Thanks to the instructions for WSL 2 of the wsl-ssh-agent
project, KeeAgent works great in WSL 2 now:
https://github.com/rupor-github/wsl-ssh-agent#wsl-2-compatibility
The approach uses minimal and well maintained tools.
- Install the KeeAgent plugin for KeePass (2.x).
- The
OpenSSH Authentication Agent
Windows service must be stopped. For being sure that it stays stopped, even after rebooting, disable the service (when it is stopped). - Open the KeeAgent options via KeePass Menu -> Tools -> Options -> KeeAgent Tab.
Enable the option
Enable agent for Windows OpenSSH (experimental)
A possible error messageWindows OpenSSH agent is already running. KeeAgent cannot listen for Windows OpenSSH requests.
can be ignored, everything will still work fine. No socket files need to be created, the options can be left disabled. - Necessary step (thanks @jacobblock):
socat
must also be installed:
sudo apt install socat
- Place the
npiperelay.exe
under/usr/local/bin/npiperelay.exe
inside your WSL 2 installation. It must be on the devfs filesystem, see https://github.com/rupor-github/wsl-ssh-agent#wsl-2-compatibility. Download instructions (thanks @musm; thanks @dmwyatt):
wget https://github.com/rupor-github/wsl-ssh-agent/releases/download/v1.5.2/wsl-ssh-agent.zip -P /tmp
sudo 7z e -y /tmp/wsl-ssh-agent.zip -o/usr/local/bin/
sudo chmod +x /usr/local/bin/npiperelay.exe
rm /tmp/wsl-ssh-agent.zip
- Create a new script file
~/bin/wsl-ssh-agent-forwarder
(thanks @r2evans) with the following contents:
#!/bin/bash
# Usage: wsl-ssh-agent-forward [ -k | -r ]
# Options:
# -k Kill the current process (if exists) and do not restart it.
# -r Kill the current process (if exists) and restart it.
# Default operation is to start a process only if it does not exist.
export SSH_AUTH_SOCK=$HOME/.ssh/agent.sock
sshpid=$(ss -ap | grep "$SSH_AUTH_SOCK")
if [ "$1" = "-k" ] || [ "$1" = "-r" ]; then
sshpid=${sshpid//*pid=/}
sshpid=${sshpid%%,*}
if [ -n "${sshpid}" ]; then
kill "${sshpid}"
else
echo "'socat' not found or PID not found"
fi
if [ "$1" = "-k" ]; then
exit
fi
unset sshpid
fi
if [ -z "${sshpid}" ]; then
rm -f $SSH_AUTH_SOCK
( setsid socat UNIX-LISTEN:$SSH_AUTH_SOCK,fork EXEC:"/usr/local/bin/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork & ) >/dev/null 2>&1
fi
- Make the script executable:
chmod +x ~/bin/wsl-ssh-agent-forwarder
- Add the following line to your
.bashrc
(~/.bashrc
) to execute the script above:
# KeeAgent
. ~/bin/wsl-ssh-agent-forwarder
It is important that the script is sourced (.
is shorthand for source
), not just executed inside .basrc
,
as otherwise the exported environment variables would be used for the child process.
The VSCode terminal is a case for this.
- Important: Ensure the socket file exists (even just as an empty placeholder file)!
mkdir -p $HOME/.ssh
touch $HOME/.ssh/agent.sock
- (Tip) Reload .bashrc config in current bash session:
$ source ~/.bashrc
- You can check the key agent functionality by either connecting via SSH or listing the keys with
ssh-add -l
(thanks @jacobblock). KeePass should automatically show the authentication prompt and/or notify that SSH keys have been accessed. Note: The KeePass program must be running when KeeAgent should be used. Turning on KeePass autostart could be a good idea.