There are multiple, incompatible competing options for useful/working Windows SSH setups.
Windows Subsystem for Linux is not covered here (beyond a small section) and depending on the version you prefer (WSL1 or WSL2) you may run into various different problems with the options described below.
There are two options for FOSS based solutions around the KeePass password manager family available. One relies on Windows native OpenSSH fully (with its own caveats) and the other is a little more flexible but experimental and has other drawbacks such as no official browser support via the password manager.
KeeAgent is incompatible with the Windows OpenSSH agent because it supplies its own SSH agent. However, KeeAgent is able to talk to both Windows OpenSSH and the Git Bash bundled OpenSSH version after configuring SSH_AUTH_SOCK.
- Install KeePass and the KeeAgent plugin.
- In KeePass > Tools > Options configure the KeeAgent plugin:
  - Enable agent for Windows OpenSSH (experimental)
  - Create a Cygwin compatible socket file with the path %UserProfile%\.ssh\cygwin.socket
  - Create a msysGit compatible socket file with the path %UserProfile%\.ssh\msysgit.socket
- In %UserProfile%/.exports toggle the SSH_AUTH_SOCK variable (Cygwin should be fine), i.e. add export SSH_AUTH_SOCK=~/.ssh/cygwin.socket to your %UserProfile%\.bashrc or %UserProfile%\.bash_profile file
Optionally, remove the /c/Windows/System32/OpenSSH prefix from %UserProfile%/.path to use Windows OpenSSH in PowerShell and Git Bash bundled OpenSSH in Git Bash.
Windows ships its own OpenSSH binaries starting with Windows 10. See the official documentation for more details.
For this to work in Git Bash as expected as well, the $PATH has to be prefixed with the Windows OpenSSH binaries or else Git Bash will prefer its bundled OpenSSH version that is incapable of talking to the Windows OpenSSH agent. These dotfiles supply a $PATH already containing the correct path modifications (see %UserProfile%/.path).
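To check which of the two setups a Git Bash session actually ends up in, the following added example (not part of these dotfiles) classifies a PATH and SSH_AUTH_SOCK pair. The function names and result labels are made up for illustration; the System32/OpenSSH match follows the prefix quoted above.

```shell
#!/bin/sh
# Added example (not part of these dotfiles): classify which OpenSSH client a
# shell would run for a given PATH and which agent that client can reach.

# Print the first executable called NAME (or NAME.exe) in a colon-separated
# PATH string. Runs in a subshell so the IFS and noglob changes stay local.
first_in_path() (
  name=$1
  IFS=:
  set -f
  for dir in $2; do
    for cand in "$dir/$name" "$dir/$name.exe"; do
      if [ -f "$cand" ] && [ -x "$cand" ]; then
        printf '%s\n' "$cand"
        exit 0
      fi
    done
  done
  exit 1
)

# agent_route PATH_STRING AUTH_SOCK prints one label (all labels hypothetical):
#   no-ssh            no ssh client found in PATH_STRING
#   mixed             ssh and ssh-add come from different directories
#   windows-openssh   ssh resolves under System32/OpenSSH (Windows agent setup)
#   bundled-socket    other ssh, and AUTH_SOCK names an existing socket file
#   bundled-no-agent  other ssh, and AUTH_SOCK is empty or the file is missing
agent_route() (
  ssh_bin=$(first_in_path ssh "$1") || { echo no-ssh; exit 0; }
  add_bin=$(first_in_path ssh-add "$1") || add_bin=
  if [ "${ssh_bin%/*}" != "${add_bin%/*}" ]; then
    echo mixed
  else
    case $ssh_bin in
      */[Ss]ystem32/OpenSSH/*) echo windows-openssh ;;
      *) if [ -n "$2" ] && [ -e "$2" ]; then echo bundled-socket
         else echo bundled-no-agent; fi ;;
    esac
  fi
)

# Classify the current session.
agent_route "$PATH" "${SSH_AUTH_SOCK:-}"
```

A result of mixed or bundled-no-agent means the client and the key provider are not wired to each other, which is the situation the PATH prefix and the SSH_AUTH_SOCK export are meant to prevent.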
The Windows OpenSSH client makes using KeePassXC to manage SSH keys on Windows within the Git Bash possible.
Enable the OpenSSH Agent via the Windows Services management interface by setting the OpenSSH Authentication Agent to automatic and starting it or alternatively via a PowerShell prompt with administrative permissions:
# By default the ssh-agent service is disabled. Set it to start automatically so the next step works.
# Make sure you're running as an Administrator.
Get-Service ssh-agent | Set-Service -StartupType Automatic
# Start the service
Start-Service ssh-agent
# This should return a status of Running
Get-Service ssh-agent
Within KeePassXC the SSH support has to be enabled in the KeePassXC settings along with the option to use OpenSSH instead of Pageant.
Windows OpenSSH has a number of unsolved (despite claims to the contrary in some cases) issues that make it unreliable bordering on unusable in some instances:
- Early EOF errors when running git fetch over ssh (2022-10-08)
- Support SSH_AUTH_SOCK Unix Domain Sockets for Windows (2022-10-08)
  - There is a PR#674 that attempts to address this and may solve the Git Bash integration woes.
- Windows OpenSSH is a system package and not regularly updated (Windows 10 21H2 shipping OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2) (2022-10-08)
  - Win32-OpenSSH update in Windows
  - it may be feasible to replace the default package via winget & OpenSSH Version Directory, though
That means that while KeePassXC may be generally preferable because of its superior Browser integration (or other subjective reasons) the SSH integration on Windows is subpar and likely going to frustrate you at times. There is an open KeePassXC issue asking to support MSYS2 ssh-agent sockets on Windows (unresolved by 2023-02-13) that would improve the situation.
The OmniSSHAgent project appears to solve some of the cross provider and consumer issues by providing the required interfaces to interact with Git Bash provided SSH (cygwin/MSYS2) and Windows OpenSSH as well as the ability to provide SSH keys via KeePassXC. I haven't tested it though.
A commercial software alternative is 1Password that has built in SSH support starting with version 8.
Please check the official documentation for details. At this time (2023-02-13) this requires Windows Hello:
Requirements … Microsoft OpenSSH Windows Hello must be configured to unlock 1Password
A long-time favorite and previous de facto solution on Windows for enabling SSH is PuTTY with Pageant. KeePass with KeeAgent and KeePassXC both support Pageant and Git-Bash may also be able to consume SSH keys offered via Pageant managed in KeePass(XC). I have never used this, though.
BitWarden is a freemium solution similar to 1Password but does not offer SSH Agent integration at this time (2023-02-13) on its own. There are some workarounds for that such as Bitwarden SSH Agent, though. I have no experience with this, either.
Preface: I have no experience with making OpenSSH keys available in WSL 1 or 2 from Windows hosts.
There's OmniSSHAgent as previously pointed out. This appears to solve many of the integration issues between various consumers of SSH keys and providers thereof. I haven't tested it, though.
Beyond that there are some additional options for this that may or may not work based on arcane invocations of shell scripts; explore on your own. You may run into weird issues, though, because generally OpenSSH and OpenSSH Agent versions have to match and the WSL (1 and 2) OpenSSH binaries are updated and maintained separately from Windows.
You may want to take a look at wsl-agent-bridge and wsl-ssh-pageant or Sharing SSH keys between Windows and WSL 2.
Using jstarks/npiperelay you can forward the Windows OpenSSH agent into e.g. WSL 2. In particular PR#12 may be of interest.
Using rupor-github/wsl-ssh-agent you can forward the Windows OpenSSH into WSL 1.
Really? Well, that works, too. Whatever floats your boat: Manual (or semi-manual) setup it is.
Please read what GitHub has to say on the matter in their documentation.