter?

Can you point me to instructions to install and use gpg-agent on Windows?

@cyrmax

cyrmax commented Jan 3, 2023

Hello! It seems like I am doing something wrong, because I cannot make it work for me.
I have installed latest win32-openssh, latest gpg (version 2.4.0). I have added "enable-win32-openssh-support" to gpg-agent.conf file.
I have confirmed that there is named pipe \.\pipe\openssh-ssh-agent.
I have created environment variable SSH_AUTH_SOCK at user and system variables with value of "\.\pipe\openssh-ssh-agent".
I have rebooted the PC and started gpg agent with gpg-connect-agent /bye. Checked again that named pipe exists.

And it still does not work.
I have inserted my smartcard and ssh-add -L shows no identities.
gpg --card-status shows my smartcard correctly.

What am I doing wrong? Help me please!

@SamJakob

SamJakob commented Jan 3, 2023

> Hello! Seems like i am doing something wrong, because i cannot make it to work for me. I have installed latest win32-openssh, latest gpg (version 2.4.0). I have added "enable-win32-openssh-support" to gpg-agent.conf file. I have confirmed that there is named pipe .\pipe\openssh-ssh-agent. I have created environment variable SSH_AUTH_SOCK at user and system variables with value of ".\pipe\openssh-ssh-agent". I have rebooted the PC and started gpg agent with gpg-connect-agent /bye. Checked again that named pipe exists.
>
> And it still does not work. I have inserted my smartcard and ssh-add -L shows no identities. gpg --card-status shows my smartcard correctly.
>
> What i am doing wrong? Help me please!

I tried setting this up on another PC and had exactly the same issue. I’m going to take a look at my configuration on the working one and see if I can identify any missing steps.

@colemickens

Two thoughts, first, the pipe path should have two slashes at the front, so \\.\pipe\... rather than \.\pipe\....

Second, maybe check the ssh client version as well? I have been using the latest from github which is often much newer than is available directly through Windows.

@SamJakob

SamJakob commented Jan 4, 2023

Ah yes, per the second point, I uninstalled the bundled OpenSSH from Additional Features in Settings and installed PowerShell/Win32-OpenSSH. This then worked perfectly. (The most recent MSI installer from the releases section did the trick.)

For my case, I guess this beta version should work fine, otherwise it might be worth searching through updates from Windows Update as I believe newer versions of the SSH client might be released there.

EDIT: This was on the second system, where I had already done the configuration outlined in my earlier comment - which I would expect you'd have to do regardless. On the first system, I don't recall ever installing this but it is kept very up-to-date either way, I think I happened to have a more up-to-date build of the SSH client which is why that system worked.

@cyrmax

cyrmax commented Jan 4, 2023

@SamJakob @colemickens

I have removed openssh client optional feature in Windows and then installed openssh from github releases.
Then I have updated gpg4win to latest version.
I have done all steps described in previous comments and it still does not work for me.

Here are several outputs that may tell something.
Help me please!

PS C:\Users\cyrmax> gpg --version
gpg (GnuPG) 2.4.0
libgcrypt 1.10.1
Copyright (C) 2021 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:\Users\cyrmax\AppData\Roaming\gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

PS C:\Users\cyrmax> ssh -V
OpenSSH_for_Windows_9.1p1, LibreSSL 3.6.1


PS C:\Users\cyrmax> gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: <some long id>
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: <correct serial number>
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 1
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: 58DE 6683 8D1C FAD2 2A52  83F3 AEFB 45AC A247 412F
      created ....: 2022-07-18 17:13:04
Encryption key....: 7928 343C B864 670E 7CFF  A32D C4B2 51F3 22A9 6F16
      created ....: 2022-07-18 17:13:04
Authentication key: 1B7B 98DD 9F21 A7F2 B86A  16F3 4202 57F9 415A CC48
      created ....: 2022-07-18 17:41:13
General key info..: pub  rsa4096/AEFB45ACA247412F 2022-07-18 Kirill Belousov <[email protected]>
sec>  rsa4096/AEFB45ACA247412F  created: 2022-07-18  expires: never
                                card-no: 0006 18057313
ssb>  rsa4096/C4B251F322A96F16  created: 2022-07-18  expires: never
                                card-no: 0006 18057313
ssb>  rsa4096/420257F9415ACC48  created: 2022-07-18  expires: never
                                card-no: 0006 18057313


PS C:\Users\cyrmax> (get-childitem \\.\pipe\).FullName | select-string "openssh-ssh-agent"
\\.\pipe\openssh-ssh-agent


PS C:\Users\cyrmax> echo $env:SSH_AUTH_SOCK
\\.\pipe\openssh-ssh-agent


PS C:\Users\cyrmax> ssh-add -L
The agent has no identities.

And there are my config files:

gpg.conf:
use-agent


gpg-agent.conf:
enable-putty-support
enable-ssh-support
enable-win32-openssh-support
default-cache-ttl 300
default-cache-ttl-ssh 600
max-cache-ttl 1200
max-cache-ttl-ssh 1200

sshcontrol file contains the ID of my keygrip.

With wsl-ssh-pageant everything worked, but I decided to get rid of the intermediate program and use the new features of gpg4win and openssh, and now it is not working.

@Anon-4

Anon-4 commented Jan 23, 2023

> I have removed openssh client optional feature in Windows and then installed openssh from github releases.
> Then I have updated gpg4win to latest version.
> I have done all steps described in previous comments and it still does not work for me.

I'm having the exact same problem. All the way down to the output and config files. I still have no idea what I'm doing wrong.

@thxkiwi

thxkiwi commented Jan 24, 2023

@Anon-4 I'm not affiliated with the project, just another user. I was able to get Windows 11 working with no extra software other than the openssh provided with Windows 11 and gpg4win/Kleopatra.

Windows 10 didn't go as smoothly because the \.\pipe\ pipe/socket was not created without some coercion. For that I needed wsl-ssh-pageant and to run it on login (via shell:startup) with the following arguments: -systray -winssh openssh-ssh-agent

In each case (Windows 10, Windows 11) I observed that some gpg process must first run to initialize the agent. Starting Kleopatra at startup (to run in the system tray) seems to be enough.

Happy to compare configs and outcomes with you if it helps get you going.

@Anon-4

Anon-4 commented Jan 25, 2023

Hey @thxkiwi!

Thanks for your help on this. I forgot to mention that I'm on Windows 11 in my previous comment - although I'm thinking it won't make a difference. I looked a bit further into it and it looks like I am running into an issue with the pipe creation - just like your windows 10 case.

I turned on logging for the gpg-agent and I got this:

2023-01-25 12:22:44 gpg-agent[15336] listening on socket 'C:\\Users\\anon\\AppData\\Local\\gnupg\\S.gpg-agent'
2023-01-25 12:22:44 gpg-agent[15336] listening on socket 'C:\\Users\\anon\\AppData\\Local\\gnupg\\S.gpg-agent.extra'
2023-01-25 12:22:44 gpg-agent[15336] listening on socket 'C:\\Users\\anon\\AppData\\Local\\gnupg\\S.gpg-agent.browser'
2023-01-25 12:22:44 gpg-agent[15336] listening on socket 'C:\\Users\\anon\\AppData\\Local\\gnupg\\S.gpg-agent.ssh'
2023-01-25 12:22:44 gpg-agent[15336] gpg-agent (GnuPG) 2.4.0 started
2023-01-25 12:22:44 gpg-agent[15336] Win32-OpenSSH thread started
2023-01-25 12:22:44 gpg-agent[15336] putty message loop thread started
2023-01-25 12:22:44 gpg-agent[15336] cannot create pipe: 5
2023-01-25 12:22:44 gpg-agent[15336] Win32-OpenSSH thread stopped

Running the ssh-add -l command will result in the output: The agent has no identities.

I have tried manually setting SSH_AUTH_SOCK to \\.\pipe\openssh-ssh-agent via the Windows control panel for my user, then the system, and then both, to no avail. I've since removed both entries though.

Although, if I run gpg-agent.exe (calling the program directly, instead of using gpg-connect-agent /bye) straight from an Administrator CMD Prompt, the pipe gets created with no problems. Running ssh-add -l works fine too and I can ssh into my server perfectly fine.

❯ gpg-agent.exe --homedir C:\Users\anon\AppData\Roaming\gnupg --enable-win32-openssh-support --daemon -vv
gpg-agent[16924]: listening on socket 'C:\\Users\\anon\\AppData\\Local\\gnupg\\S.gpg-agent'
gpg-agent[16924]: listening on socket 'C:\\Users\\anon\\AppData\\Local\\gnupg\\S.gpg-agent.extra'
gpg-agent[16924]: listening on socket 'C:\\Users\\anon\\AppData\\Local\\gnupg\\S.gpg-agent.browser'
gpg-agent[16924]: listening on socket 'C:\\Users\\anon\\AppData\\Local\\gnupg\\S.gpg-agent.ssh'
gpg-agent[16924]: gpg-agent (GnuPG) 2.4.0 started
gpg-agent[16924]: putty message loop thread started
gpg-agent[16924]: Win32-OpenSSH thread started

This is what confuses me. Do you think I have some sort of permission problem?

Here are my configs and other metadata:

gpg-agent.conf:

enable-ssh-support
enable-putty-support
enable-win32-openssh-support
default-cache-ttl 600
max-cache-ttl 7200
#debug-level 4
##log-file C:\Users\anon\Desktop\log.log

Versions:

❯ gpg --version
gpg (GnuPG) 2.4.0
libgcrypt 1.10.1
Copyright (C) 2021 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:\Users\Jonar\AppData\Roaming\gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
❯ ssh -V
OpenSSH_for_Windows_9.1p1, LibreSSL 3.6.1

Thanks for your help again!

@SamJakob

SamJakob commented Jan 25, 2023

@Anon-4 (also not affiliated with project, just a user interested in getting this working repeatably and consistently)
Do you notice anything out of the ordinary with file permissions and does everything work properly when you start gpg-connect-agent as Administrator?

I have a working system I can compare things to, I have a non-working system I was attempting to set up at one point but no longer need and it's not very convenient to access but could access if need be.

Edit: both systems are Windows 11, but unless the problem actually appears to be from OpenSSH's end, I suspect whether the system is Windows 10 or 11 doesn't matter, and one can update OpenSSH manually if need be either way.

@thxkiwi

thxkiwi commented Jan 26, 2023

@Anon-4 [Preface: I am not a "Windows developer" so help me help you] I'll turn on logging for gpg-agent and we can compare. What are you doing to enable gpg-agent logging? I've tried using log-file in gpg-agent.conf and got nothing. I've turned on logging via Kleopatra and only get gpg log messages.

UPDATE: Adding software versions

gpg (GnuPG) 2.4.0
libgcrypt 1.10.1
Copyright (C) 2021 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:\Users\User\AppData\Roaming\gnupg
Supported algorithms:
Pubkey: RSA (1), ELG (16), DSA (17), ECDH (18), ECDSA (19), EDDSA (22)
Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7),
        AES192 (S8), AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11),
        CAMELLIA192 (S12), CAMELLIA256 (S13)
Hash: SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9), SHA512 (H10),
      SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
PS C:\Users\User\AppData\Roaming\gnupg> ssh -V
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

Are you running Windows 11 22H2? I'm still on 21H2 just FWIW.

@while0x1

while0x1 commented Jan 26, 2023

I followed the thread and was able to get an SSH session to log in using the yubikey. Interestingly it only works once.. after you log out of the SSH session and try again it does not work a second time. You need to redo the whole procedure or -->

I noticed you can get it to work without having to stop and restart gpg-agent.exe --homedir... by just entering gpg-connect-agent /bye TWICE in a non-elevated user powershell session.. I would really like to be able to automate the whole procedure in a task or preferably just have it work without any user/script interaction.. but I suppose that's the point of it being a dev release..

@Anon-4

Anon-4 commented Jan 26, 2023

Hey all! Thanks so much for your help on this!

@SamJakob To my knowledge, I'm not aware of any out-of-the-ordinary file permissions concerning anything gpg related. I've checked the permissions of "C:\Program Files (x86)\GnuPG" and Administrators have Full Control, however Users don't. I'm not sure of the impact of it though, because my user account is an Administrator account (although I'm not really familiar with Windows' permission system - I only have a background with Mac and Linux, so please take my advice with a grain of salt). Everything does work properly when I run gpg-agent-connect /bye through an Administrator Prompt. I actually should have tried that first lol. Maybe reinstalling GPG might be an option? What do you think?

@thxkiwi Same I came from Mac/Linux HAHAHA so that's why this thing is so confusing to me. Maybe you forgot to add the debug-level option? What I did to enable logging for the gpg-agent was just appending log-file C:\Users\anon\Desktop\log.log as well as debug-level 4 to my gpg-agent.conf file. Also yeah I forgot to mention that I'm currently on 22H2.

debug-level 4
log-file C:\Users\anon\Desktop\log.log

@while0x1 That is pretty interesting though. I've tried entering gpg-connect-agent /bye twice like you did in a non-elevated powershell prompt, to no avail. Maybe it is something to do with my config? I'm not too sure though.

@SamJakob

@Anon-4 I was referring to the Local/gnupg folder - I’m wondering if it’s maybe some discrepancy between accounts made with a microsoft account vs a local account as that’s the only difference I can think of…

@Anon-4

Anon-4 commented Jan 26, 2023

@SamJakob Oh yeah that's my bad HAHAHA. I double checked C:\Users\anon\AppData\Roaming\gnupg just then and the System, Administrators and my own user have full control permissions. The account difference is interesting. I never thought of it that way. I'll make a local account and get back to you with results.

@Anon-4

Anon-4 commented Jan 26, 2023

@SamJakob I made a local account and it seems to be the exact same result :(

Here's the log from my test account:

2023-01-26 22:46:54 gpg-agent[26508] listening on socket 'C:\\Users\\test\\AppData\\Local\\gnupg\\S.gpg-agent'
2023-01-26 22:46:54 gpg-agent[26508] listening on socket 'C:\\Users\\test\\AppData\\Local\\gnupg\\S.gpg-agent.extra'
2023-01-26 22:46:54 gpg-agent[26508] listening on socket 'C:\\Users\\test\\AppData\\Local\\gnupg\\S.gpg-agent.browser'
2023-01-26 22:46:55 gpg-agent[26508] listening on socket 'C:\\Users\\test\\AppData\\Local\\gnupg\\S.gpg-agent.ssh'
2023-01-26 22:46:55 gpg-agent[26508] gpg-agent (GnuPG) 2.4.0 started
2023-01-26 22:46:55 gpg-agent[26508] putty message loop thread started
2023-01-26 22:46:55 gpg-agent[26508] Win32-OpenSSH thread started
2023-01-26 22:46:55 gpg-agent[26508] cannot create pipe: 5
2023-01-26 22:46:55 gpg-agent[26508] Win32-OpenSSH thread stopped

@kaylynb

kaylynb commented Feb 1, 2023

@Anon-4

I know you said you removed the windows version of OpenSSH but try running:

Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

I found on my system that OpenSSH.Client~~~~0.0.1.0 was Present, even though I don't remember installing it and I thought I'd checked before installing the latest version from GitHub. I probably just misread the output before and just noticed now.

Once I removed this for sure, I went from having the exact same problem (cannot create pipe: 5) to having it work after a restart.


Some more details:

I noticed when running ls \\.\pipe\, that openssh-ssh-agent was created on login, even though I never started the gpg agent. Error 5 is access denied, and according to documentation that should only happen if a pipe was created by a program with certain properties differing from expected. I couldn't find any program holding the pipe open though.

If I ran gpg-agent manually in an elevated shell ssh appeared to work properly in an elevated shell as well. In a non-elevated shell ssh only worked every other time.

After removing the builtin ssh client and restarting, the pipe isn't getting created on login and instead is only created when the gpg agent runs via something like gpg-connect-agent /bye or gpg --card-status.

@thxkiwi

thxkiwi commented Feb 10, 2023

Coming back to this on a Windows 11 22H2 machine, I now get what others have been experiencing: "invalid format" resulting from ssh-add -L when using SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

I observe, similarly to @kaylynb , the \\.\pipe\openssh-ssh-agent socket is not created by gpg-agent.

I observe that gpgconf --list-dirs agent-ssh-socket shows the AppData\Local\gnupg\S.gpg-agent.ssh location.

ssh -V
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3

UPDATE

I've tried using what previously worked for me in #827 (comment) but now get

error fetching identities: agent refused operation

@thxkiwi

thxkiwi commented Feb 11, 2023

My Windows 11 22H2 Issues Resolved

Software Installed

  • gpg4win / Kleopatra
gpg --version
gpg (GnuPG) 2.4.0
libgcrypt 1.10.1
Copyright (C) 2021 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:\Users\MichaelKiwiNgarimu\AppData\Roaming\gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

gpgconf -V
* GnuPG 2.4.0 (c0556edb8)
MingW32
Windows 10.0 build 22621

* Libgcrypt 1.10.1 (ae0e5678)
version:1.10.1:10a01:1.46:12e00:
cc:80300:gcc:8.3-win32 20190406:
ciphers:arcfour:blowfish:cast5:des:aes:twofish:serpent:rfc2268:seed:camellia:idea:salsa20:gost28147:chacha20:sm4:
pubkeys:dsa:elgamal:rsa:ecc:
digests:crc:gostr3411-94::md4:md5:rmd160:sha1:sha256:sha512:sha3:tiger:whirlpool:stribog:blake2:sm3:
rnd-mod:w32:
cpu-arch:x86:
mpi-asm:i386/mpih-add1.S:i386/mpih-sub1.S:i386/mpih-mul1.S:i386/mpih-mul2.S:i386/mpih-mul3.S:i386/mpih-lshift.S:i386/mpih-rshift.S:
hwflist:intel-cpu:intel-bmi2:intel-ssse3:intel-sse4.1:intel-pclmul:intel-aesni:intel-rdrand:intel-avx:intel-avx2:intel-fast-vpgather:intel-rdtsc:intel-shaext:intel-vaes-vpclmul:
fips-mode:n:::
rng-type:standard:1:3030000:1:
compliance:::

* GpgRT 1.46 (ea03187)

* Libassuan 2.5.5 (f8cfb56)

* KSBA 1.6.3 (bffa9b3)

* NTBTLS 0.3.1 (802494e)

  • OpenSSH
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'
Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : NotPresent

ssh -V
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3

gpg.conf

None

gpg-agent.conf

debug-level 4
log-file c:\Users\Me\.gnupg\gpg-agent.log
enable-ssh-support
enable-putty-support
enable-win32-openssh-support
use-standard-socket

sshcontrol

Created using the output from

gpg --list-secret-keys --with-keygrips

Copy and paste the key grip of the authentication key into the file. Include a newline after the 40-byte key grip ID.

Running gpg-agent

  • Run gpg-connect-agent /bye as your user
    • Do not run gpg-agent or gpg-connect-agent elevated

Errors and How I Resolved Them

access denied

  • I would get this if I ran gpg-agent/gpg-connect-agent elevated

invalid format

  • Seems to be when $env:SSH_AUTH_SOCK is using the $(gpgconf --list-dirs agent-ssh-socket)
    • Solution: manually set $env:SSH_AUTH_SOCK="\\.\pipe\openssh-ssh-agent"

agent refused operation

  • gpg-agent.log shows 2023-02-11 03:33:59 gpg-agent[14932] ssh request identities failed: Line too long <GPG Agent>
  • Initially I created sshcontrol using echo <value> >> sshcontrol
    • Maybe this puts an extra non-printable character or something somewhere in the file
    • I recreated an empty file in VSCode, added the contents as described above and saved it as sshcontrol
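Several of the failures reported in this thread come down to local configuration rather than the agent itself: the single-backslash pipe path colemickens pointed out, a gpg-agent.conf missing one of the options every working config here sets, and an sshcontrol file created with PowerShell redirection (the "Line too long" behind "agent refused operation" above). The Python below is an added linter for exactly those three inputs; it is not part of this thread, of Win32-OpenSSH or of GnuPG. It assumes GnuPG's Windows home directory is %APPDATA%\gnupg (the Home: line in the outputs above), that sshcontrol holds one 40-hex-digit keygrip per line with optional fields after it and "#" or "!" lines to skip, and that Windows PowerShell 5.x writes UTF-16LE when you redirect with ">>". It does not check the ssh-agent service state or the Windows OpenSSH capability; the PowerShell commands earlier in the thread cover those.

```python
import re

PIPE_PREFIX = "\\\\.\\pipe\\"      # the \\.\pipe\ form ssh expects
BAD_PIPE_PREFIX = "\\.\\pipe\\"    # single leading backslash: ssh treats it as a file path
KEYGRIP_RE = re.compile(rb"[0-9A-Fa-f]{40}")

def check_auth_sock(value):
    """Findings for an SSH_AUTH_SOCK value (empty list means it looks right)."""
    if not value:
        return ["SSH_AUTH_SOCK is empty"]
    if value.startswith(BAD_PIPE_PREFIX):
        return ["SSH_AUTH_SOCK has a single leading backslash; use %s..." % PIPE_PREFIX]
    if not value.startswith(PIPE_PREFIX):
        return ["SSH_AUTH_SOCK is not a %s path (the gpgconf --list-dirs agent-ssh-socket "
                "value is the libassuan file, not the pipe)" % PIPE_PREFIX]
    return []

def check_agent_conf(text):
    """Findings for gpg-agent.conf text: the options the working configs in the thread set."""
    opts = {line.split()[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}
    return ["gpg-agent.conf lacks " + o
            for o in ("enable-ssh-support", "enable-win32-openssh-support") if o not in opts]

def check_sshcontrol(data):
    """Findings for the raw bytes of sshcontrol: encoding debris and malformed keygrips."""
    if data.startswith(b"\xff\xfe") or b"\x00" in data:
        return ["sshcontrol is UTF-16 (Windows PowerShell 5.x '>>' writes UTF-16LE by default); "
                "recreate it as plain ASCII"]
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("sshcontrol starts with a UTF-8 BOM")
        data = data[3:]
    if data and not data.endswith(b"\n"):
        findings.append("sshcontrol has no newline after the last keygrip")
    grips = 0
    for n, raw in enumerate(data.splitlines(), 1):
        fields = raw.strip().split()
        if not fields or fields[0].startswith((b"#", b"!")):   # comment or disabled entry
            continue
        if KEYGRIP_RE.fullmatch(fields[0]):
            grips += 1
        else:
            findings.append("sshcontrol line %d: %r is not a 40-hex-digit keygrip" % (n, fields[0]))
    if grips == 0:
        findings.append("sshcontrol lists no keygrip (the working setups list the authentication key's grip)")
    return findings

def run_checks(auth_sock, agent_conf_text, sshcontrol_bytes):
    """All three checks; an empty list means the setup matches what worked in this thread."""
    return (check_auth_sock(auth_sock) + check_agent_conf(agent_conf_text)
            + check_sshcontrol(sshcontrol_bytes))

if __name__ == "__main__":
    import os
    home = os.path.join(os.environ.get("APPDATA", ""), "gnupg")   # GnuPG's default Windows homedir
    with open(os.path.join(home, "gpg-agent.conf"), encoding="utf-8", errors="replace") as f:
        conf = f.read()
    with open(os.path.join(home, "sshcontrol"), "rb") as f:
        ctl = f.read()
    for finding in run_checks(os.environ.get("SSH_AUTH_SOCK", ""), conf, ctl) or ["no findings"]:
        print(finding)
```

The sshcontrol check reads bytes rather than text on purpose: the UTF-16 case is invisible once a file has been decoded, and NUL bytes are exactly what makes the agent see one very long line.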

@j1g5awi

j1g5awi commented Mar 17, 2023

My Issues Resolved

DISABLE the openssh ssh-agent Windows service IS IMPORTANT

@cyrmax @Anon-4 @SamJakob Have you solved this problem?

I have met the same problem: I get "The agent has no identities." from ssh-add -l anyway. I think I need some help.

There is my env below:

Windows 11

22H2 22621.1413

GPG

 gpg --version

gpg (GnuPG) 2.4.0
libgcrypt 1.10.1
Copyright (C) 2021 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:\Users\Admin\.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

 gpgconf -V

* GnuPG 2.4.0 (c0556edb8)
MingW32
Windows 10.0 build 22621

* Libgcrypt 1.10.1 (ae0e5678)
version:1.10.1:10a01:1.46:12e00:
cc:80300:gcc:8.3-win32 20190406:
ciphers:arcfour:blowfish:cast5:des:aes:twofish:serpent:rfc2268:seed:camellia:idea:salsa20:gost28147:chacha20:sm4:
pubkeys:dsa:elgamal:rsa:ecc:
digests:crc:gostr3411-94::md4:md5:rmd160:sha1:sha256:sha512:sha3:tiger:whirlpool:stribog:blake2:sm3:
rnd-mod:w32:
cpu-arch:x86:
mpi-asm:i386/mpih-add1.S:i386/mpih-sub1.S:i386/mpih-mul1.S:i386/mpih-mul2.S:i386/mpih-mul3.S:i386/mpih-lshift.S:i386/mpih-rshift.S:
hwflist:intel-cpu:intel-fast-shld:intel-bmi2:intel-ssse3:intel-sse4.1:intel-pclmul:intel-aesni:intel-rdrand:intel-avx:intel-avx2:intel-fast-vpgather:intel-rdtsc:
fips-mode:n:::
rng-type:standard:1:3030000:1:
compliance:::

* GpgRT 1.46 (ea03187)

* Libassuan 2.5.5 (f8cfb56)

* KSBA 1.6.3 (bffa9b3)

* NTBTLS 0.3.1 (802494e)

gpg-agent.conf

###+++--- GPGConf ---+++###
enable-ssh-support
enable-putty-support
enable-win32-openssh-support
use-standard-socket

OpenSSH

OpenSSH_for_Windows_9.2p1, LibreSSL 3.6.1

@thxkiwi

thxkiwi commented Mar 23, 2023

@j1g5awi

  1. Have you stopped the openssh ssh-agent Windows service?
PS> Get-Service ssh-agent

Status   Name               DisplayName
------   ----               -----------
Stopped  ssh-agent          OpenSSH Authentication Agent
  2. Have you ensured that gpg-agent is running?
PS> gpg-connect-agent "killagent" /bye
OK closing connection
PS> gpg-connect-agent /bye
gpg-connect-agent: no running gpg-agent - starting 'C:\\Program Files (x86)\\GnuPG\\bin\\gpg-agent.exe'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to the agent established

If you're still not seeing any keys output from ssh-add -L then try getting gpg-agent logs (see my earlier comment above). The same comment lists the errors that I encountered and how I resolved them. I hope some of this helps you.
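
The two checks above, plus the pipe and elevation questions raised later in this thread, collected into one diagnostic. This is an added example, not code from this thread, from Win32-OpenSSH or from GnuPG; it assumes the default pipe name \\.\pipe\openssh-ssh-agent (the value ssh-add reports in SSH_AUTH_SOCK above) and that gpgconf and gpg-connect-agent are on PATH. Run it from a non-elevated PowerShell, the same shell you run ssh from.

```powershell
# Added diagnostic (not part of Win32-OpenSSH or GnuPG) for the preconditions
# discussed in this thread: ssh-agent service stopped, shell not elevated,
# gpg-agent.conf bridging to Win32-OpenSSH, gpg-agent running, pipe present.

function Test-IsElevated {
    # gpg-agent started from an elevated shell cannot create the per-user pipe
    # (the "cannot create pipe: 5" = ERROR_ACCESS_DENIED symptom seen in this thread).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-NamedPipe {
    param([string]$Name = 'openssh-ssh-agent')   # assumed default pipe name
    # The pipe namespace can be enumerated like a directory; compare on the leaf name.
    $leaves = [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { [System.IO.Path]::GetFileName($_) }
    return [bool]($leaves -contains $Name)
}

function Get-GnupgHome {
    # gpgconf reports the effective home directory even when GNUPGHOME is unset.
    $dir = & gpgconf --list-dirs homedir 2>$null | Select-Object -First 1
    if ($dir) { return $dir.Trim() }
    return (Join-Path $env:APPDATA 'gnupg')      # assumed fallback location
}

function Test-GpgSshAgentSetup {
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
    }

    # 1. The Microsoft ssh-agent service must not own the pipe.
    $svc = Get-Service -Name ssh-agent -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Add-Check 'ssh-agent service' $true 'service not installed'
    } else {
        Add-Check 'ssh-agent service' ($svc.Status -eq 'Stopped') "Status=$($svc.Status) StartType=$($svc.StartType)"
    }

    # 2. Not elevated: gpg-agent inherits this token and would fail to create the pipe.
    Add-Check 'shell not elevated' (-not (Test-IsElevated)) 'gpg-agent inherits the shell token'

    # 3. gpg-agent.conf must contain enable-win32-openssh-support.
    $conf = Join-Path (Get-GnupgHome) 'gpg-agent.conf'
    $hasOpt = (Test-Path $conf) -and [bool](Select-String -Path $conf -Pattern '^\s*enable-win32-openssh-support\s*$' -Quiet)
    Add-Check 'enable-win32-openssh-support' $hasOpt $conf

    # 4. gpg-agent running; start it the same way the thread does if it is not.
    if (-not (Get-Process -Name gpg-agent -ErrorAction SilentlyContinue)) {
        & gpg-connect-agent /bye 2>$null | Out-Null
    }
    $running = [bool](Get-Process -Name gpg-agent -ErrorAction SilentlyContinue)
    Add-Check 'gpg-agent process' $running 'gpg-agent.exe'

    # 5. The pipe ssh/ssh-add connect to must now exist (created by gpg-agent's
    #    Win32-OpenSSH thread, see the "Win32-OpenSSH thread started" log line).
    Add-Check 'pipe \\.\pipe\openssh-ssh-agent' (Test-NamedPipe) 'listed under \\.\pipe\'

    return $checks
}

Test-GpgSshAgentSetup | Format-Table -AutoSize
```

A failed first row is fixed from an elevated prompt with Stop-Service ssh-agent followed by Set-Service ssh-agent -StartupType Disabled (the thread's "DISABLE the service" advice), after which the diagnostic must be rerun from a normal, non-elevated window so that the gpg-agent it starts owns the pipe.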

@j1g5awi

j1g5awi commented Mar 24, 2023

@thxkiwi Thanks for your help!

I got logs below:

2023-03-24 11:04:32 gpg-agent[10616] listening on socket 'C:\\Users\\Admin\\AppData\\Local\\gnupg\\d.mq77ymnxxdn7hyts\\S.gpg-agent'
2023-03-24 11:04:32 gpg-agent[10616] listening on socket 'C:\\Users\\Admin\\AppData\\Local\\gnupg\\d.mq77ymnxxdn7hyts\\S.gpg-agent.extra'
2023-03-24 11:04:32 gpg-agent[10616] listening on socket 'C:\\Users\\Admin\\AppData\\Local\\gnupg\\d.mq77ymnxxdn7hyts\\S.gpg-agent.browser'
2023-03-24 11:04:32 gpg-agent[10616] listening on socket 'C:\\Users\\Admin\\AppData\\Local\\gnupg\\d.mq77ymnxxdn7hyts\\S.gpg-agent.ssh'
2023-03-24 11:04:32 gpg-agent[10616] gpg-agent (GnuPG) 2.4.0 started
2023-03-24 11:04:32 gpg-agent[10616] putty message loop thread started
2023-03-24 11:04:32 gpg-agent[10616] Win32-OpenSSH thread started
2023-03-24 11:04:32 gpg-agent[10616] cannot create pipe: 5
2023-03-24 11:04:32 gpg-agent[10616] Win32-OpenSSH thread stopped
2023-03-24 11:04:32 gpg-agent[10616] DBG: chan_0x000002b8 -> OK Pleased to meet you
2023-03-24 11:04:32 gpg-agent[10616] DBG: chan_0x000002b8 <- RESET
2023-03-24 11:04:32 gpg-agent[10616] DBG: chan_0x000002b8 -> OK
2023-03-24 11:04:32 gpg-agent[10616] DBG: chan_0x000002b8 <- killagent
2023-03-24 11:04:32 gpg-agent[10616] DBG: chan_0x000002b8 -> OK closing connection
2023-03-24 11:04:32 gpg-agent[10616] secmem usage: 0/32768 bytes in 0 blocks

Do you know what it means?

@thxkiwi

thxkiwi commented Mar 24, 2023

I think "5" relates to a Windows HRESULT "ERROR_ACCESS_DENIED". I saw that error when I was running gpg-agent with elevated privileges. Are you running gpg-agent with elevated privileges, or as administrator?

@j1g5awi

j1g5awi commented Mar 24, 2023

I just installed gpg4win from their official website, opened Kleopatra from the Desktop icon, and never saw any prompt for elevating privileges.

@char-46

char-46 commented May 23, 2023

Eh, I think I met another question.
When I type ssh-add -L, the error message The agent has no identities and the correct message ssh-sth here (none) appear alternately.


My Environment:

Windows 11 22H2 (OS 22621.1702)

gpg-agent run as Administrator

PS> gpg --version
gpg (GnuPG) 2.4.0
libgcrypt 1.10.1
Copyright (C) 2021 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:\Users\Me\AppData\Roaming\gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

PS> gpgconf -V
* GnuPG 2.4.0 (c0556edb8)
MingW32
Windows 10.0 build 22621

* Libgcrypt 1.10.1 (ae0e5678)
version:1.10.1:10a01:1.46:12e00:
cc:80300:gcc:8.3-win32 20190406:
ciphers:arcfour:blowfish:cast5:des:aes:twofish:serpent:rfc2268:seed:camellia:idea:salsa20:gost28147:chacha20:sm4:
pubkeys:dsa:elgamal:rsa:ecc:
digests:crc:gostr3411-94::md4:md5:rmd160:sha1:sha256:sha512:sha3:tiger:whirlpool:stribog:blake2:sm3:
rnd-mod:w32:
cpu-arch:x86:
mpi-asm:i386/mpih-add1.S:i386/mpih-sub1.S:i386/mpih-mul1.S:i386/mpih-mul2.S:i386/mpih-mul3.S:i386/mpih-lshift.S:i386/mpih-rshift.S:
hwflist:intel-bmi2:intel-ssse3:intel-sse4.1:intel-pclmul:intel-aesni:intel-rdrand:intel-avx:intel-avx2:intel-rdtsc:intel-shaext:intel-vaes-vpclmul:
fips-mode:n:::
rng-type:standard:1:3030000:1:
compliance:::

* GpgRT 1.46 (ea03187)

* Libassuan 2.5.5 (f8cfb56)

* KSBA 1.6.3 (bffa9b3)

* NTBTLS 0.3.1 (802494e)

PS> ssh -V
OpenSSH_for_Windows_9.2p1, LibreSSL 3.7.2

PS> Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'


Name  : OpenSSH.Client~~~~0.0.1.0
State : NotPresent

Name  : OpenSSH.Server~~~~0.0.1.0
State : NotPresent

PS> echo $env:SSH_AUTH_SOCK
\\.\pipe\openssh-ssh-agent

gpg.conf

use-agent

gpg-agent.conf

debug-level 4
log-file c:\Users\Me\gpg\gpg-agent.log
enable-ssh-support
enable-putty-support
enable-win32-openssh-support

keygrip from gpg --list-secret-keys --with-keygrip is in sshcontrol

@namelessmasses

I just installed gpg4win from their official website, opened Kleopatra from the Desktop icon, and never saw any prompt for elevating privileges.

I would see that error if I was running gpg-agent or gpg-connect-agent elevated.

@namelessmasses

Eh, I think I met another question. When I type ssh-add -L, the error message The agent has no identities and the correct message ssh-sth here (none) appear alternately.
...

PS> echo $env:SSH_AUTH_SOCK
\.\pipe\openssh-ssh-agent


Does the pipe exist?

gpg-agent.conf

debug-level 4
log-file c:\Users\Me\gpg\gpg-agent.log
enable-ssh-support
enable-putty-support
enable-win32-openssh-support

Have you checked the logs for any errors?

keygrip from gpg --list-secret-keys --with-keygrip is in sshcontrol

Is this file formatted correctly? I found sshcontrol to be quite finicky. Check the file contents against the documented format for sshcontrol (https://www.gnupg.org/documentation/manuals/gnupg/Agent-Configuration.html)

@piotrpdev

  1. Have you stopped the openssh ssh-agent Windows service?
PS> Get-Service ssh-agent

Status   Name               DisplayName
------   ----               -----------
Stopped  ssh-agent          OpenSSH Authentication Agent

Thanks for this, I stopped the service and it fixed my issues :)

It was also set to "Automatic" startup for some reason so I disabled it.

@lislon

lislon commented May 29, 2024

I want to add that if you encounter the issue ssh request identities failed: Line too long <GPG Agent>, make sure that
sshcontrol (in my case c:/Users/USER/AppData/Roaming/gnupg/sshcontrol) ends with a Unix line ending \n. Even if it contains just a single keygrip, it should have a new-line character at the end.
Reference: https://github.com/gpg/gnupg/blob/9adaa79ab43e2f87178b8ee5ab1a353cba384606/g10/tdbdump.c#L160-L161
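
The sshcontrol pitfalls reported in this thread (the "Line too long" error after creating the file with echo >> in PowerShell, and the missing trailing newline noted just above) are both byte-level problems, so the check belongs at the byte level. The following is an added example, not code from this thread or from GnuPG: it validates an sshcontrol file against the entry format in the GnuPG manual linked earlier (one keygrip of 40 hex digits per line, optional "!" prefix to disable an entry, optional TTL and flags, "#" comments) and appends keygrips without the encoding trap. It assumes the default location %APPDATA%\gnupg\sshcontrol unless -Path is given. The UTF-16 explanation is a fact about Windows PowerShell 5.1, whose >> redirection writes UTF-16 LE text; it is the likely cause of the echo >> report above, not something the thread itself established.

```powershell
# Added example (not from the thread or GnuPG): lint an sshcontrol file the way
# gpg-agent will read it (raw bytes, LF-terminated lines) and append keygrips safely.

function Test-SshControlFile {
    param([string]$Path = (Join-Path $env:APPDATA 'gnupg\sshcontrol'))  # assumed default path
    $problems = New-Object System.Collections.Generic.List[string]
    $keygrips = New-Object System.Collections.Generic.List[string]
    if (-not (Test-Path $Path)) {
        $problems.Add("file not found: $Path")
        return [pscustomobject]@{ Path = $Path; Valid = $false; Problems = $problems; Keygrips = $keygrips }
    }
    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # Encoding checks. gpg-agent reads bytes, so a BOM or UTF-16 code units corrupt
    # the first line. Windows PowerShell 5.1 ">>" writes UTF-16 LE (BOM FF FE).
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $problems.Add('UTF-16 LE BOM (FF FE): rewrite the file as ASCII/UTF-8 without BOM')
    } elseif ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems.Add('UTF-8 BOM (EF BB BF): rewrite the file without BOM')
    }
    if ($bytes -contains 0)    { $problems.Add('NUL bytes present (UTF-16 text?)') }
    if ($bytes -contains 0x0D) { $problems.Add('CR bytes present: use LF-only line endings') }
    if ($bytes.Length -gt 0 -and $bytes[-1] -ne 0x0A) { $problems.Add('last line lacks a terminating LF') }

    # Per-line grammar: optional '!' (disabled entry), 40 hex digits, optional TTL, optional flags.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    $lineNo = 0
    foreach ($line in ($text -split "`n")) {
        $lineNo++
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        if ($t -match '^(!?)([0-9A-Fa-f]{40})(\s+\d+(\s+\S+)*)?$') {
            if ($Matches[1] -eq '') { $keygrips.Add($Matches[2].ToUpper()) }   # active entries only
        } else {
            $problems.Add("line ${lineNo}: not a keygrip entry: '$t'")
        }
    }
    return [pscustomobject]@{ Path = $Path; Valid = ($problems.Count -eq 0); Problems = $problems; Keygrips = $keygrips }
}

function Add-SshControlKeygrip {
    # Appends one keygrip as ASCII with an LF terminator, repairing a missing final LF first.
    param([Parameter(Mandatory)][string]$Keygrip,
          [string]$Path = (Join-Path $env:APPDATA 'gnupg\sshcontrol'))  # assumed default path
    if ($Keygrip -notmatch '^[0-9A-Fa-f]{40}$') { throw "not a 40-hex-digit keygrip: $Keygrip" }
    $ascii = [System.Text.Encoding]::ASCII
    if (Test-Path $Path) {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        if ($bytes.Length -gt 0 -and $bytes[-1] -ne 0x0A) {
            [System.IO.File]::AppendAllText($Path, "`n", $ascii)
        }
    }
    # An explicit ASCII encoding never emits a BOM or UTF-16, unlike ">>" in PowerShell 5.1.
    [System.IO.File]::AppendAllText($Path, ($Keygrip.ToUpper() + "`n"), $ascii)
}

Test-SshControlFile | Format-List
```

Feed Test-SshControlFile the path you use and compare its Keygrips list with the output of gpg --list-secret-keys --with-keygrip; a keygrip missing from the list, or any entry in Problems, explains an empty ssh-add -L before gpg-agent logs need to be consulted.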

@bencejuhaasz

bencejuhaasz commented Sep 17, 2024

I followed the guide, but I get

ssh-add -l
Error connecting to agent: No such file or directory

after setting $env:SSH_AUTH_SOCK="\.\pipe\openssh-ssh-agent"

@RainCat1998

My Issues Resolved

DISABLE the openssh ssh-agent Windows service IS IMPORTANT

@cyrmax @Anon-4 @SamJakob Have you solved this problem?

I have met the same problem; I get The agent has no identities. from ssh-add -l anyway, and I think I need some help.

Here is my env below:

Windows 11

22H2 22621.1413

GPG

 gpg --version

gpg (GnuPG) 2.4.0
libgcrypt 1.10.1
Copyright (C) 2021 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:\Users\Admin\.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

 gpgconf -V

* GnuPG 2.4.0 (c0556edb8)
MingW32
Windows 10.0 build 22621

* Libgcrypt 1.10.1 (ae0e5678)
version:1.10.1:10a01:1.46:12e00:
cc:80300:gcc:8.3-win32 20190406:
ciphers:arcfour:blowfish:cast5:des:aes:twofish:serpent:rfc2268:seed:camellia:idea:salsa20:gost28147:chacha20:sm4:
pubkeys:dsa:elgamal:rsa:ecc:
digests:crc:gostr3411-94::md4:md5:rmd160:sha1:sha256:sha512:sha3:tiger:whirlpool:stribog:blake2:sm3:
rnd-mod:w32:
cpu-arch:x86:
mpi-asm:i386/mpih-add1.S:i386/mpih-sub1.S:i386/mpih-mul1.S:i386/mpih-mul2.S:i386/mpih-mul3.S:i386/mpih-lshift.S:i386/mpih-rshift.S:
hwflist:intel-cpu:intel-fast-shld:intel-bmi2:intel-ssse3:intel-sse4.1:intel-pclmul:intel-aesni:intel-rdrand:intel-avx:intel-avx2:intel-fast-vpgather:intel-rdtsc:
fips-mode:n:::
rng-type:standard:1:3030000:1:
compliance:::

* GpgRT 1.46 (ea03187)

* Libassuan 2.5.5 (f8cfb56)

* KSBA 1.6.3 (bffa9b3)

* NTBTLS 0.3.1 (802494e)

gpg-agent.conf

###+++--- GPGConf ---+++###
enable-ssh-support
enable-putty-support
enable-win32-openssh-support
use-standard-socket

OpenSSH

OpenSSH_for_Windows_9.2p1, LibreSSL 3.6.1

Yes, all you need is to DISABLE the openssh ssh-agent Windows service.
