How to use tsh on Windows 7?

Hi guys,
I have downloaded it and put it in c:\Windows, ran tsh login --proxy=xxx in cmd, and the login in the browser window was successful.
tsh ls works fine, but when I try to log in to a node with tsh ssh --proxy=xxx root@$hostname, it shows “sessions not supported on windows”.
I have followed to set something, but nothing works.
Am I missing something?

You will need to run an SSH agent on your Windows machine, then use tsh login to log into a Teleport cluster. This will generate a certificate which will be loaded into the SSH agent - you can validate that this has happened by running ssh-add -l.

Once you have the certificate in your SSH agent you can then use an SSH client as normal.

Hi gus:
Thanks for your reply, but it's still not working :confused:
Q1: I have another PC running Windows 10 with openssh-client (beta).
Still, tsh login works fine, but when I run the ssh-add -l command, the output is: The agent has no identities.
Q2: If I want to use xshell to log in to a node, how do I configure that? More detail please.

  1. One other thing you may need is to make sure that the SSH_AUTH_SOCK environment variable for the ssh-agent is set correctly - try running echo %SSH_AUTH_SOCK% before you tsh login to make sure it isn’t blank.

  2. I’m afraid I’m not familiar with xshell. If you have a Windows 10 machine then I’d consider using WSL/Windows Subsystem for Linux, as then you could run the Linux version of tsh natively, which would make things much easier.
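
The two checks suggested in the replies above (SSH_AUTH_SOCK is not blank, and ssh-add -l shows the certificate) combined into one preflight for a POSIX shell on macOS, Linux or WSL. This is an added example, not part of the thread or of Teleport; the function names and state labels are assumptions, and it relies on ssh-add's exit codes (0 identities listed, 1 none, 2 agent unreachable).

```shell
#!/bin/sh
# Preflight before using plain `ssh` with a certificate issued by `tsh login`.

# classify_agent SOCK RC LISTING -> prints one state label (labels are hypothetical).
#   SOCK    value of SSH_AUTH_SOCK
#   RC      exit status of `ssh-add -l`
#   LISTING stdout of `ssh-add -l`
classify_agent() {
    sock=$1 rc=$2 listing=$3
    if [ -z "$sock" ]; then
        echo "no-socket"                 # the blank SSH_AUTH_SOCK case
        return 0
    fi
    case $rc in
        2) echo "agent-unreachable" ;;   # socket path set, nothing answering
        1) echo "agent-empty" ;;         # "The agent has no identities."
        0)  # Certificates are listed with a -CERT key type, e.g. (RSA-CERT)
            if printf '%s\n' "$listing" | grep -qF -- '-CERT)'; then
                echo "cert-loaded"
            else
                echo "keys-no-cert"      # plain keys only, no certificate
            fi ;;
        *) echo "ssh-add-failed" ;;      # e.g. 127: ssh-add not installed
    esac
}

# check_agent: run the real checks against the current environment.
check_agent() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        classify_agent "" 2 ""
        return 0
    fi
    listing=$(ssh-add -l 2>/dev/null) && rc=0 || rc=$?
    classify_agent "$SSH_AUTH_SOCK" "$rc" "$listing"
}

echo "agent state: $(check_agent)"
```

Only the cert-loaded state means the agent holds a certificate that ssh can offer; any other state points at the agent setup rather than at the ssh configuration.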

Emmm, does it mean %SSH_AUTH_SOCK% was blank?
WSL was a good idea, but it's hard to persuade the devs to switch OS to Win10 :no_mouth:
So I have to find some way to make tsh work fine :joy:

If you’re using PowerShell then I think you need to use echo $Env:SSH_AUTH_SOCK but if not then yes, that means the value was blank.

How are you launching ssh-agent?

I have tried running $Env:SSH_AUTH_SOCK in PowerShell and %SSH_AUTH_SOCK% in cmd, and got the same result: blank, nothing output. In fact, I don’t know how to launch ssh-agent in Windows; eval ssh-agent doesn’t work in Windows.
I think the problem is how to configure openssh login with the Teleport certificate.
I have followed and made a test in MacOS; when I run ssh root@key it shows
ssh_exchange_identification: Connection closed by remote host
Here is my ~/.ssh/config

Here is my ~/.ssh/config for a similar setup:

Host gustest-main-auth-0
    Port 3022
    ProxyCommand ssh -p 3023 -s proxy:%h:%p

When I provide a key from a similar path to log in using ssh it works fine:

$ ssh -i ~/.tsh/keys/ root@gustest-main-auth-0

Can you try explicitly providing the correct key to the ssh command on the command line? If it still doesn’t work, can you run the same command with ssh -v and post the logs here?

Hi gus, here is my ssh log

Infinite:~ mike$ ssh -i ~/.tsh/keys/ scops@key
subsystem request failed on channel 0
ssh_exchange_identification: Connection closed by remote host
Infinite:~ mike$ ssh -vvv -i ~/.tsh/keys/ scops@key
OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/mike/.ssh/config
debug1: /Users/mike/.ssh/config line 38: Applying options for key
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Executing proxy command: exec ssh -p 3023 -s proxy:key:3022
debug1: identity file /Users/mike/.tsh/keys/ type 0
debug1: identity file /Users/mike/.tsh/keys/ type 4
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: permanently_drop_suid: 501
subsystem request failed on channel 0
ssh_exchange_identification: Connection closed by remote host

  1. That SSH log you posted looks to be from a Mac, not a Windows machine - how are you connecting?

  2. What appears in the Teleport logs on when you’re trying to connect? You may need to change the Teleport server to run with the --debug flag to get sufficient information.

1: Yep, that log is from the Mac, because I want to try using an SSH client to log in to a node with the Teleport certificate.
2: --debug flag on auth or proxy? We deploy auth and proxy on different hosts.

@dadayoo As per this issue, you could try using -A as a parameter to ssh to make sure that the agent is forwarded.

We would need logs from both the auth and proxy servers showing an unsuccessful connection to help further.