@Karreg
Forked from strarsis/howto.md
Created October 14, 2021 14:32
KeeAgent (for KeePass) on Bash on Windows / WSL

Update (October 2020)

Thanks to the instructions for WSL 2 of the wsl-ssh-agent project, KeeAgent works great in WSL 2 now (https://github.com/rupor-github/wsl-ssh-agent#wsl-2-compatibility). The approach uses minimal and well-maintained tools.

Installation/setup

  1. Install the KeeAgent plugin for KeePass (2.x).
  2. The OpenSSH Authentication Agent Windows service must be stopped. To make sure it stays stopped, even after rebooting, disable the service (once it is stopped).
  3. Open the KeeAgent options via KeePass Menu -> Tools -> Options -> KeeAgent Tab. Enable the option "Enable agent for Windows OpenSSH (experimental)". A possible error message ("Windows OpenSSH agent is already running. KeeAgent cannot listen for Windows OpenSSH requests.") can be ignored; everything will still work fine. No socket files need to be created; those options can be left disabled.
  4. Necessary step (thanks @jacobblock): socat must also be installed:
sudo apt install socat
  5. Place the npiperelay.exe under /usr/local/bin/npiperelay.exe inside your WSL 2 installation. It must be on the devfs filesystem, see https://github.com/rupor-github/wsl-ssh-agent#wsl-2-compatibility. Download instructions (thanks @musm; thanks @dmwyatt):
wget https://github.com/rupor-github/wsl-ssh-agent/releases/download/v1.5.2/wsl-ssh-agent.zip -P /tmp
sudo 7z e -y /tmp/wsl-ssh-agent.zip -o/usr/local/bin/
sudo chmod +x /usr/local/bin/npiperelay.exe
rm /tmp/wsl-ssh-agent.zip
  6. Create a new script file ~/bin/wsl-ssh-agent-forwarder (thanks @r2evans) with the following contents:
#!/bin/bash
# Usage: wsl-ssh-agent-forwarder [ -k | -r ]
# Options:
#    -k    Kill the current process (if exists) and do not restart it.
#    -r    Kill the current process (if exists) and restart it.
# Default operation is to start a process only if it does not exist.

export SSH_AUTH_SOCK=$HOME/.ssh/agent.sock

# Look for a process (socat) already listening on the agent socket.
sshpid=$(ss -ap | grep -F "$SSH_AUTH_SOCK")
if [ "$1" = "-k" ] || [ "$1" = "-r" ]; then
    # Reduce the ss output line to the bare PID (the text between "pid=" and ",").
    sshpid=${sshpid//*pid=/}
    sshpid=${sshpid%%,*}
    if [ -n "${sshpid}" ]; then
        kill "${sshpid}"
    else
        echo "'socat' not found or PID not found"
    fi
    if [ "$1" = "-k" ]; then
        # Return when sourced (a plain exit would close the calling shell).
        return 2>/dev/null || exit
    fi
    unset sshpid
fi

if [ -z "${sshpid}" ]; then
    # Remove a stale socket or placeholder file, then start the relay detached.
    rm -f "$SSH_AUTH_SOCK"
    ( setsid socat UNIX-LISTEN:"$SSH_AUTH_SOCK",fork EXEC:"/usr/local/bin/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork & ) >/dev/null 2>&1
fi
  7. Make the script executable: chmod +x ~/bin/wsl-ssh-agent-forwarder
  8. Add the following line to your .bashrc (~/.bashrc) to execute the script above:
# KeeAgent
. ~/bin/wsl-ssh-agent-forwarder

It is important that the script is sourced (. is shorthand for source), not just executed inside .bashrc, as otherwise the exported environment variable would only be set in the child process that runs the script, not in the shell that reads .bashrc. The VSCode terminal is one case where this matters.

  9. Important: Ensure the socket file exists (even just as an empty placeholder file)!
mkdir -p $HOME/.ssh
touch $HOME/.ssh/agent.sock
  10. (Tip) Reload .bashrc config in current bash session:
$ source ~/.bashrc
  11. You can check the key agent functionality by either connecting via SSH or listing the keys with ssh-add -l (thanks @jacobblock). KeePass should automatically show the authentication prompt and/or notify that SSH keys have been accessed. Note: KeePass must be running whenever KeeAgent is to be used. Turning on KeePass autostart could be a good idea.
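
Besides ssh-add -l, the socket itself is worth checking: any local process that can connect to it can request signatures from the keys KeePass holds. The following is an added example, not part of the original gist; the function names and return codes are this example's own, and it assumes GNU stat. It tells the placeholder file apart from a live socket and flags a socket or directory that other users could reach.

```shell
#!/bin/bash
# Added example, not part of the original gist. Function names and return
# codes are this example's own. Needs GNU stat (present in WSL distributions).

# check_agent_sock PATH
#   0  PATH is a socket, owned by you, not reachable by other users
#   1  PATH does not exist
#   2  PATH exists but is not a socket (e.g. the placeholder file from
#      `touch`, which means socat is not listening)
#   3  PATH or its directory is owned by a different user
#   4  directory is open to group/others, or socket is group/other-writable
#      (write permission on a Unix socket is what allows connecting to it)
check_agent_sock() (   # subshell body: variables stay local, exit == return
    sock=$1
    dir=$(dirname -- "$sock")
    [ -e "$sock" ] || exit 1
    [ -S "$sock" ] || exit 2
    me=$(id -u)
    [ "$(stat -c %u -- "$dir")" = "$me" ] || exit 3
    [ "$(stat -c %u -- "$sock")" = "$me" ] || exit 3
    # stat %a prints the octal mode (e.g. 700); the leading 0 makes the
    # shell read it as octal inside $(( )).
    [ $(( 0$(stat -c %a -- "$dir") & 077 )) -eq 0 ] || exit 4
    [ $(( 0$(stat -c %a -- "$sock") & 022 )) -eq 0 ] || exit 4
    exit 0
)

# report_agent_sock [PATH]: print a one-line verdict, return the same code.
report_agent_sock() {
    sock=${1:-${SSH_AUTH_SOCK:-$HOME/.ssh/agent.sock}}
    rc=0
    check_agent_sock "$sock" || rc=$?
    case $rc in
        0) echo "ok: $sock is a private socket" ;;
        1) echo "missing: $sock (forwarder not started?)" ;;
        2) echo "not a socket: $sock (placeholder only, socat not listening)" ;;
        3) echo "wrong owner: $sock or its directory" ;;
        4) echo "too open: tighten permissions on $sock and its directory" ;;
    esac
    return "$rc"
}
```

Run report_agent_sock after sourcing the forwarder; a "too open" result caused by the directory is fixed with chmod 700 ~/.ssh.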

Note: Comments below may relate to the outdated Howto for WSL 1 and msysgit2unix-socket.py!
