Running vault login under windows throws invalid handle

[lrstanley]

When attempting to use vault in a Windows environment, I receive the following error (suspect it's related to stdin being different in mingw or similar?):

liam@windows MINGW64 ~/Downloads
$ ./vault.exe login -method=ldap username=someusername
Password (will be hidden):
Error authenticating: The handle is invalid.

It will immediately exit, without entering a password. This has been tested within Cygwin as well as Git Bash, under Windows 7 and 10, x84_64.

Environment:

• Vault Server Version (retrieve with vault status): n/a
• Vault CLI Version (retrieve with vault version): v0.10.3

It's worth noting that one can still utilize password=<your-password> directly in the prompt, but this is far from the desired behavior, as it shows the password, and in certain environments, will log to the bash history (even on windows).

[jefferai]

Unfortunately I'm going to need to point you towards cygwin/mingw/msys. Those aren't native shells, and unless Vault isn't working with the native Windows shell or Powershell, any difference with how it works in non-native shells is basically a bug in those shells.

It's possible compiling within a Cygwin environment might cause different behaviors, but I'm not sure.

[lrstanley]

I'm confused.. if it's not working with both, the only similarity between the two situations is Vault. Other Golang-written executables looking for stdin within mingw/cygwin/etc, work without issue. Simply put, I don't see how this is a "bug" in both cygwin/mingw.

It's likely Vault would have to make edge-cases for these environments, because cygwin/mingw/etc aren't ever going to do exactly what Windows or Linux do (tty by default). Bash running under Cywgin, will connect the executable to the console handles via simple redirection. Singling out these users is a huge issue in a corporate environment, for us.

From what it sounds like others have to do, is if Cygwin/Mingw, force the use of a pty (or something like winpty), or at least let people know like this.

Example application which has functional stdin on these environments: https://github.com/concourse/fly/tree/master/pty; which, from brief review, looks like if on Windows, they just force a pty, without prior checking.

Compiling within a Cygwin environment, doesn't seem like it would change anything. It's still a windows binary.

For now, I think we're just going to have to redirect users to utilize winpty. E.g. $ winpty ./vault.exe auth -method=ldap username=someusername, which does properly prompt, regardless of cygwin or mingw.

[lrstanley]

It's worth noting, I have a strong dislike for Windows, so I personally don't care. But the people using Vault, if they are required to use Windows, are going to care.

[jefferai]

if it's not working with both, the only similarity between the two situations is Vault

That's my point, Vault is the same but the execution environment is different.

Example application which has functional stdin on these environments: https://github.com/concourse/fly/tree/master/pty; which, from brief review, looks like if on Windows, they just force a pty, without prior checking.

I'm more than happy to accept a patch fixing the problem.

Compiling within a Cygwin environment, doesn't seem like it would change anything. It's still a windows binary.

From past experience (not with Go) dealing with cross-compilation, it seems likely to me that it'll link against different libraries, which may provide proper support.

But the people using Vault, if they are required to use Windows, are going to care.

It'd be great if one of those people can then dig in and figure out what the issue is. This is the first report of this issue we've seen, and that might be due to recent changes (or not), but it suggests that it is not a common problem, or that the vast majority of Windows users aren't running it under Cygwin/Mingw.

If someone on the team is interested maybe they'll dig in, but unless this isn't working in Windows Shell or PowerShell, it's hard to explicitly dedicate engineering resources to this, and considering almost everyone (or maybe just everyone?) on the team is using Linux or Mac, it's unlikely to be a small lift to get Cygwin going on a Windows box to dig in.

[SvenDowideit]

wow! I just hit this too - it works running the command in cmd.exe, but in git for windows, it errors out just as it prints the Password (will be hidden):

I'm always astounded at the horrible corner cases windows illuminates.

@lrstanley and @jefferai in my case, there is a "as usual" work around - prefix any interactive commands with winpty

dow184@TOWER-SL MINGW64 ~/src/onaci/swarm-infra (master)
$ winpty vault login --address=${CENTRAL_VAULT} -format=json -method=ldap username=dow184
Password (will be hidden):
{
  "request_id": "30483993-735e-fab0-977c-756dc84ce578",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {},
...

@jhowardmsft I really wonder - is there a better way to transparently make this kind of thing "just work"? if its something that could get upstreamed into the windows builds in go, it'd save a heck of a lot of unknowns.

[SvenDowideit]

I guess @rprichard might be able to give pointers?

[ztou]

same issue here, running in git bash from latest git-for-windows

huangjoh@SHAPC0N4NVD MINGW64 ~
$ vault login -method=ldap username=huangjoh
Password (will be hidden):
Error authenticating: The handle is invalid.

huangjoh@SHAPC0N4NVD MINGW64 ~
$ git --version
git version 2.21.0.windows.1

[SvenDowideit]

@ztou I presume adding winpty to the command fixes it?

$ winpty vault login -method=ldap username=huangjoh

[lrstanley]

As mentioned before, others have solved this by just forcing a tty on Windows, checking if there is a pty/tty on other systems, then defaulting to Go's os.Stdin. I don't think it's a bad solution, as a situation where vault is going to be executed on Windows without a terminal is much more rare than the reverse. In addition, the behavior of the terminal emulators isn't going to change anytime soon.

See the following (open_raw_* files):
https://github.com/concourse/concourse/tree/master/fly/pty

Usage of that package:
https://github.com/concourse/concourse/blob/fd3dd2cdb63381dd6d186beed53cbfb3f0d53a5f/fly/commands/hijack.go#L176

I would make a pr myself, but haven't had the time unfortunately.

If someone could at least re-open the issue, as I think it's something that is going to have to be solved by Vault, even if it's not necessarily a bug with Vault. I don't think Go itself can solve this, as IMO it's a bit opinionated.

[SvenDowideit]

and then i cam across https://github.com/kr/pty too - i don't see windows support, but maybe its an abstraction that would allow go to have one...

[mikeokner]

Bumping this if only to say that I have a lot of Windows users who use non-native shells like git-bash, mobaxterm, cygwin, etc. and then have problems authenticating with Vault due to this issue. I'd guess Windows users are in the minority of Vault users and it's not a show-stopper, but it is a bit of a nuisance to have to explain workarounds to users before they've even really gotten started.

[trentondyck]

+1 for a windows fix. using the workaround 'winpty' but please.
By the way, for windows git bash users. just add this to your .bashrc file, then it behaves as normal:
vault() { if [[ $@ == "login" ]]; then command winpty vault login; else command vault "$@"; fi; }