
Comments (20)

carloscabanero commented on June 19, 2024

Will take a look. I consider this critical functionality so we will tackle this immediately.

from blink.

gibsn commented on June 19, 2024

Hi!

> Second comment, this is actually expected behavior. Blink does not add all the keys in the GUI by default. It follows the ssh convention of adding those with the default name: id_ecdsa, id_rsa, etc... This is all explained in the GUI and the docs. But let me know if you think we could have made this more clear somehow.

Yeah, I get it now. I did read all the docs you have on your website but of course missed some points. Probably it would be more handy for me if it was documented in ssh --help, because when I encounter problems with a command-line tool, I seek answers in --help or man, not web docs.

gibsn commented on June 19, 2024

> Third problem. Again this is expected. For consistency, we removed file based keys a couple years ago. This definitely breaks the usual convention, so Blink should have warned you. I am surprised this seems to be the first issue we have had about it. It may actually be related to the first issue, the library could be parsing the identity and offering it itself. But very few people work with .ssh/config anyway.

The problem is that ssh --help states the opposite:

 -i <identity>           Selects a file from which the identity (private key)
                          for public key authentication is read. The default is
                          ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
                          ~/.ssh/id_rsa.  Identity files may also be specified
                          on a per-host basis in the configuration pane in the
                          Settings of Blink.

carloscabanero commented on June 19, 2024

Hi! I could not replicate this behavior. I'm thinking maybe something is going on with the parser, like a previous line or whatever. Given that the issue is very early on, line 14, do you think you could send me the first one or two batches so I can try to replicate from my side? Feel free to do so to my email: Carlos at blink.sh.

Thanks!

PS: I misread IdentitiesOnly for IdentityFile. That option is not currently supported but it should not block the rest. I will add IdentitiesOnly to the backlog.

gibsn commented on June 19, 2024

Hi!

Sure, I will narrow down my config to a piece that reproduces the problem and will send it to you.

gibsn commented on June 19, 2024

This config:

Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/ssh_mux_%h_%p_%r
    ControlPersist yes
    Compression yes

    TCPKeepAlive yes
    ServerAliveInterval 30
    ServerAliveCountMax 6

# this is a jump host to the internal network, that's why I need agent forwarding
Host devpoint
    HostName somedevpointaddr.i
    User me
    ForwardAgent yes

# this is to use a separate ssh-key for repos 
Host github.com
    IdentityFile Git
    IdentitiesOnly yes

Produces this output:

blink> ssh -v github.com
ssh_config_parse_line: Unsupported option: TCPKeepAlive, line: 7
ssh_config_parse_line: Unsupported option: ServerAliveInterval, line: 8
ssh_config_parse_line: Unsupported option: ServerAliveCountMax, line: 9
ssh_config_parse_line: Unsupported option: ForwardAgent, line: 15
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 20

carloscabanero commented on June 19, 2024

Thanks! I could replicate it easily now. I have an idea what may be going on, we should have this fixed for our TestFlight version tomorrow. Are you on it?

gibsn commented on June 19, 2024

> Thanks! I could replicate it easily now. I have an idea what may be going on, we should have this fixed for our TestFlight version tomorrow. Are you on it?

Not yet, how do I join?

carloscabanero commented on June 19, 2024

community.blink.sh - On how you found us, reference this issue so I know I need to add you immediately.

gibsn commented on June 19, 2024

> community.blink.sh - On how you found us, reference this issue so I know I need to add you immediately.

I am having trouble following this link:

blink> curl -v https://community.blink.sh
* Rebuilt URL to: https://community.blink.sh/
*   Trying 34.107.103.177...
* TCP_NODELAY set
* Connected to community.blink.sh (34.107.103.177) port 443 (#0)
* SSL peer handshake failed, the server most likely requires a client certificate to connect
* Closing connection 0
curl: (35) SSL peer handshake failed, the server most likely requires a client certificate to connect
blink> curl -v --insecure https://community.blink.sh
* Rebuilt URL to: https://community.blink.sh/
*   Trying 34.107.103.177...
* TCP_NODELAY set
* Connected to community.blink.sh (34.107.103.177) port 443 (#0)
* WARNING: disabling hostname validation also disables SNI.
* Unknown SSL protocol error in connection to community.blink.sh:-9838
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to community.blink.sh:-9838

carloscabanero commented on June 19, 2024

Ugh, sorry about that. Will reach out to Mailerlite. In the meantime, please send me the email to carlos at blink.sh. Thanks!

carloscabanero commented on June 19, 2024

Hi! So I've been checking things out and although the warning messages may show up, this should not affect the functionality. The proper flags, like ForwardAgent, should still work.

Is the agent not being forwarded in your scenario? Is there a specific flag not working?

Thanks!

gibsn commented on June 19, 2024

Hi! I will double-check later today or this weekend.

gibsn commented on June 19, 2024

Hi! So I tried a couple of approaches and here is what I got.

I had loaded my ssh keys through GUI before. I tried connecting to one of my SSH hosts that is configured like this:

Host mynode
    HostName some_amazon_node.eu-central-1.compute.amazonaws.com
    User admin
    ForwardAgent yes

Connecting failed with:

ssh -v mynode
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
Error connecting to technochat. authFailed(methods: [SSH.AuthAgent])

Actually I expected that the ssh command would try all the keys I had specified earlier with GUI. I thought then that if I am trying to connect to a host that is configured through config, not GUI, then the ssh command must be using the keys in the .ssh/ directory. So I copied my keys:

blink> ls .ssh | fgrep id_rsa
id_rsa
id_rsa.pub
id_rsa_git
id_rsa_git.pub

Specifying the key with '-i' does not help:

ssh -v -i .ssh/id_rsa mynode
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
Error connecting to technochat. authFailed(methods: [SSH.AuthAgent])

Actually -i does not work even with the key loaded through GUI:

ssh -v -i .ssh/id_rsa mynode
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
Error connecting to technochat. authFailed(methods: [SSH.AuthAgent])

Specifying the key with IdentityFile in config does not work either:

Host mynode
    HostName some_amazon_node.eu-central-1.compute.amazonaws.com
    User admin
    IdentityFile .ssh/id_rsa
    ForwardAgent yes

The only way I managed to make it work is by specifying the 'Dev' key through the IdentityFile:

Host mynode
    HostName some_amazon_node.eu-central-1.compute.amazonaws.com
    User admin
    IdentityFile .ssh/id_rsa
    ForwardAgent yes

blink> ssh -v mynode
ssh_config_parse_line: Unsupported option: TCPKeepAlive, line: 7
ssh_config_parse_line: Unsupported option: ServerAliveInterval, line: 8
ssh_config_parse_line: Unsupported option: ServerAliveCountMax, line: 9
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 16
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 20
socket_callback_connected: Socket connection callback: 1 (0)
ssh_key_cmp: key types don't match!
ssh_known_hosts_read_entries: Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
ssh_key_cmp: key types don't match!
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
Connected to x.x.x.x

The only key forwarded is the one I connected with:

ssh-add -l
8192 SHA256:rEPWN7wroHpyaoYgZ1ZBOMS/tF9GoKte34yq9Og9lfg Dev (RSA)

Adding to the agent also fails:

blink> ssh-add .ssh/id_rsa_git
Key not found

But adding a key specified through GUI works!

blink> ssh-add Git
Key Git - added to agent.

Forwarding works as expected:

ssh-add -l | wc -l
2

Then I thought that probably adding a GUI key to ssh-agent might help connecting, and it did:

blink> ssh-add Dev
Key Dev - added to agent.
blink> ssh -v mynode
ssh_config_parse_line: Unsupported option: TCPKeepAlive, line: 7
ssh_config_parse_line: Unsupported option: ServerAliveInterval, line: 8
ssh_config_parse_line: Unsupported option: ServerAliveCountMax, line: 9
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 16
ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 20
socket_callback_connected: Socket connection callback: 1 (0)
ssh_key_cmp: key types don't match!
ssh_known_hosts_read_entries: Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
ssh_key_cmp: key types don't match!
ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
ssh_packet_userauth_failure: Access denied for 'publickey'. Authentication that can continue: publickey
Connected to x.x.x.x

So to wrap it up here is what I think confused me:

  1. The ssh command does not try keys specified through the GUI; you need to load them manually with ssh-add
  2. The ssh command does not see keys in the .ssh dir, neither by default nor with the -i param

carloscabanero commented on June 19, 2024

Thanks a lot for the thorough description, it has been really helpful. So I have been working on solving some of the issues here as well as trying to iron out what the expectations are. I will try to reply in-line based on what Blink does and how I have changed it based on what we think it should do.

  • On the initial issue with ssh_config_parse_line: Unsupported option.

    • This is misleading as the message actually does not come from Blink, it comes from LibSSH. For quite a while Blink has implemented its own ssh_config parser. We were still calling the LibSSH parser though, if only to make sure we had not forgotten to add some weird flag. I fixed this, so we should not see these messages anymore, and we now rely 100% on our parser.
  • Second comment, this is actually expected behavior. Blink does not add all the keys in the GUI by default. It follows the ssh convention of adding those with the default name: id_ecdsa, id_rsa, etc... This is all explained in the GUI and the docs. But let me know if you think we could have made this more clear somehow.

> I had loaded my ssh keys through GUI before. I tried connecting to one of my SSH hosts that is configured like this:
>
> Host mynode
>     HostName some_amazon_node.eu-central-1.compute.amazonaws.com
>     User admin
>     ForwardAgent yes
>
> [...]
>
> Actually I expected that the ssh command would try all the keys I had specified earlier with GUI.

  • Third problem. Again this is expected. For consistency, we removed file based keys a couple years ago. This definitely breaks the usual convention, so Blink should have warned you. I am surprised this seems to be the first issue we have had about it. It may actually be related to the first issue, the library could be parsing the identity and offering it itself. But very few people work with .ssh/config anyway.

> I thought then that if I am trying to connect to a host that is configured through config, not GUI, then the ssh command must be using the keys in the .ssh/ directory. So I copied my keys:
>
> blink> ls .ssh | fgrep id_rsa
> id_rsa
> id_rsa.pub
> id_rsa_git
> id_rsa_git.pub
>
> Specifying the key with '-i' does not help:
>
> ssh -v -i .ssh/id_rsa mynode
> ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
> ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
> Error connecting to technochat. authFailed(methods: [SSH.AuthAgent])
  • Third' - This should have worked, you just need to do -i key_name, no path necessary.

> Actually -i does not work even with the key loaded through GUI:
>
> ssh -v -i .ssh/id_rsa mynode
> ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
> ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
> Error connecting to technochat. authFailed(methods: [SSH.AuthAgent])
  • Third''. Expected, no files.

> Specifying the key with IdentityFile in config does not work either:
>
> Host mynode
>     HostName some_amazon_node.eu-central-1.compute.amazonaws.com
>     User admin
>     IdentityFile .ssh/id_rsa
>     ForwardAgent yes
  • Fourth. Not sure I see the difference with the previous here, do you mean the GUI key?

> The only way I managed to make it work is by specifying the 'Dev' key through the IdentityFile:
>
> Host mynode
>     HostName some_amazon_node.eu-central-1.compute.amazonaws.com
>     User admin
>     IdentityFile .ssh/id_rsa
>     ForwardAgent yes
>
> blink> ssh -v mynode
> ssh_config_parse_line: Unsupported option: TCPKeepAlive, line: 7
> ssh_config_parse_line: Unsupported option: ServerAliveInterval, line: 8
> ssh_config_parse_line: Unsupported option: ServerAliveCountMax, line: 9
> ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 16
> ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 20
> socket_callback_connected: Socket connection callback: 1 (0)
> ssh_key_cmp: key types don't match!
> ssh_known_hosts_read_entries: Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
> ssh_key_cmp: key types don't match!
> ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
> ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
> Connected to x.x.x.x
>
> The only key forwarded is the one I connected with:
>
> ssh-add -l
> 8192 SHA256:rEPWN7wroHpyaoYgZ1ZBOMS/tF9GoKte34yq9Og9lfg Dev (RSA)
  • Fourth'. Again, no files. ssh-add id_rsa_git works.

> Adding to the agent also fails:
>
> blink> ssh-add .ssh/id_rsa_git
> Key not found
>
> But adding a key specified through GUI works!
>
> blink> ssh-add Git
> Key Git - added to agent.
>
> Forwarding works as expected:
>
> ssh-add -l | wc -l
> 2
  • Fifth. This is correct, no files.

> Then I thought that probably adding a GUI key to ssh-agent might help connecting, and it did:
>
> blink> ssh-add Dev
> Key Dev - added to agent.
> blink> ssh -v mynode
> ssh_config_parse_line: Unsupported option: TCPKeepAlive, line: 7
> ssh_config_parse_line: Unsupported option: ServerAliveInterval, line: 8
> ssh_config_parse_line: Unsupported option: ServerAliveCountMax, line: 9
> ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 16
> ssh_config_parse_line: Unsupported option: IdentitiesOnly, line: 20
> socket_callback_connected: Socket connection callback: 1 (0)
> ssh_key_cmp: key types don't match!
> ssh_known_hosts_read_entries: Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
> ssh_key_cmp: key types don't match!
> ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
> ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
> ssh_packet_userauth_failure: Access denied for 'publickey'. Authentication that can continue: publickey
> Connected to x.x.x.x
  • It seems like it all boils down to one thing: Do not use files for keys, import them to the GUI. And then you can reference them either in ssh_config or anywhere else, no need to add the ".ssh" path in any case.

> So to wrap it up here is what I think confused me:
>
>   1. The ssh command does not try keys specified through the GUI; you need to load them manually with ssh-add
>   2. The ssh command does not see keys in the .ssh dir, neither by default nor with the -i param
  • Add additional warnings for referencing keys on files, as it breaks the convention (key starts with .ssh or has a slash).

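As an added example (not Blink's or LibSSH's code) of the two behaviours described in the reply above: a small ssh_config resolver in Python that applies the first-value-wins rule for a host, reports options outside an assumed option table, and flags an IdentityFile that references a file using the convention from the last bullet (the value starts with .ssh or contains a slash). The SUPPORTED set and the warning wording are assumptions made for this example; the sample config is the one posted in the thread with the later mynode block appended, so one file exercises both checks. Match blocks are not handled.

```python
"""Resolve ssh_config options for a host and flag the two situations the
thread discusses: options the parser does not know, and IdentityFile values
that name a file path rather than an imported key.

Added example, not Blink's or LibSSH's code. SUPPORTED is an assumed option
table for this toy; the real client's table is not on the page.
"""
import fnmatch
import re

# Assumed option table for the example (lower-case, since ssh_config keys are
# case-insensitive). Anything outside it is reported as unsupported.
SUPPORTED = {
    "hostname", "user", "port", "identityfile", "identitiesonly", "forwardagent",
    "controlmaster", "controlpath", "controlpersist", "compression",
    "tcpkeepalive", "serveraliveinterval", "serveralivecountmax",
}

# Constructed sample: the config posted in the thread plus the later "mynode"
# block, so one file exercises both warnings.
SAMPLE_CONFIG = """\
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/ssh_mux_%h_%p_%r
    ControlPersist yes
    Compression yes

    TCPKeepAlive yes
    ServerAliveInterval 30
    ServerAliveCountMax 6

# jump host to the internal network, hence agent forwarding
Host devpoint
    HostName somedevpointaddr.i
    User me
    ForwardAgent yes

# separate key for repos; "Git" is a key imported in the GUI, not a file
Host github.com
    IdentityFile Git
    IdentitiesOnly yes

Host mynode
    HostName some_amazon_node.eu-central-1.compute.amazonaws.com
    User admin
    IdentityFile .ssh/id_rsa
    ForwardAgent yes
"""

# "Key Value", "Key=Value" and "Key = Value" are all accepted by ssh_config.
_LINE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.+?)\s*$")


def parse_blocks(text):
    """Split config text into (host_patterns, [(lineno, key, value), ...]).

    Options before the first Host line apply to every host.
    """
    blocks, patterns, options = [], ["*"], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # keyword without a value; ignored in this toy
        key, value = m.group(1), m.group(2)
        if key.lower() == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = value.split(), []
        else:
            options.append((lineno, key, value))
    if options:
        blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host):
    """ssh Host matching: shell globs, with a leading '!' meaning exclusion."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def looks_like_file(value):
    """Convention from the thread: a key reference is a path if it starts with
    .ssh or contains a slash; otherwise it is the name of an imported key."""
    return value.startswith(".ssh") or "/" in value


def resolve(text, host):
    """Return (options, warnings) for `host`, the name typed on the command line.

    As in ssh_config, the first value obtained for an option wins, so the most
    specific Host block should appear before Host *. IdentityFile is the
    exception: every matching block appends to the list.
    """
    options, warnings = {}, []
    for patterns, opts in parse_blocks(text):
        if not host_matches(patterns, host):
            continue
        for lineno, key, value in opts:
            lk = key.lower()
            if lk not in SUPPORTED:
                warnings.append(f"line {lineno}: unsupported option {key}")
                continue
            if lk == "identityfile":
                if looks_like_file(value):
                    warnings.append(
                        f"line {lineno}: IdentityFile {value!r} is a file path; "
                        "this client resolves keys by name only")
                options.setdefault(lk, []).append(value)
            else:
                options.setdefault(lk, value)  # first value wins
    return options, warnings


if __name__ == "__main__":
    for target in ("github.com", "mynode"):
        opts, warns = resolve(SAMPLE_CONFIG, target)
        print(target, opts)
        for w in warns:
            print("  warning:", w)
```

Running it for mynode yields the single path warning for line 25 of the sample; github.com resolves cleanly to the imported key "Git" with IdentitiesOnly, which is the setup the last bullet recommends. The warning is deliberately emitted at parse time rather than at authentication time, so a misreferenced key shows up before any connection attempt.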

gibsn commented on June 19, 2024

To make it clear: GUI keys are named 'Dev' and 'Git'; key files in the .ssh dir are named id_rsa[.pub] and id_rsa_git[.pub].

> Third' - This should have worked, you just need to do -i key_name, no path necessary.
>
> Actually -i does not work even with the key loaded through GUI:
>
> ssh -v -i .ssh/id_rsa mynode
> ssh_packet_userauth_failure: Access denied for 'none'. Authentication that can continue: publickey
> ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
> Error connecting to technochat. authFailed(methods: [SSH.AuthAgent])

There is a mistake in the snippet; it should have been this:

ssh -v -i Dev mynode

I tried it now and it works, although I did not add the Dev key to the agent manually. Probably I made a mistake when I was testing this case earlier.

> Fourth'. Again, no files. ssh-add id_rsa_git works.
>
> Adding to the agent also fails:
>
> blink> ssh-add .ssh/id_rsa_git
> Key not found

ssh-add id_rsa_git does not work, because there is no GUI key named id_rsa_git:

blink> ssh-add id_rsa_git
Key not found

> It seems like it all boils down to one thing: Do not use files for keys, import them to the GUI. And then you can reference them either on ssh_config or anywhere else, no need to add the ".ssh" path in any case.

Got it.

gibsn commented on June 19, 2024

THIS MESSAGE WAS HEAVILY EDITED BECAUSE I UNDERSTOOD THAT I GOT IT ALL WRONG

The only problem I have left is that in order to forward my keys I need to add them manually to the agent each time I start Blink. Is there any reason why you don't want them to be added automatically on startup? Probably I am missing a way to configure this to be done automatically?

carloscabanero commented on June 19, 2024

Thanks again, I flagged the conversations from my side so we will do the proper changes to help, etc...

I was gonna ask you about how you would prefer to load keys as well given your number of hosts. Blink has a special agent that is basically an agent per host and a default agent. Usually, the default agent holds all the keys you want to forward to all hosts, like the usual ssh-agent, but this is known to be troublesome.

If you create the host in Blink, then you can define what specific keys you want to forward there, so each host can have different access. This has to be done at the GUI as there is no standard ssh flag at the moment. You can also specify different "constraints" like Asking you every time before use, or once per connection, etc...

Our idea here is that most people just forward keys to one or two hosts, and if they need to forward to more than that they probably want to have very specific control for when this happens (the manual way). So far, the per-host agent has really served us well and removed the need for the default agent. But does this work for you? Or would you rather have a more generic way to assign keys to groups of hosts in the agent or the default agent?

gibsn commented on June 19, 2024

I have only two keys: one for connecting to hosts and one for communicating with git repos. Basically I need to be able to forward the 'git' key to any host I ssh to.

I guess the default agent would work for me. Another option is to provide a way to initialise each shell session automatically with something like .bash_profile, so that I can ssh-add my keys there.

carloscabanero commented on June 19, 2024

Shipped on 17.2.0

Created #1960 to get control over the default agent.
