Side note: The latest edge build of KeeAgent plugin offers an option for creating a WSL compatible socket. This would be very handy. I already tried to use that socket, but the socket file is currently empty and ssh inside WSL 2 is unable to use it. This appears to be a very new, unreleased and unstable feature. I will follow the development of it and when it finally works (well, for me) I will update this HOWTO. But until then, please use the proven wsl-ssh-agent/npiperelay.exe approach below.
Thanks to the instructions for WSL 2 of the wsl-ssh-agent project, KeeAgent works great in WSL 2 now:
https://github.com/rupor-github/wsl-ssh-agent#wsl-2-compatibility
The approach uses minimal and well maintained tools.
- (03.03.2023) Change: Place the
npiperelay.exenot onto thedevfsfilesystem but rather Windows filesystem (thanks @NOBUTOKA) which fixes strange delays when using the SSH keys.
- Install the KeeAgent plugin for KeePass (2.x).
- The
OpenSSH Authentication AgentWindows service must be stopped. For being sure that it stays stopped, even after rebooting, disable the service (when it is stopped). - Open the KeeAgent options via KeePass Menu → Tools → Options → KeeAgent Tab.
Enable the option
Enable agent for Windows OpenSSH (experimental)A possible error messageWindows OpenSSH agent is already running. KeeAgent cannot listen for Windows OpenSSH requests.can be ignored, everything will still work fine. (You may still find the Workarounds / troubleshooting section at the end of this HOWTO interesting). No socket files need to be created, the options can be left disabled. - Necessary step (thanks @jacobblock):
socatmust also be installed:
sudo apt install socat
- Place the
npiperelay.exeunder the Windows filesystem (not onto the WSL system (devfs) filesystem! (thanks @NOBUTOKA)).
Place the
Note on this change: Although the deprecated approach (of putting npiperelay.exe under /usr/local/bin/npiperelay.exe inside your WSL 2 installation.
It must be on the devfs filesystem, see https://github.com/rupor-github/wsl-ssh-agent#wsl-2-compatibility.npiperelay.exe onto the devfs filesystem) still worked, it introduced strange delays. An user here noticed that placing npiperelay.exe onto the Windows filesystem (one can still symlink it into /usr/local/bin/ if one likes, not only didn't prevent it from running, but also fixed the delay. And indeed, the npiperelay repository itself states the opposite: The npiperelay.exe should be placed onto the windows filesystem, not onto devfs filesystem (interestingly, it would not have even run at that time as WSL hadn't supported running exe files in devfs, but apparently it also would introduce these delays).
Download instructions (thanks @musm; thanks @dmwyatt):
One suitable directory on the Windows filesystem can be C:\Users\<username>\wsl-keeagent\npiperelay.exe (%USERPROFILE%\wsl-keeagent\npiperelay.exe).
You can easily get the compatible path in WSL by using this handy command: wslpath "$(wslvar USERPROFILE)".
# just to be sure the path is right
echo $(wslpath "$(wslvar USERPROFILE)"/wsl-keeagent)
# create dedicated directory on Windows filesystem
mkdir -p $(wslpath "$(wslvar USERPROFILE)"/wsl-keeagent/)
# Download release ZIP into /tmp
# Release v1.5.2
wget https://github.com/rupor-github/wsl-ssh-agent/releases/download/v1.5.2/wsl-ssh-agent.zip -P /tmp
# Extract directly to the prepared Windows directory
sudo 7z e -y /tmp/wsl-ssh-agent.zip -o$(wslpath "$(wslvar USERPROFILE)"/wsl-keeagent/)
# Make the file executable
sudo chmod +x $(wslpath "$(wslvar USERPROFILE)"/wsl-keeagent/npiperelay.exe)
# (optional) Clean up downloaded ZIP file
rm /tmp/wsl-ssh-agent.zip
# Symlink `npiperelay.exe` back into `/usr/local/bin/npiperelay.exe`
sudo ln -s $(wslpath "$(wslvar USERPROFILE)"/wsl-keeagent/npiperelay.exe) /usr/local/bin/npiperelay.exe
What if I followed this guide before this change (pre 3rd March 2023) and I already have
npiperelay.exeat/usr/local/bin/npiperelay.exe? No problem, you can just move it out onto the Windows filesystem and even symlink it from there back to/usr/local/bin/npiperelay.exe, as this doesn't reintroduce the delay issue! See the instructions here
- Create a new script file
~/bin/wsl-ssh-agent-forwarder(thanks @r2evans) with the following contents:
