Integration with bash on Windows 10 Preview #159

Closed
katekarnage opened this issue Jul 13, 2016 · 35 comments

@katekarnage

The good news is, this already works and should just need some documentation adding to tips and tricks.

Using the MSYSGIT socket functionality already provided, the bash/linux subsystem on windows 10 Preview can be made to use KeeAgent as its ssh agent.

I managed to do it using socat (apt-get install socat within bash on windows) and a script like the one below (pretty crude, ignores some things like proper host/network translation on the port number, because, well... the target architecture is known! and some cleanup could be added to .bash_logout etc)

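```bash
# If the MSYSGIT socket in KeeAgent is set to c:\Users/foo/Documents/ssh_auth_msysgit
SSH_AUTH_KEEAGENT_SOCK=/mnt/c/Users/foo/Documents/ssh_auth_msysgit
# the socket file starts with "!<socket >PORT"; extract the TCP port KeeAgent listens on
SSH_AUTH_KEEAGENT_PORT=`sed -r 's/!<socket >([0-9]*\b).*/\1/' ${SSH_AUTH_KEEAGENT_SOCK}`

# use socket filename structure similar to ssh-agent
ssh_auth_tmpdir=`mktemp --tmpdir --directory keeagent-ssh.XXXXXXXXXX`
# export so that ssh and ssh-add started from this shell can find the socket
export SSH_AUTH_SOCK="${ssh_auth_tmpdir}/agent.$$"

# relay the Unix socket to KeeAgent's TCP port; stdout is redirected first so that stderr is silenced too
socat UNIX-LISTEN:${SSH_AUTH_SOCK},mode=0600,fork,shut-down TCP:127.0.0.1:${SSH_AUTH_KEEAGENT_PORT},connect-timeout=2 > /dev/null 2>&1 &
```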
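
A more defensive take on the socat relay above, as an added example that is not part of the original thread: it validates the port read from the msysGit socket file, keeps the Unix socket in a 0700 directory, and runs one relay per user instead of one per shell. The function names and the `$HOME/.ssh/keeagent` location are assumptions; it relies on `socat`, `pgrep`/`pkill` and GNU `stat`.

```shell
# Added example, not code from the thread; function names are hypothetical.

# Print the TCP port from a KeeAgent msysGit socket file ("!<socket >PORT...").
keeagent_port() {
    local port
    port=$(sed -n '1s/^!<socket >\([0-9]*\).*/\1/p' "$1" 2>/dev/null)
    case $port in ''|??????*) return 1 ;; esac      # empty or more than 5 digits
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# Succeed only if $1 is a Unix socket we own, with no group/other permission
# bits, inside a directory we own that is also closed to group/other.
agent_sock_is_private() {
    local dir
    dir=$(dirname -- "$1")
    [ -S "$1" ] && [ -O "$1" ] && [ -O "$dir" ] || return 1
    case "$(stat -c %a "$1") $(stat -c %a "$dir")" in
        ?00\ ?00) return 0 ;;
        *) return 1 ;;
    esac
}

# Start a single relay per user (rather than one per shell) and export
# SSH_AUTH_SOCK. $1 is the msysGit socket file configured in KeeAgent.
keeagent_bridge() {
    local port dir sock uid
    port=$(keeagent_port "$1") || { echo "keeagent: no port in $1" >&2; return 1; }
    uid=$(id -u)
    dir="$HOME/.ssh/keeagent"                       # assumed location
    sock="$dir/agent.sock"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Reuse a relay only if it targets the port currently in the file.
    if ! pgrep -u "$uid" -f "UNIX-LISTEN:$sock.*TCP:127.0.0.1:$port," >/dev/null; then
        pkill -u "$uid" -f "UNIX-LISTEN:$sock" 2>/dev/null
        rm -f "$sock"
        ( umask 077
          setsid socat "UNIX-LISTEN:$sock,mode=0600,fork" \
              "TCP:127.0.0.1:$port,connect-timeout=2" >/dev/null 2>&1 & )
    fi
    export SSH_AUTH_SOCK="$sock"
}
```

Call `keeagent_bridge /mnt/c/Users/foo/Documents/ssh_auth_msysgit` from `~/.bashrc`; `agent_sock_is_private "$SSH_AUTH_SOCK"` can then be used to audit the resulting socket, or any other socket path, before trusting it.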


@dlech
Owner

dlech commented Jul 13, 2016

Nifty. I'll try this out when I get a chance.

@mendhak

mendhak commented Aug 20, 2016

Thanks @katekarnage, never heard of socat until now.

I added this to my ~/.bashrc, seems to work well with KeeAgent on launching Bash on Win10.

```bash
#KeeAgent setup
SSH_AUTH_KEEAGENT_SOCK=/mnt/c/Temp/syslockfile
SSH_AUTH_KEEAGENT_PORT=`sed -r 's/!<socket >([0-9]*\b).*/\1/' ${SSH_AUTH_KEEAGENT_SOCK}`
ssh_auth_tmpdir=`mktemp --tmpdir --directory keeagent-ssh.XXXXXXXXXX`
export SSH_AUTH_SOCK="${ssh_auth_tmpdir}/agent.$$"
socat UNIX-LISTEN:${SSH_AUTH_SOCK},mode=0600,fork,shut-down TCP:127.0.0.1:${SSH_AUTH_KEEAGENT_PORT},connect-timeout=2 2>&1 > /dev/null &
```

On connecting via SSH I do see this error though, is it something we can safely ignore?

```
2016/08/20 12:08:46 socat[20] E write(4, 0xf24640, 5): Broken pipe
```

@dlech
Owner

dlech commented Oct 2, 2016

It looks like unix sockets are at least partially implemented. microsoft/WSL#134

This is really what should be used here instead of socat.

@FlorinAsavoaie

Not extremely easy to implement the Unix sockets outside a WSL instance, as far as I can tell. Meanwhile I wrote this: https://gist.github.com/FlorinAsavoaie/8c2b6cb00f786c2caab65b1a51f4e847.

@h31

h31 commented Apr 21, 2017

A major upgrade for Linux subsystem was released
https://blogs.msdn.microsoft.com/commandline/2017/04/11/windows-10-creators-update-whats-new-in-bashwsl-windows-console/
Will it make things easier?

@rfnx

rfnx commented Apr 21, 2017

Still not working for me, even with the new Creators update.

I tried to declare the socket in KeeAgent options (both types, msysGit and Cygwin) and then export "SSH_AUTH_SOCK" in bash, but maybe I'm doing it wrong?

@dlech
Owner

dlech commented Apr 21, 2017

MSYS/Cygwin use TCP sockets, not Unix sockets, so they will not work with native Linux ssh programs. We need to figure out how to create a Unix socket from a Windows program (if that is even possible) or perhaps automate the socat tunnel that is described in the opening comment here.

@saxonww

saxonww commented Apr 21, 2017

https://github.com/ionescu007/lxss might help answer this question.

I've spent less than 5 minutes looking at this, but it suggests that there is an 'ADSS bus' which is the bridge between the Win32 and WSL environments. It might not really be possible (yet) to just create a socket file from a Win32 program and have it be recognized as such by a WSL process; there would maybe need to be something like the lxext/lxexec method described in the readme for this repo.

@saxonww

saxonww commented Apr 21, 2017

Also fwiw I have been using a modified version of @FlorinAsavoaie's python thing for several months. It works as well or better than the socat method, with the one downside being if I try to close my WSL window(s) while keepass is locked, I get into a db unlock loop that is really hard to get out of.

@h31

h31 commented Apr 21, 2017

> https://github.com/ionescu007/lxss might help answer this question.

WSL from the Creators Update allows running arbitrary Linux commands from a Windows executable. There's no need to use unofficial tools.

@saxonww

saxonww commented Apr 21, 2017

Does this new capability extend to reading and writing from a Linux socket file?

@h31

h31 commented Apr 21, 2017

Haven't heard about such possibilities. I've posted a link above, maybe it will help.

@strarsis
Contributor

I use this now in .bashrc:

```bash
# KeeAgent
export SSH_AUTH_SOCK="/tmp/.ssh-auth-sock"
~/bin/msysgit2unix-socket.py /mnt/d/pass/keeagent-msysgit:$SSH_AUTH_SOCK
```

It uses the msysgit2unix-socket python script, a recent fork you can find here:
https://gist.github.com/duebbert/4298b5f4eb7cc064b09e9d865dd490c9

@saxonww

saxonww commented Dec 19, 2017

https://blogs.msdn.microsoft.com/commandline/2017/12/19/af_unix-comes-to-windows/ !!

Doesn't interop with WSL yet, apparently, but the blog makes it sound like it will soon-ish, and it's listed in the WSL release notes for 17063...

@strarsis
Contributor

What is cool is that it also works with FileZilla Normal login and some other SSH clients on Windows.
They seem to share the same library.

@pscheit

pscheit commented Aug 1, 2018

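```bash
# -S tests for a socket; -f only matches regular files, so it never matches the socket socat creates
if [ ! -S /tmp/ssh-agent-pipe ]; then
    sudo socat UNIX-LISTEN:/tmp/ssh-agent-pipe,fork,group=yourusernamegroup,umask=007 EXEC:"npiperelay.exe -ep -s //./pipe/openssh-ssh-agent",nofork &
fi
```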

and enable the experimental open ssh support
https://github.com/jstarks/npiperelay

After reading this thread I should've known that there is already a TCP socket available to bind with socat, but leaving this here for someone who's interested ..

@strarsis
Contributor

strarsis commented Aug 1, 2018

@pscheit: Where do I have to enable the experimental open ssh support?
Is this a npiperelay option or a KeeAgent option?

@pscheit

pscheit commented Aug 1, 2018

image

jip

@strarsis
Contributor

strarsis commented Aug 1, 2018

@pscheit: How can I avoid sudo prompt at the beginning of each shell session?
Besides this issue, typing in terminal becomes strange sometimes.
When using Ctrl+C in shell, the command exits with code 130.

@reynoldsbd

Hello! I am not a KeeAgent user, but I got a tip that folks here might be interested in wsl-agent-bridge. In short, it allows WSL to transparently use the Windows port of ssh-agent via an AF_UNIX socket.

@BWibo

BWibo commented Mar 7, 2019

This works fine for me.
https://solariz.de/de/ubuntu-subsystem-windows-keepass-keeagent-pageant-linux-ssh.htm
It uses weasel-pagent.

Win10 version:

```
Win10 x64, Version 1803, Build 17134.590
```

WSL version:

```
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.6 LTS
Release:        14.04
Codename:       trusty
```

I had to make some minor modifications to the script loading weasel-pagent from .bashrc.

```bash
#!/usr/bin/env bash

# using pagent / Keepass for Authentication
# see: https://solariz.de/de/ubuntu-subsystem-windows-keepass-keeagent-pageant-linux-ssh.htm

# config
WEASELPAGENTVERSION=1.2
WEASELPAGENTDIR=/path/to/weasel-pageant-$WEASELPAGENTVERSION

# killing old running socket
echo -n "pageant:"
$WEASELPAGENTDIR/weasel-pageant -k >/dev/null 2>/dev/null
eval $($WEASELPAGENTDIR/weasel-pageant -r -a "/tmp/.weasel-pageant-$USER") >/dev/null 2>/dev/null
sleep .5
sshkeysloaded=$(ssh-add -l|grep -c RSA)
if [[ $sshkeysloaded -gt 0 ]] ; then
    echo -e "\e[92m OK, ready for Agent forward, loaded $sshkeysloaded keys."
else
    echo -e "\e[91m Fail, no keys found or pageant connection failed. "
fi
echo
```

@r2evans

r2evans commented May 30, 2020

@BWibo, I found the link you provided to be stale, I think the updated links are de and en (the "de" version says that the "en" page is an updated version, not sure, I don't know German and have not otherwise translated the page).

Regardless, though, it appears that weasel-pageant is self-deprecated (and now past end-of-life). Some preferences include WinCryptSSHAgent or wsl-ssh-pageant, though I think only the latter might be compatible with KeeAgent.

It's been a year since you provided that script. Are you still using these methods? Have you shifted to something else? I've just updated to wsl2, and I'm trying to determine my options for having a unified windows/GfW/wsl2 ssh experience. Thanks!

@BWibo

BWibo commented Jun 9, 2020

Hey there, I can confirm this working with Ubuntu 20 on WSL 1. However, I have had some issues every now and then, but it works in general.

This link works and contains some updates as well:
https://tcpip.wtf/en/linux-ubuntu-subsystem-windows-keepass-keeagent-pageant.htm

This is what I currently use:

```zsh
#!/usr/bin/env zsh
# see: https://tcpip.wtf/en/linux-ubuntu-subsystem-windows-keepass-keeagent-pageant.htm

# config
WEASELPAGEANTVERSION=1.4
WEASELPAGEANTDIR="$HOME/.weasel-pageant/weasel-pageant-$WEASELPAGEANTVERSION"

echo "WeaselPAgeant v$WEASELPAGEANTVERSION"

# run weasel-pagent
echo -n "pageant:"
eval $("$WEASELPAGEANTDIR/weasel-pageant" -r -b -a "$HOME/.wslsock")

sleep .1
sshkeysloaded=$(ssh-add -l | egrep -c "RSA|ED|SHA" )
if [[ $sshkeysloaded -gt 0 ]] ; then
    echo -e "\e[92m OK, ready for Agent forward, loaded $sshkeysloaded keys."
else
    echo -e "\e[91m Fail, no keys found or pageant connection failed. "
fi
echo
```

@r2evans

r2evans commented Jun 10, 2020

Thanks @BWibo! (I had hoped you were on wsl2 and had found a worthy successor to weasel-pageant.)

@musm

musm commented Jun 13, 2020

So how can I use KeeAgent within WSL2? There's a lot of conflicting results/methods. Thanks

@r2evans

r2evans commented Jun 13, 2020

I haven't found a working solution yet. I suspect I'm mis-using socat and/or npiperelay, so I don't know if it's a problem with WSL2 or with my attempts.

@BWibo

BWibo commented Jun 16, 2020

One of the reasons I haven't switched to WSL2 is that there is no working KeeAgent integration yet...

@strarsis
Contributor

Thanks for the information! I use KeePass + KeeAgent intensively and having issues on WSL 2 would be a blocker, hence I will wait with migration to WSL 2.

@strarsis
Contributor

Thanks to the instructions for WSL 2 of the wsl-ssh-agent project it works now: https://github.com/rupor-github/wsl-ssh-agent#wsl-2-compatibility

@musm

musm commented Jun 21, 2020

> Thanks to the instructions for WSL 2 of the wsl-ssh-agent project it works now: https://github.com/rupor-github/wsl-ssh-agent#wsl-2-compatibility

Wow, awesome! Tested and totally works. Just a tip for others trying to make it work on WSL 2 using this guide. Extract npiperelay from https://github.com/rupor-github/wsl-ssh-agent#wsl-2-compatibility to a Windows path, e.g.: C:\Tmp\npiperelay.exe then modify the text there and set in your bashrc file

```bash
export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"
# start the relay only if nothing is listening on the socket yet
ss -a | grep -q "$SSH_AUTH_SOCK"
if [ $? -ne 0 ]; then
    rm -f "$SSH_AUTH_SOCK"
    ( setsid socat UNIX-LISTEN:"$SSH_AUTH_SOCK",fork EXEC:"/mnt/c/Tmp/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork & ) >/dev/null 2>&1
fi
```

In the original guide it says to extract npiperelay.exe to $HOME/winhome/.wsl/npiperelay.exe but that didn't work

@strarsis
Contributor

strarsis commented Sep 5, 2020

Howto: https://gist.github.com/strarsis/e533f4bca5ae158481bbe53185848d49

@leonard84

@BWibo just for completeness sake, weasel-pagent works just fine with WSL 2. It is still deprecated, but so far it is IMHO the easiest solution until keeagent somehow gets direct WSL(2) support.

@strarsis
Contributor

@leonard84: Not trying to be bragging here, but you should check out this HOWTO: https://gist.github.com/strarsis/e533f4bca5ae158481bbe53185848d49
👍

@dlech
Owner

dlech commented Jan 29, 2022

I've just merged a change to allow KeeAgent to work directly with WSL1 and opened a new issue to document the WSL2 workaround (#339).

@dlech dlech closed this as completed Jan 29, 2022