WSL2 – How to Automate Starting SSH Agent and Adding Keys in Windows 11

Tags: ssh, ssh-agent, windows-11, wsl2

OS: Windows 11 Version 10.0.22621 Build 22621
WSL version: 1.2.5.0 (WSL 2)
Linux distro: Ubuntu 22.04.2 LTS

I run WSL2 on Windows 11 in a Windows Terminal window, and I often connect to a remote server through ssh key authentication. To do that, each time I open a new Windows Terminal window (or even just a new tab in an existing Terminal) I need to execute

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/my_key

(it's a key without a passphrase). This gets old very quickly. Is there a way that I can automate the launch of the ssh agent, and the addition of my key to it, every time I start a WSL2 session in the Windows Terminal?

Best Answer

Better Alternative (than original answer) based on having no passphrase on the keyfile

You asked about @u1686_grawity's comment:

If it's without passphrase, do you need the agent at all, as opposed to having the ssh client load it directly from a file?

@u1686_grawity makes a good point, and that's that most SSH clients will let you specify a keyfile directly without requiring an agent.

I often connect to a remote server through ssh key authentication.

You don't necessarily mention how you are connecting, but if it's with the stock ssh command, then you can simply specify your keyfile on the commandline with:

ssh -i ~/.ssh/my_key <username>@site

In that case, you don't need an ssh-agent running at all.

Even if you aren't using ssh-proper, most SSH tools that are based on OpenSSH will also use the same ~/.ssh/config, meaning you can even skip specifying the identity filename. For example, create a ~/.ssh/config with:

Host <whatever_you_want_to_call_it>
  Hostname <hostname_or_ip>
  User <optional_username_if_different>
  IdentityFile ~/.ssh/my_key

Then you can simply ssh <whatever_you_want_to_call_it> and everything else will be pulled from the config. Other tools like sftp and scp will also act the same.

Old Answer (works as well, but is required for keys with passwords):

@Kolkhis's answer will certainly work, but if you run multiple shells (e.g., under Tmux or Windows Terminal), it will invoke a new running instance of ssh-agent for each shell. In your case, that's not too bad since your key doesn't have a password (although I would caution against that as well, of course). However, for keys with passwords, you have to enter it again for each shell you run. It will also incur additional (albeit small) startup time and memory.

I recommend the keychain utility by Daniel Robbins (also the creator of Gentoo Linux). This small utility checks to see if there's an existing ssh-agent running, and if so, it simply sets the appropriate environment variables to point to that agent. Otherwise, on first launch, of course, it will start a new agent.

It's available in the default repositories of most distributions, including Ubuntu:

sudo apt install keychain

Then add the following to your ~/.bashrc:

eval $(keychain --eval my_key)

IIRC, you don't even need to specify the path to the key unless it isn't in the default ~/.ssh/.
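Sharing one agent between tabs without keychain. The following is an added example of my own, not code from the answer above or from the keychain project: a bash function for ~/.bashrc that does by hand what keychain does, namely probe for a live agent, adopt the one another tab already started, start a fresh one only when none is reachable, and add the key only if the agent does not already hold it. It assumes an environment file at ~/.ssh/agent.env (overridable through an SSH_AGENT_ENV_FILE variable that I made up for this example) and takes the private key path as its argument.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answer or from keychain: reuse one
# ssh-agent across every WSL2 shell/tab instead of starting a new one per shell.
# Assumptions (mine, not the post's): the agent's environment is persisted in
# $SSH_AGENT_ENV_FILE (default ~/.ssh/agent.env); the key path is passed in.
#
# Usage, in ~/.bashrc:   ssh_agent_reuse "$HOME/.ssh/my_key"

# Probe the agent with `ssh-add -l`; its exit status is the state we need:
# 0 = reachable with keys, 1 = reachable but empty, 2 = no usable agent.
agent_state() {
    local rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# True when the agent already holds the given key (compared by fingerprint,
# so another key already in the agent does not cause a needless re-add).
agent_has_key() {
    local key="$1" pub="$1" fp
    [ -r "$1.pub" ] && pub="$1.pub"
    fp=$(ssh-keygen -lf "$pub" | awk '{print $2}')
    ssh-add -l 2>/dev/null | awk '{print $2}' | grep -qxF "$fp"
}

ssh_agent_reuse() {
    local key="${1:?usage: ssh_agent_reuse /path/to/private_key}"
    local env_file="${SSH_AGENT_ENV_FILE:-$HOME/.ssh/agent.env}"
    local rc

    rc=$(agent_state)

    # No agent in this shell's environment: adopt the one another tab started.
    if [ "$rc" -eq 2 ] && [ -r "$env_file" ]; then
        # shellcheck disable=SC1090
        . "$env_file" >/dev/null
        rc=$(agent_state)
    fi

    # Still nothing (first shell, or the recorded agent died): start one.
    # The env file names the agent socket, so keep it owner-readable only.
    if [ "$rc" -eq 2 ]; then
        (umask 077; ssh-agent -s > "$env_file")
        . "$env_file" >/dev/null
        rc=$(agent_state)
    fi

    if [ "$rc" -eq 2 ]; then
        echo "ssh_agent_reuse: could not start or reach ssh-agent" >&2
        return 1
    fi

    # Add the key only if the agent does not already hold it; with a
    # passphrase-protected key this is what avoids a prompt in every tab.
    if [ "$rc" -eq 1 ] || ! agent_has_key "$key"; then
        ssh-add "$key"
    fi
}
```

Every Windows Terminal tab of the same distro runs in the same WSL2 instance and sees the same filesystem, so the env file written by the first tab is visible to every later one. The file only records the socket path and PID, but anyone who can read it and the socket can sign with your key, which is why it is written under umask 077. If the key does carry a passphrase you are prompted once, in the first tab, rather than in each; adding `-t 8h` to the `ssh-add` call bounds how long the loaded key stays usable in a tab you forget to close.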
