WinSSHTerm - does it work with Teleport?

[WinSSHTerm]

Hi,
a user recently asked if it is possible to use WinSSHTerm (which is basically a wrapper GUI for PuTTY and WinSCP) to ssh into a server through Teleport. WinSSHTerm now supports certificates (since 2.37.1), however I don't have access to a Teleport setup.

Here is a YouTube video that shows how to manually set up certificates to launch PuTTY and WinSCP. For use with Teleport, a proxy ("Local") has to be configured too afaik.

There is a migration tool available, which should automatically create a connection file for WinSSHTerm and migrate all relevant settings from the PuTTY sessions generated by Teleport.

I'd be glad if someone could check it out and confirm if it works, thanks!
Patrick

[webvictim]

Hey - I tried to run the migration tool and got an error: P-St/Migrate2WinSSHTerm#13

I'll be happy to test things if it's possible to fix that error. Thanks!

Edit: now fixed!

[webvictim]

OK, now I've got the migration tool working, I ran it and it generated a connections.xml file containing the details of my two PuTTY connections that were added using Teleport's tsh puttyconfig command.

The connections load OK, but when I attempt to load a session to connect through Teleport, I get an error: "X11 forwarding is not enabled":

The session halts at this point and I cannot access the server.

This error is being passed back from Teleport, which does not allow X forwarding by default. As such, the PuTTY sessions it creates don't have X forwarding enabled when created either. It seems that out of the box, WinSSHTerm expects this to be enabled by default?

If I manually edit the "Config" of the connection to set "don't forward" next to "X11 forward", things work as expected:

Debugging info

connections.xml (real hostname was redacted):

<?xml version='1.0' encoding='utf-8'?>
<WinSSHTerm Version='1'>
<Node Name='Sessions' Type='Container' Expanded='True'>
<Node Name='ip-172-31-30-140%20(proxy:teleport.example.com)' Type='Connection' Descr='' Username='ubuntu' Password='' PrivateKey='C:\Users\gus\.tsh\keys\teleport.example.com\webvictim.ppk' Hostname='ip-172-31-30-140' Port='3022' Certificate='C:\Users\gus\.tsh\keys\teleport.example.com\webvictim-ssh\purple-cert.pub' pSshProxy='enabled' pType='Local' pHost='teleport.example.com' pPort='0' pUser='ubuntu' pTelnetCmd='C:\\Windows\\tsh.exe proxy ssh --cluster=purple --proxy=%proxyhost %user@%host:%port' />
<Node Name='ip-172-31-8-63%20(proxy:teleport.example.com)' Type='Connection' Descr='' Username='ubuntu' Password='' PrivateKey='C:\Users\gus\.tsh\keys\teleport.example.com\webvictim.ppk' Hostname='ip-172-31-8-63' Port='22' Certificate='C:\Users\gus\.tsh\keys\teleport.example.com\webvictim-ssh\purple-cert.pub' pSshProxy='enabled' pType='Local' pHost='teleport.example.com' pPort='0' pUser='ubuntu' pTelnetCmd='C:\\Windows\\tsh.exe proxy ssh --cluster=purple --proxy=%proxyhost %user@%host:%port' />
</Node>
</WinSSHTerm>

Screenshot of the Computer\HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ip-172-31-30-140%20(proxy:teleport.example.com) registry key as created by Teleport with tsh puttyconfig:

[webvictim]

I also tried to use the "Copy Files" button on the connection to invoke WinSCP, but unfortunately that doesn't work:

I suspect this is because WinSCP is not being told to import the SSH Host CAs set in the PuTTY registry keys when it's invoked.

You can see under step 5 in the docs here that Teleport requires that checkbox enabled for seamless connections: https://goteleport.com/docs/connect-your-client/putty-winscp/#using-winscp-to-transfer-files-over-sftp

This is to save users from having to manually re-import their SSH Host CA configuration, which are also automatically generated and written to PuTTY's registry key when running tsh puttyconfig:

[WinSSHTerm]

Thanks for testing!

This error is being passed back from Teleport, which does not allow X forwarding by default. As such, the PuTTY sessions it creates don't have X forwarding enabled when created either. It seems that out of the box, WinSSHTerm expects this to be enabled by default?

Right, X11 forwarding is enabled by default for all connections in WinSSHTerm by changing the session parameter in the registry. A way to get around this would be to adapt the migration script to turn off X11 forwarding for each migrated connection - if the session was created by Teleport. Maybe a simple substring check for "tsh.exe" in the proxy telnet command would be a good way to identify Teleport. What do you think?

I suspect this is because WinSCP is not being told to import the SSH Host CAs set in the PuTTY registry keys when it's invoked.

That shouldn't be the case, because WinSSHTerm will force this by using the command line parameter /rawconfig Interface\SshHostCAsFromPuTTY=1.

When you click on "Copy files" and the WinSCP windows pops up, you can see all command line parameters for WinSCP (and PuTTY) by opening up a PowerShell terminal and enter this command:

Get-CimInstance Win32_Process -Filter "name like '%putty%' or name like '%plink%' or name like '%winscp%'" | select CommandLine | Format-Table -wrap

With my test connection, this will ouput something like this for WinSCP:

"C:\Users\pst\...\tools\WinSCP\WinSCP.exe"
"scp:[email protected]:22/" /privatekey=C:\WinSSHTerm-2.37.0\my_user_private_key.ppk /rawconfig
Interface\SshHostCAsFromPuTTY=1 /rawsettings DetachedCertificate=C:\WinSSHTerm-2.37.0\my_user_certificate.pub
SendBuf=0 SshSimple=0 utf=1 /sessionname="srv01.mycompany.com ([email protected])" /newinstance

The output might give a hint on what's going wrong here. Could you share it?

[WinSSHTerm]

Thanks for testing! Nice, I will release an official fix soon.

I seem to recall during my original WinSCP testing that this happened when using SCP rather than SFTP. I can confirm that if I override "Protocol" to "sftp" under the "Copy Files" configuration - this resolves it and WinSCP connects as expected

I'm not sure if I can do much here, as this doesn't seem to be a problem with WinSSHTerm. However, I could change the migration script, so that sftp will be set automatically for all migrated Teleport sessions. So no X11 Forwarding and SFTP instead of SCP. This should make connecting work out of the box. I will do some changes to the migration script and let you know.

[webvictim]

I think that sounds like a great solution!

[WinSSHTerm]

I made new releases:
WinSSHTerm-2.37.2
Migrate2WinSSHTerm-0.20
Connecting to PuTTY/WinSCP should work now without the need to change the configuration after migrating the sessions. Does it work for you?

[webvictim]

Hi - I can confirm that with WinSSHTerm 2.37.2 and Migrate2WinSSHTerm 0.20, everything works fine out of the box!