我有一个包含多个按需 SSH 隧道的设置,我喜欢通过 Windows 服务进行管理。我通常使用 Cygwin 及其自己的 OpenSSH(OpenSSH_9.5p1、OpenSSL 3.0.12 2023 年 10 月 24 日),但也尝试过 Microsoft 的 OpenSSH 端口(OpenSSH_for_Windows_9.4p1、LibreSSL 3.7.3)。我使用 Cygwin 将cygrunsrv这些 SSH 隧道作为 Windows 服务进行管理,并将其融入autossh其中。我已经使用这个设置大约 10 年了,它很有效令人惊奇地好吧。现在我试图让一切与 FIDO 身份验证器一起工作,但遇到了麻烦。
通过上述两种 SSH 实现,我都可以成功连接到具有 ed25519_sk 私钥的服务器,并在被要求时触碰我的 FIDO 身份验证器。
但是,当通过 Windows 服务建立连接时,我尝试获取用户在线提示失败了。问题似乎是 Windows 服务与用户的桌面会话分离,无法轻松与用户交互。事实上,Microsoft 建议运行一个桌面应用程序,以便在您的服务需要时处理用户交互(至少作为解决方案之一)。
问题是:当 SSH 的任一端口作为 Windows 服务运行时,是否有办法与用户交互并证明存在?
我尝试过什么?
“正常”连接尝试
Windows ssh 交互方式
debug1: Offering public key: C:\\Users\\.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
debug1: Server accepts key: C:\\Users\\.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
Confirm user presence for key ED25519-SK SHA256:...
debug1: find_helper: using "C:\\Program Files\\OpenSSH\\ssh-sk-helper.exe" as helper
User presence confirmed
Authenticated to ...
Windows ssh 作为 Windows 服务:
debug1: Offering public key: C:\\Users\\.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: C:\\Users\\.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
debug3: sign_and_send_pubkey: using publickey with ED25519-SK SHA256:...
debug3: sign_and_send_pubkey: signing using [email protected] SHA256:...
debug3: notify_start: cannot notify: no display
debug1: find_helper: using "C:\\Program Files\\OpenSSH\\ssh-sk-helper.exe" as helper
debug3: Creating process with CREATE_NO_WINDOW
debug3: spawning "C:\\Program Files\\OpenSSH\\ssh-sk-helper.exe" as subprocess
debug3: start_helper: started pid=18372
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: process_sign: ready to sign with key ED25519-SK, provider internal: msg len 186, compat 0x4000000
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x01
debug1: ssh_sk_sign: fido_dev_get_assert: FIDO_ERR_INTERNAL
debug1: sshsk_sign: sk_sign failed with code -1
debug1: ssh-sk-helper: Signing failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=18372
debug1: identity_sign: sshkey_sign: invalid format
sign_and_send_pubkey: signing failed for ED25519-SK "C:\\Users\\.../.ssh/id_ed25519_sk": invalid format
交互式工作,但作为 Windows 服务则不行。
Cygwin ssh 交互方式
Cygwin OpenSSH 的成功案例与 Windows 非常相似(为简洁起见,这里不再重现)。
Cygwin ssh 作为 Windows 服务
debug1: Offering public key: /home/.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
debug3: sign_and_send_pubkey: using publickey with ED25519-SK SHA256:...
debug3: sign_and_send_pubkey: signing using [email protected] SHA256:...
debug3: no authentication agent, not adding key
debug3: notify_start: cannot notify: no display
debug3: start_helper: started pid=62202
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/sbin/ssh-sk-helper
debug1: process_sign: ready to sign with key ED25519-SK, provider internal: msg len 186, compat 0x4000000
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x01
debug1: ssh_sk_sign: fido_dev_get_assert: FIDO_ERR_INTERNAL
debug1: sshsk_sign: sk_sign failed with code -1
debug1: ssh-sk-helper: Signing failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=62202
debug1: identity_sign: sshkey_sign: invalid format
sign_and_send_pubkey: signing failed for ED25519-SK "/home/.../.ssh/id_ed25519_sk": invalid format
在这两种失败情况下,问题似乎都是无法创建窗口,即无法作为 Windows 服务与用户直接交互。这与 Windows Vista 以来的变化以及 Microsoft 资源的建议一致。
SSH 代理介导的连接尝试
现在我认为 SSH 代理会有所帮助。Windows 和 Cygwin SSH 都可以成功地与各自的 ssh 代理配合使用(跳过输出,没有什么有趣的内容)。但是,当作为 Windows 服务运行时:
Windows ssh + ssh 代理:
debug1: Offering public key: C:\\Users\\.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: C:\\Users\\.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator agent
debug3: sign_and_send_pubkey: using publickey with ED25519-SK SHA256:...
debug3: sign_and_send_pubkey: signing using [email protected] SHA256:...
sign_and_send_pubkey: signing failed for ED25519-SK "C:\\Users\\.../.ssh/id_ed25519_sk" from agent: agent refused operation
Cygwin ssh + ssh 代理:
debug1: Offering public key: /home/.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator
debug3: sign_and_send_pubkey: using publickey with ED25519-SK SHA256:...
debug3: sign_and_send_pubkey: signing using [email protected] SHA256:...
debug3: ssh_get_authentication_socket_path: path '~/.ssh-agent'
debug3: no authentication agent, not adding key
debug3: notify_start: cannot notify: no display
debug3: start_helper: started pid=62407
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/sbin/ssh-sk-helper
debug1: process_sign: ready to sign with key ED25519-SK, provider internal: msg len 186, compat 0x4000000
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x01
debug1: ssh_sk_sign: fido_dev_get_assert: FIDO_ERR_INTERNAL
debug1: sshsk_sign: sk_sign failed with code -1
debug1: ssh-sk-helper: Signing failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=62407
debug1: identity_sign: sshkey_sign: invalid format
sign_and_send_pubkey: signing failed for ED25519-SK "/home/.../.ssh/id_ed25519_sk": invalid format
我以为 ssh-agent 可以解决问题,但由于某种原因它没有起作用。
类似问题
为什么 ssh-agent 会[电子邮件保护]密钥产生代理拒绝操作尽管纯粹基于 Linux,但这个看起来基本相似。
答案1
我越想越觉得,这个问题无法通过 SSH 代理解决。SSH 代理应该接管处理 FIDO 身份验证的责任。并且由于它能与用户的桌面会话进行交互,当 Windows 服务请求其进行身份验证帮助时应该不会出现任何问题。
关于 Cygwin SSH 代理不工作,我最终对这一行产生了怀疑:
debug3: ssh_get_authentication_socket_path: path '~/.ssh-agent'
debug3: no authentication agent, not adding key
我已经开始了我的经纪人生涯ssh-agent -a ~/.ssh-agent,做过当我测试与的交互式连接时工作SSH_AUTH_SOCK=~/.ssh-agent ssh -vvv ...。
盯着这个看了一会儿后,我突然开始怀疑波浪号在作为 Windows 服务运行时没有展开。所以我尝试使用以下命令设置路径/home/.../.ssh-agent:
debug1: Offering public key: /home/.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/.../.ssh/id_ed25519_sk ED25519-SK SHA256:... authenticator agent
debug3: sign_and_send_pubkey: using publickey with ED25519-SK SHA256:...
debug3: sign_and_send_pubkey: signing using [email protected] SHA256:...
debug3: send packet: type 50
debug3: receive packet: type 52
Authenticated to ... using "publickey".
这是一段漫长的旅程。希望它也能帮助其他人。