53

On my Ubuntu machine, I simply use Keychain to maintain a single ssh-agent which stays logged in.

I'd like something similar to that on Windows now that OpenSSH is natively included. I was using Git Bash with the well-known if [ -z "$SSH_AUTH_SOCK" ] ; then ... script, but this resulted in many ssh agents being opened. I knew it was advised against (partly due to this blog post: http://rabexc.org/posts/pitfalls-of-ssh-agents), which is what made me get Keychain for Ubuntu. Another reason for not using this any more is that I'm moving to PowerShell as my main shell.

But I'm not sure how to achieve the same kind of thing on Windows specifically with PowerShell and with Win32-OpenSSH.

Thanks!

6 Answers

55

You must configure the OpenSSH Authentication Agent service to start automatically (or you can start it manually every time you open PowerShell for the first time: Start-Service ssh-agent).

After that, you need to run ssh-add C:\path\to\your\ssh\key\id_rsa only once. From then on, every time ssh-agent is started, the key will be there. You can check with ssh-add -l.

To have the SSH agent start automatically with Windows, you can run:

Set-Service ssh-agent -StartupType Automatic

in an Administrator PowerShell prompt.
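The steps above as one script, as an added example that is not part of this answer. It is meant to be run once from an elevated PowerShell prompt; the key path ($env:USERPROFILE\.ssh\id_ed25519) is an assumption and should be changed to match your key. It uses the exit code of ssh-add -l (0 = keys loaded, 1 = agent reachable but empty, 2 = agent not reachable) so that re-running it never prompts for a passphrase that is already loaded.

```powershell
# Added example: one-time setup of the Win32-OpenSSH agent service plus an
# idempotent key-loading step. Assumes the OpenSSH client is installed
# (ssh-add.exe on PATH) and that your key lives at the path below.
$KeyPath = Join-Path $env:USERPROFILE '.ssh\id_ed25519'   # assumed key location

# 1. Make the service start with Windows (needs an elevated prompt; the
#    service ships as 'Disabled' on recent Windows 10/11 builds).
$svc = Get-Service -Name ssh-agent
if ($svc.StartType -ne 'Automatic') {
    Set-Service -Name ssh-agent -StartupType Automatic
}
if ($svc.Status -ne 'Running') {
    Start-Service -Name ssh-agent
}

# 2. Load the key only if the agent does not already hold one.
#    ssh-add -l exit codes: 0 = keys loaded, 1 = agent empty, 2 = cannot reach agent.
$null = & ssh-add -l 2>$null
switch ($LASTEXITCODE) {
    0 {
        Write-Host 'ssh-agent already holds keys:'
        & ssh-add -l
    }
    1 {
        # Prompts for the passphrase once; the service keeps the key loaded
        # across restarts, so this branch should only run the first time.
        & ssh-add $KeyPath
    }
    2 {
        throw 'Cannot talk to ssh-agent. Check the service status and that ssh-add resolves to C:\Windows\System32\OpenSSH\ssh-add.exe'
    }
}
```

If the script ends in the throw branch even though the service is running, the ssh-add on your PATH is usually not the Windows one; see the answers below about Git for Windows and MinGW.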

6

In addition to what's covered here, I ran into an issue getting it to work with Git because apparently Git uses its own SSH executable by default. To solve this, you need to set core.sshCommand in your Git config to point to the OpenSSH executable installed by Windows:

git config --global core.sshCommand C:/Windows/System32/OpenSSH/ssh.exe

This article is where I found the solution, and it covers all the steps of the process of setting up SSH in Windows: https://richardballard.co.uk/ssh-keys-on-windows-10/.

Cole
4

Not a full answer, but still a solution to the problem that brought me here. (I also see a comment from one other person here that seems to be the same problem.)

If you have Git for Windows or MinGW or anything else which might add GNU utilities to your Windows PATH, that can interfere with the OpenSSH for Windows binaries. For me, I had to remove ProgramFiles/Git/bin from my PATH environment variable and then restart PowerShell in order to get this to work. Prior to that I was getting "communication with agent failed".

Kevin Rak
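A diagnostic for the two answers above (Git using its own ssh, and a MinGW ssh shadowing the Windows one on PATH), as an added example that is not part of either answer. It lists every ssh.exe and ssh-add.exe PowerShell can resolve, in PATH order, prints the version of the Windows build and of the Git for Windows build if present, then pins Git to the Windows client. The Git for Windows path (C:\Program Files\Git\usr\bin\ssh.exe) is an assumption about the default install layout.

```powershell
# Added example: find out which ssh/ssh-add the shell and Git will actually run,
# then point Git at the Windows OpenSSH client so git and ssh-add share one agent.
$WinSsh    = 'C:\Windows\System32\OpenSSH\ssh.exe'
$WinSshAdd = 'C:\Windows\System32\OpenSSH\ssh-add.exe'
$GitSsh    = Join-Path $env:ProgramFiles 'Git\usr\bin\ssh.exe'   # assumed Git for Windows layout

# Every match on PATH, first entry wins when you type the bare command.
foreach ($name in 'ssh', 'ssh-add') {
    Get-Command -Name $name -CommandType Application -All |
        Select-Object -ExpandProperty Source |
        ForEach-Object { "$name -> $_" }
}

# ssh -V writes to stderr, hence 2>&1. Different version strings here mean two
# different builds, each expecting a different agent socket/pipe.
"Windows OpenSSH: $(& $WinSsh -V 2>&1)"
if (Test-Path $GitSsh) { "Git for Windows: $(& $GitSsh -V 2>&1)" }

# Pin Git to the Windows client (forward slashes avoid quoting problems in .gitconfig).
git config --global core.sshCommand ($WinSsh -replace '\\', '/')
"core.sshCommand is now: $(git config --global --get core.sshCommand)"

# Final check: the Windows ssh-add must reach the service agent. Exit code 2
# here (or "communication with agent failed") means the wrong agent/binary mix.
& $WinSshAdd -l
"ssh-add exit code: $LASTEXITCODE"
```

If the PATH listing shows the Git for Windows ssh.exe before C:\Windows\System32\OpenSSH, either move the Windows entry earlier in PATH or, as the answer above did, drop the Git bin directory from PATH and restart the shell.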
2

I knew it was advised against (partly due to this blog post: http://rabexc.org/posts/pitfalls-of-ssh-agents) - which is what made me get Keychain for Ubuntu.

In light of this argument I must warn you against using ssh-agent from the PowerShell port of OpenSSH, as it silently uses on-disk storage of your keys in the Registry. See my own question (and answer) where-does-windows-openssh-ssh-agent-service-secretly-store-private-keys for a full explanation.

Essentially there are 3 problems with it:

  1. It stores secret keys ON DISK - never use in a shared or guest situation
  2. (traces of) Secret keys remain ON DISK after deletion
  3. PowerShell implementation does not conform to the openssh manual page ssh-agent.1 in key aspects of security.
aribi
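A way to see for yourself what the service agent persists, as an added example that is not part of this answer. It assumes, from the Win32-OpenSSH source rather than from anything stated on this page, that the service keeps loaded keys under HKLM:\SOFTWARE\OpenSSH\Agent\Keys, one subkey per key, with the private key material DPAPI-encrypted under the LocalSystem account. Reading that hive needs an elevated prompt, and the script only lists subkey and value names; it does not decrypt anything.

```powershell
# Added example: compare what ssh-add -l reports with what is persisted in the
# registry by the Windows ssh-agent service. Registry path is an assumption
# taken from the Win32-OpenSSH source; run from an elevated PowerShell.
$AgentKeys = 'HKLM:\SOFTWARE\OpenSSH\Agent\Keys'

function Get-PersistedAgentKeys {
    if (-not (Test-Path $AgentKeys)) { return @() }
    Get-ChildItem -Path $AgentKeys | ForEach-Object {
        [pscustomobject]@{
            SubKey = $_.PSChildName                   # one subkey per loaded key
            Values = ($_.GetValueNames() -join ', ')  # value names only, no decryption
        }
    }
}

Write-Host 'Keys the running agent reports (ssh-add -l):'
& ssh-add -l

Write-Host "`nSubkeys under ${AgentKeys}:"
Get-PersistedAgentKeys | Format-Table -AutoSize

# Unload everything from the agent, then look at the hive again. Whatever is
# still listed is on disk regardless of what ssh-add -l now shows.
# (You will need to ssh-add your key again afterwards.)
& ssh-add -D
Write-Host "`nAfter ssh-add -D:"
Get-PersistedAgentKeys | Format-Table -AutoSize
```

On a machine where the agent has never been used the path simply does not exist and the function returns an empty list, so the script is safe to run as a check before deciding whether to use the service at all.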
0

Searching for solutions to keep the ssh-agent open while using Git Bash (part of Git for Windows), rather than Windows PowerShell, may land you here too. Here's how to do that instead:

The best Windows instructions I've ever seen are on GitHub's documentation website, here: https://docs.github.com/en/authentication/connecting-to-github-with-ssh/working-with-ssh-key-passphrases?platform=windows#auto-launching-ssh-agent-on-git-for-windows

Essentially, you just need to add this script to the bottom of your ~/.bashrc file on Windows (usually at /c/Users/myusername/.bashrc):

# -------------------------------- START -----------------------------------
# Auto-launch the ssh-agent and load all private keys on Git for Windows
# Copied from: https://stackoverflow.com/a/76568760/4561887
env=~/.ssh/agent.env

# Source the saved agent environment (SSH_AUTH_SOCK, SSH_AGENT_PID) if present
agent_load_env () { test -f "$env" && . "$env" >| /dev/null ; }

# Start a new agent, save its environment with owner-only permissions, and source it
agent_start () {
    (umask 077; ssh-agent >| "$env")
    . "$env" >| /dev/null ; }

agent_load_env

# agent_run_state: 0=agent running w/ key; 1=agent w/o key; 2=agent not running
agent_run_state=$(ssh-add -l >| /dev/null 2>&1; echo $?)

if [ ! "$SSH_AUTH_SOCK" ] || [ $agent_run_state = 2 ]; then
    echo "Starting ssh-agent and adding your private keys."
    agent_start
    ssh-add
elif [ "$SSH_AUTH_SOCK" ] && [ $agent_run_state = 1 ]; then
    echo "Adding your private keys to ssh-agent."
    ssh-add
fi

unset env
# -------------------------------- END -------------------------------------

I provide full, beginner-friendly, and more up-to-date, instructions in my answer here: Stack Overflow: Running SSH Agent when starting Git Bash on Windows

-1

If you don't want to start the OpenSSH Authentication Agent service every time your device boots, but only when you open a shell, then consider adding the command to start the service to your PowerShell profile.

First, open the profile with your favorite editor:

notepad $PROFILE

Then paste the following code:

# For OpenSSH Authentication Agent startup and shutdown
$IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
if ($IsAdmin)
{
    $ServiceName = "ssh-agent"
    ($ServiceObject = Get-Service -Name $ServiceName) | Set-Service -StartupType Manual
    if ($ServiceObject.Status -ne "Running")
    {
        Start-Service $ServiceName
    }
    Write-Host "You can use git with SSH in this shell"
    Register-EngineEvent -SourceIdentifier PowerShell.Exiting -Action {
        taskkill /F /IM ssh-agent.exe /T
    }
}
else {
    Write-Warning "You cannot use git with SSH in this shell because it was not launched with admin privileges"
}
Bennet