Install ssh keychain on Ubuntu with WSL

Tags: openssh, server, ssh, ssh-agent, windows-subsystem-for-linux

Please help me understand how to install SSH keychain on my Ubuntu under WSL in order for me to be able to configure my .ssh/config to use it.

I'm taking some online training, and I've tried setting up my config file like the instructor (who is using Metatron CLI), using UseKeychain, but it does not recognise that as a valid setting:

Host *
    AddKeysToAgent Yes
    UseKeychain Yes
    IdentityFile ~/.ssh/[his githubfile]

But when I tried logging into my server it said UseKeychain is not a command. Since then, I've been trying to find out how to add my key to my keychain and how to set up my config file.

Best Answer

Part of your problem, at least, is that UseKeychain is a MacOS-specific configuration option which instructs it to add the unlocked key to the MacOS Keychain (part of that OS that can store it securely). So we can assume that your instructor is on a Mac. It sounds like the Mac version of ssh will read the OS keychain, which is typically unlocked on first use across the whole OS. My understanding is that there are equivalents under Ubuntu, like Gnome Keyring, but this won't work under WSL.

So let's start with the fact that you'll need to remove that MacOS-specific configuration option under Ubuntu, at least.

If your instructor is providing that config file to students as an example, they really should do it properly with:

Host *
    IgnoreUnknown UseKeychain
    AddKeysToAgent Yes
    UseKeychain Yes
    IdentityFile ~/.ssh/[his githubfile]

That would allow it to work both on a Mac as well as the (90%+) rest of the world.

Under WSL Ubuntu, you will need to enter the passphrase at least once in each session to add it to ssh-agent. If you run multiple shell instances, you'll typically need a new ssh-agent invocation in each shell.

Alternatively, you can install Funtoo keychain which can (more) easily set up the connection to ssh-agent in each shell instance. This can allow you to only need to enter the passphrase once as long as the WSL instance is working.

sudo apt-get install keychain

And add something like the following to your ~/.bashrc:

eval `keychain --eval --agents ssh id_rsa`

See the official keychain website for full instructions.

Please note, once the WSL Ubuntu instance terminates (wsl -l -v shows "Stopped") then the passphrase will need to be entered again on next use.
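
A lint for the portability problem described in the answer, as an added example that is not part of the original post: it flags UseKeychain lines that no earlier IgnoreUnknown covers. The function names and the MAC_ONLY list are assumptions; Host/Match scoping, Include files and negated patterns are not modelled.

```shell
# Added example, not from the original post.
# Keywords only Apple's ssh build accepts (UseKeychain is the one from the post).
MAC_ONLY="usekeychain"

# covered KEYWORD PATTERN_LIST: succeeds if a comma-separated glob matches KEYWORD
covered() {
    _kw=$1 _old=$IFS
    IFS=,; set -f; set -- $2; set +f; IFS=$_old
    for _pat in "$@"; do
        case $_kw in $_pat) return 0 ;; esac
    done
    return 1
}

# lint_ssh_config FILE: prints one line per macOS-only keyword that no earlier
# IgnoreUnknown covers; returns 1 if any were found, else 0.
lint_ssh_config() {
    _file=$1 _ignored="" _n=0 _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        # "Key Value" and "Key=Value" are both valid; split on blanks and '='
        set -f; set -- $(printf '%s\n' "$_line" | tr '=' ' '); set +f
        [ $# -gt 0 ] || continue
        case $1 in '#'*) continue ;; esac
        _key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        if [ "$_key" = ignoreunknown ]; then
            # ssh keeps the first value it obtains; later ones do not replace it
            [ -n "$_ignored" ] || _ignored=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
            continue
        fi
        for _m in $MAC_ONLY; do
            [ "$_key" = "$_m" ] || continue
            covered "$_key" "$_ignored" && continue
            echo "line $_n: $1 needs an earlier 'IgnoreUnknown $1'"
            _bad=1
        done
    done < "$_file"
    return $_bad
}

# Constructed samples: the question's config and the answer's corrected one
demo() {
    _d=$(mktemp -d)
    printf 'Host *\n    AddKeysToAgent Yes\n    UseKeychain Yes\n' > "$_d/before"
    printf 'Host *\n    IgnoreUnknown UseKeychain\n    UseKeychain Yes\n' > "$_d/after"
    lint_ssh_config "$_d/before" || echo "before: not portable"
    lint_ssh_config "$_d/after" && echo "after: portable"
    rm -rf "$_d"
}
```

Source the file and run lint_ssh_config ~/.ssh/config, or call demo to see it on the two configs from this page: the question's version is reported at line 3 and the answer's version passes.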
