Use an ssh-agent in WSL with your SSH setup from Windows 10

Philipp Scheit
3 min read, Jan 10, 2019

TL;DR: use the (Debian) package keychain

I use ssh a lot in WSL (the Linux shell environment for Windows 10). For example, I run Ansible in bash for Windows, because Ansible cannot run as a controller on Windows.

I searched for options to integrate the ssh-agent from Windows, which is already set up correctly. I use KeePass and KeeAgent on the Windows side, which work really, really well. Here are the solutions I have found so far:

Start your own ssh-agent (most stable, least convenient)

in bash:

eval "$(ssh-agent -s)"
ssh-add - < /g/EigeneDateien/ssh/id_rsa   # "-" makes ssh-add read the key from stdin

I pipe the key into ssh-add on stdin because otherwise ssh-add refuses the file, complaining that its permissions are too open (a key file on a Windows drive shows up as world-readable in WSL). You can then use KeePass and its auto-type feature to enter the key passphrase.

Use socat to map your Windows ssh-agent to a socket in WSL (most convenient, less stable)

Run socat, which maps the Windows named pipe (via npiperelay) to a unix socket. This sounded great at first, but it is not really stable: I often found myself killing and restarting socat, and I did not find out why.

sudo rm -f /tmp/ssh-agent-pipe   # remove a stale socket from a previous run
# group=psc is my group; use your own. sudo is not needed if that is a group you belong to.
sudo socat UNIX-LISTEN:/tmp/ssh-agent-pipe,fork,group=psc,umask=007 "EXEC:npiperelay.exe -ep -s //./pipe/openssh-ssh-agent,nofork" &
export SSH_AUTH_SOCK="/tmp/ssh-agent-pipe"

Use KeePass and KeeAgent to create the "openssh-ssh-agent" named pipe on the Windows side.

You also need npiperelay, which converts the Windows named pipe into a stream that socat in turn reads and exposes as the unix socket.
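Since the relay tends to die, here is a small wrapper (an added example, not code from the original post or from the socat or npiperelay projects) that checks whether the socket still reaches an agent before starting or restarting socat, so it can be called from ~/.bashrc without spawning a new socat for every window. It assumes npiperelay.exe is on your PATH inside WSL, a socket path of /tmp/ssh-agent-pipe, and that the socket group is one you belong to so no sudo is needed; all three are assumptions, not settings from the article.

```shell
#!/bin/sh
# ssh-relay.sh: bridge the Windows OpenSSH agent pipe into WSL with socat and
# npiperelay, but only (re)start the bridge when it is not already working.
# Added example; assumes npiperelay.exe is on PATH inside WSL and that
# RELAY_GROUP is a group you belong to (then no sudo is needed for group=).

RELAY_SOCK="${RELAY_SOCK:-/tmp/ssh-agent-pipe}"
RELAY_GROUP="${RELAY_GROUP:-$(id -gn)}"

# socket_alive PATH: succeed only if PATH is a unix socket and an agent answers
# on it. ssh-add -l exits 0 (identities listed) or 1 (agent has no identities)
# when it reached the agent, and 2 when it could not connect; anything else
# (e.g. 127 when ssh-add is missing) is treated as "not alive" as well.
socket_alive() {
    [ -S "$1" ] || return 1
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1
    rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}

# ensure_relay: export SSH_AUTH_SOCK pointing at a working relay, starting or
# restarting socat if the current one is stale.
ensure_relay() {
    if socket_alive "$RELAY_SOCK"; then
        export SSH_AUTH_SOCK="$RELAY_SOCK"
        return 0
    fi
    # A socket file with no agent behind it means socat or npiperelay died:
    # clean up before starting a fresh pair.
    pkill -f "UNIX-LISTEN:$RELAY_SOCK" 2>/dev/null
    rm -f "$RELAY_SOCK"
    # The EXEC command line is one shell word; socat splits it on spaces itself.
    (socat "UNIX-LISTEN:$RELAY_SOCK,fork,group=$RELAY_GROUP,umask=007" \
        "EXEC:npiperelay.exe -ep -s //./pipe/openssh-ssh-agent,nofork" \
        >/dev/null 2>&1 &)
    # Wait briefly for socat to create the socket and for the agent to answer.
    tries=0
    while [ "$tries" -lt 5 ]; do
        if socket_alive "$RELAY_SOCK"; then
            export SSH_AUTH_SOCK="$RELAY_SOCK"
            return 0
        fi
        tries=$((tries + 1))
        sleep 1
    done
    echo "ssh-relay: no agent reachable via $RELAY_SOCK" >&2
    return 1
}

# When executed directly (rather than sourced from ~/.bashrc), start the relay
# and print the socket path, since a script cannot export into its caller.
case "$(basename -- "$0")" in
    ssh-relay.sh) ensure_relay && echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" ;;
esac
```

In ~/.bashrc, source the file and call `ensure_relay`; the check costs one `ssh-add -l` per new window and only touches socat when the relay is actually dead.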

Use the keychain package (moderately convenient, stable)

This has been my solution for several months now. There is an Ubuntu package called keychain:

sudo apt-get install keychain

then append to your ~/.bashrc

/usr/bin/keychain --nogui $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh

Replace the path with wherever your SSH key resides.

When you start bash it will ask for the passphrase of the key, or it will pick up the agent you unlocked the last time you entered your passphrase. So you don't have to type the passphrase for every new bash window.

This might not work by default if your key was created on Windows and lives on a Windows drive. keychain then fails with: Error: Problem adding; giving up. You need to configure the drive mounts in /etc/wsl.conf:

[automount]
enabled = true
options = "metadata,umask=22,fmask=11"

By default every file on a Windows drive appears in WSL as rwxrwxrwx, and that is why keychain (really ssh-add underneath) refuses to add your private key file to the agent: a private key must not be readable by anyone but its owner, i.e. it needs 600 (octal) permissions. The metadata option makes chmod take effect on those mounts, umask=22 and fmask=11 give new directories 755 and new files 644, and the key itself you then restrict by hand:

chmod 600 $HOME/.ssh/id_rsa

Look at the other options for wsl.conf in the Microsoft WSL documentation; an interesting one in the automount section is root, which sets where the Windows drives are mounted (by default /mnt/).

Then exit bash and, from a Windows command prompt or PowerShell, run wsl.exe -t Ubuntu so that the distro is really terminated and wsl.conf is re-read. You can then start Ubuntu bash again.
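A preflight check for the permission failure above (the same "too open" complaint that makes the first option pipe the key through stdin), written as an added example that is not the article's or keychain's code: it reads the mount table to tell whether the key sits on a drvfs mount without metadata, in which case chmod cannot help and the wsl.conf change plus a distro restart is required, and otherwise fixes the key to mode 600 before keychain is run. It assumes a GNU stat and the /proc/mounts line format; the mount lines in the comments are constructed samples and the script name is an assumption.

```shell
#!/bin/sh
# keychain-preflight.sh: check, before keychain runs from ~/.bashrc, that the
# private key can actually be handed to ssh-add. Added example, not the
# article's code; it assumes a GNU stat and reads the mount table from
# /proc/mounts, where WSL lists Windows drives as e.g. (constructed lines):
#   C:\134 /mnt/c drvfs rw,noatime,uid=1000,gid=1000,case=off 0 0
#   G:\134 /mnt/g drvfs rw,noatime,uid=1000,gid=1000,metadata,umask=22,fmask=11,case=off 0 0

# drvfs_opts MOUNTS PATH: print the options of the drvfs mount holding PATH
# (the longest mount point that is a prefix of PATH); print nothing when PATH
# is on a Linux filesystem, where chmod always works.
drvfs_opts() {
    awk -v p="$2" '
        $3 == "drvfs" && index(p, $2) == 1 &&
        (length(p) == length($2) || substr(p, length($2) + 1, 1) == "/") &&
        length($2) > best { best = length($2); opts = $4 }
        END { if (best) print opts }
    ' "$1"
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# key_mode PATH: permission bits of PATH in octal, e.g. 600 or 777 (GNU stat).
key_mode() {
    stat -c '%a' "$1"
}

# preflight MOUNTS KEY: return 0 if KEY is already mode 600, 1 if it was fixed
# just now, 2 if it cannot be fixed (Windows drive mounted without metadata,
# which needs the wsl.conf change and a distro restart, or KEY is missing).
preflight() {
    mounts=$1
    key=$2
    opts=$(drvfs_opts "$mounts" "$key")
    if [ -n "$opts" ] && ! has_opt "$opts" metadata; then
        echo "$key is on a Windows drive mounted without metadata: chmod cannot take effect" >&2
        return 2
    fi
    mode=$(key_mode "$key") || return 2
    [ "$mode" = 600 ] && return 0
    chmod 600 "$key" || return 2
    # Re-read the mode: on drvfs without metadata chmod reports success but
    # changes nothing, so never trust the chmod exit status alone.
    [ "$(key_mode "$key")" = 600 ] || return 2
    echo "$key: changed mode $mode to 600" >&2
    return 1
}

# Run directly as "keychain-preflight.sh [KEY]"; from ~/.bashrc source the file
# and start keychain only when preflight did not return 2:
#   . "$HOME/keychain-preflight.sh"
#   preflight /proc/mounts "$HOME/.ssh/id_rsa"
#   [ $? -ne 2 ] && keychain --nogui "$HOME/.ssh/id_rsa" && . "$HOME/.keychain/$HOSTNAME-sh"
case "$(basename -- "$0")" in
    keychain-preflight.sh) preflight /proc/mounts "${1:-$HOME/.ssh/id_rsa}" ;;
esac
```

The mount-table check matters because on a drvfs mount without metadata `chmod 600` exits 0 and changes nothing, so a script that only checks the chmod exit status would report success and keychain would still fail.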

What are your hacks for using ssh in WSL?