#!/bin/bash
# Usage: wsl-ssh-agent-forward [ -k | -r ]
# Options:
# -k Kill the current process (if exists) and do not restart it.
# -r Kill the current process (if exists) and restart it.
# Default operation is to start a process only if it does not exist.
export SSH_AUTH_SOCK=$HOME/.ssh/agent.sock
sshpid=$(ss -ap | grep "$SSH_AUTH_SOCK")
if [ "$1" = "-k" ] || [ "$1" = "-r" ]; then
sshpid=${sshpid//*pid=/}
sshpid=${sshpid%%,*}
if [ -n "${sshpid}" ]; then
kill "${sshpid}"
else
echo "'socat' not found or PID not found"
fi
if [ "$1" = "-k" ]; then
exit
fi
unset sshpid
fi
if [ -z "${sshpid}" ]; then
rm -f $SSH_AUTH_SOCK
( setsid socat UNIX-LISTEN:$SSH_AUTH_SOCK,fork EXEC:"/usr/local/bin/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork & ) >/dev/null 2>&1
fi
Ensure the script (text) file uses proper UNIX (LF) line endings - especially when you create/edit that file from a Windows editor. You can ensure proper UNIX line endings by using the handy dos2unix tool: (e.g. install it using apt-install -y dos2unix) dos2unix ~/bin/wsl-ssh-agent-forwarder.
A telling symptom for incorrect line endings are errors like
command not found: ^M
command not found: ^M
parse error near `fi'
The bash script parser encountered characters that are used as line endings on non-UNIX systems, trying to interpret them and failing in the process. (thanks @jetzerb)
- Make the script executable:
chmod +x ~/bin/wsl-ssh-agent-forwarder - Add the following line to your
.bashrc(~/.bashrc) to execute the script above:
# KeeAgent
. ~/bin/wsl-ssh-agent-forwarderIt is important that the script is sourced (. is shorthand for source), not just executed inside .basrc,
as otherwise the exported environment variables would be used for the child process.
The VSCode terminal is a case for this.
- Important: Ensure the socket file exists (even just as an empty placeholder file)!
mkdir -p $HOME/.ssh
touch $HOME/.ssh/agent.sock
- (Tip) Reload .bashrc config in current bash session:
$ source ~/.bashrc
- You can check the key agent functionality by either connecting via SSH or listing the keys with
ssh-add -l(thanks @jacobblock). KeePass should automatically show the authentication prompt and/or notify that SSH keys have been accessed. Note: The KeePass program must be running when KeeAgent should be used. Turning on KeePass autostart could be a good idea.
ssh-add -l is helpful for debugging as it simply tries to connect to the SSH Agent to list the available keys, reporting potential issues.
ssh suddenly doesn't use KeeAgent anymore / "Windows OpenSSH agent is already running" error message / TortoiseGit/TortoiseSVN
Once in a while I encounter the issue where ssh suddenly doesn't use KeeAgent anymore. The "Windows OpenSSH agent is already running" error message when closing/confirming the KeeAgent options dialog (KeePass Menu → Tools → Options → KeeAgent Tab) also appears then. This could be caused by a deeper, underlying issue: I noticed that this happens when updating TortoiseGit or TortoiseSVN (I have both installed). These tools also install their own version of PuTTY/Pageant - this may cause issues with KeeAgent which also tries to run its own SSH agent. Uninstalling TortoiseGit and TortoiseSVN appears to alleviate the issue. Of course, one still wants to use TortoiseGit and TortoiseSVN. An uninstall isn't necessary. It should be sufficient to just disable the PuTTY Pageant that ships with TortoiseGit and TortoiseSVN, so they don't interfere with KeeAgent (and they aren't used anyway).
The ~/bin/wsl-ssh-agent-forwarder script can also be manually invoked with a -r or -k paramter.
-r makes it restart the SSH agent forwarding process, while -k kills it without restarting it (see the script comments).
When the SSH client has issues using the forwarded SSH agent, using wsl-ssh-agent-forwarder with -r and -k (and restarting/reloading the shell) can fix those issues without the need for rebooting the whole system.
Some issues (probably some stuck process or socket or pipe) can be fixed by simply rebooting the sytem.
What if I followed this guide before this change (pre 3rd March 2023) and I already have npiperelay.exe at /usr/local/bin/npiperelay.exe?
No problem, you can just move it out onto the Windows filesystem and even symlink it from there back to /usr/local/bin/npiperelay.exe, as this doesn't reintroduce the delay issue!
# just to be sure the path is right
echo $(wslpath "$(wslvar USERPROFILE)"/wsl-keeagent)
# create dedicated directory on Windows filesystem
mkdir -p $(wslpath "$(wslvar USERPROFILE)"/wsl-keeagent/)
# Move `npiperelay.exe` from `devfs` filesystem to Windows filesystem
sudo mv /usr/local/bin/npiperelay.exe $(wslpath "$(wslvar USERPROFILE)"/wsl-keeagent/)
# (optional) Change file ownership back from `root` to the normal user
sudo chown $USER npiperelay.exe
# Symlink `npiperelay.exe` back into `/usr/local/bin/npiperelay.exe`
sudo ln -s $(wslpath "$(wslvar USERPROFILE)"/wsl-keeagent/npiperelay.exe) /usr/local/bin/npiperelay.exe
Thanks to the symlink, nothing else (like paths) needs to be changed. You are done here, the fix is applied and the delays should be fixed now. No need to reload or restart either, as the binary is invoked each time, hence the next time the SSH agent is used, the binary at new location is used instead, which should fix the delay.