Hi guys,
I have downloaded teleport-v3.2.6-windows-amd64-bin.zip and put it in c:\Windows, then ran tsh login --proxy=xxx in cmd; login in the browser window was successful.
tsh ls works fine, but when I try to log in to a node with tsh ssh --proxy=xxx root@$hostname, it shows “sessions not supported on windows”.
I have followed https://gravitational.com/teleport/docs/user-manual/#using-openssh-client to set something, but nothing works.
Am I missing something?
thanks!
You will need to run an SSH agent on your Windows machine, then use tsh login to log into a Teleport cluster. This will generate a certificate which will be loaded into the SSH agent - you can validate that this has happened by running ssh-add -l.
Once you have the certificate in your SSH agent you can then use an SSH client as normal.
Hi gus:
Thanks for your reply, but it's still not working.
Q1: I have another PC running Windows 10 with openssh-client (beta). tsh login still works fine, but when I run ssh-add -l the cmd output is: The agent has no identities
Q2: If I want to use xshell to log in to a node, how do I configure that? More detail please.
- One other thing you may need is to make sure that the SSH_AUTH_SOCK environment variable for the ssh-agent is set correctly - try running echo %SSH_AUTH_SOCK% before you tsh login to make sure it isn’t blank.
- I’m afraid I’m not familiar with xshell. If you have a Windows 10 machine then I’d consider using WSL/Windows Subsystem for Linux (https://docs.microsoft.com/en-us/windows/wsl/install-win10) as then you could run the Linux version of tsh natively which would make things much easier.
Emmm, does it mean %SSH_AUTH_SOCK% was blank?
WSL is a good idea, but it's hard to persuade devs to switch OS to Win10,
so I have to find some way to make tsh work fine.
If you’re using Powershell then I think you need to use echo $Env:SSH_AUTH_SOCK but if not then yes, that means the value was blank.
How are you launching ssh-agent?
I have tried $Env:SSH_AUTH_SOCK in PowerShell and %SSH_AUTH_SOCK% in cmd, and got the same result: blank, no output. In fact, I don’t know how to launch ssh-agent on Windows; eval ssh-agent doesn’t work on Windows.
I think the problem is how to configure OpenSSH login with the Teleport certificate.
I have followed https://gravitational.com/teleport/docs/user-manual/#using-openssh-client and made a test on macOS; when I run ssh root@key it shows
ssh_exchange_identification: Connection closed by remote host
here is my ~/.ssh/config
Here is my ~/.ssh/config for a similar setup:
Host gustest-main-auth-0
Port 3022
ProxyCommand ssh -p 3023 %r@gustest-main.gravitational.co -s proxy:%h:%p
When I provide a key from a similar path to log in using ssh it works fine:
$ ssh -i ~/.tsh/keys/gustest-main.gravitational.co/gus@gravitational.com root@gustest-main-auth-0
root@gustest-main-auth-0:~#
Can you try explicitly providing the correct key to the ssh command on the command line? If it still doesn’t work, can you run the same command with ssh -v and post the logs here?
Hi gus, here is my ssh log:
Infinite:~ mike$ ssh -i ~/.tsh/keys/jxz.testdomain.net/useraaa@testdomain.net scops@key
subsystem request failed on channel 0
ssh_exchange_identification: Connection closed by remote host
Infinite:~ mike$ ssh -vvv -i ~/.tsh/keys/jxz.testdomain.net/useraaa@testdomain.net scops@key
OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/mike/.ssh/config
debug1: /Users/mike/.ssh/config line 38: Applying options for key
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Executing proxy command: exec ssh -p 3023 scops@jxz.testdomain.net -s proxy:key:3022
debug1: identity file /Users/mike/.tsh/keys/jxz.testdomain.net/useraaa@testdomain.net type 0
debug1: identity file /Users/mike/.tsh/keys/jxz.testdomain.net/useraaa@testdomain.net-cert type 4
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: permanently_drop_suid: 501
subsystem request failed on channel 0
ssh_exchange_identification: Connection closed by remote host
- That SSH log you posted looks to be from a Mac, not a Windows machine - how are you connecting?
- What appears in the Teleport logs on jxz.testdomain.net when you’re trying to connect? You may need to change the Teleport server to run with the --debug flag to get sufficient information.
1: Yep, that log is from the Mac, because I want to try using an SSH client to log in to a node with the Teleport certificate.
2: Is the --debug flag for auth or proxy? We deploy auth and proxy on different hosts.
@dadayoo As per this issue (https://github.com/gravitational/teleport/issues/2782) you could try using -A as a parameter to ssh to make sure that the agent is forwarded.
We would need logs from both the auth and proxy servers showing an unsuccessful connection to help further.
There is a guide on how to use tsh and ssh on Windows here: How to connect to Teleport hosts using Windows