SSH Agent on Windows Subsystem for Linux

KaiserThaws
Community Member

Hello,
First of all, thank you for this feature, I absolutely love it! I'm using it both on my Windows and my Mac and it works like a charm. Excellent work guys :-)

I was wondering if it would be possible to have it work on WSL, any idea?

Thanks!
Tristan


1Password Version: 8.7.0-2
Extension Version: 2.0.0
OS Version: Windows 11

Comments

  • mbessette
    Community Member

    Hey Tristan!

    I was actually working on this myself tonight, here's what I did.

    OS: Windows 11 21H2
    WSL 2 Ubuntu 20.04.3 LTS

    Big big big shoutout to https://1password.community/discussion/comment/629936

    1. Enable 1Password SSH as defined here for WINDOWS: https://developer.1password.com/docs/ssh/get-started#step-3-turn-on-the-1password-ssh-agent
    2. Install the .exe from https://github.com/jstarks/npiperelay somewhere where your Windows PATH can see it (make sure it's accessible from Ubuntu and PowerShell; you might need to restart Windows Terminal completely)
    3. Update your .bashrc or .zshrc in Ubuntu with:
    # Configure ssh forwarding
    export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"
    # need `ps -ww` to get non-truncated command for matching
    # use square brackets to generate a regex match for the process we want but that doesn't match the grep command running it!
    ALREADY_RUNNING=$(ps -auxww | grep -q "[n]piperelay.exe -ei -s //./pipe/openssh-ssh-agent"; echo $?)
    if [[ $ALREADY_RUNNING != "0" ]]; then
        if [[ -S $SSH_AUTH_SOCK ]]; then
            # not expecting the socket to exist as the forwarding command isn't running (http://www.tldp.org/LDP/abs/html/fto.html)
            echo "removing previous socket..."
            rm "$SSH_AUTH_SOCK"
        fi
        echo "Starting SSH-Agent relay..."
        # setsid to force new session to keep running
        # set socat to listen on $SSH_AUTH_SOCK and forward to npiperelay which then forwards to openssh-ssh-agent on windows
        (setsid socat UNIX-LISTEN:"$SSH_AUTH_SOCK",fork EXEC:"npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork &) >/dev/null 2>&1
    fi
    
    4. Restart the Ubuntu terminal / re-source the rc file.
    5. Test with ssh-add -l. You should see your 1Password SSH keys.

    From here Git and SSH in your Ubuntu instance should default to the 1Password ssh-agent, with fallback to id_rsa (or whatever is configured in your /etc/ssh config file).

    Hope this helps!!
    Matt

  • steven_appleseed
    Community Member

    I don't know how to upvote this, but honestly: this should be added to the 1password official documentation. Such a critical piece of information for devs who use WSL. Thank you so so much!

  • lafcadio
    Community Member

    FYI for developers stumbling their way here:

    If you use the scoop package manager for Windows, you can now just install npiperelay using the extras bucket 😄

    scoop bucket add extras
    scoop install npiperelay
    

    Would be great if someone can create an install for the native Windows package manager, winget 👌. No idea if WSL + 1Password will ever be a thing ;/

  • 0x6a6f73687561
    Community Member
    edited October 2022

    This script works in Debian WSL, but does not work on Rocky Linux 9 as a WSL instance. Every time I try to ssh to a remote server, I see error messages.

    My commands are:

    sudo update-crypto-policies --set DEFAULT:SHA1 && \
    ssh MASKED
    

    The result is

    Load key "/home/MASKED/.ssh/MASKED.pub": error in libcrypto
    MASKED@MASKED: Permission denied (publickey).
    

    When I run ssh-add -l, I get this error message:

    error fetching identities: communication with agent failed
    
  • yami759
    Community Member

    I was able to get this working in Ubuntu WSL (with a very minor step added of creating a ~/.ssh folder if you don't already have one), and both ssh-add -l and ssh -T git@github.com work just fine. When I actually go to do an action in git however, I'm still prompted to log in. Does anyone know why that might be?

  • yami759
    Community Member

    Update: I'm a dummy, this had nothing to do with 1Password. I was trying to use an HTTPS repo instead of an SSH one...

  • Hi @yami759:

    Glad to hear you were able to get it figured out. Feel free to get in touch if there's anything else we can help you with.

    Jack

  • robsonvn
    Community Member

    After following the steps, make sure you have socat installed in your WSL machine:

    sudo apt install -yyq socat

This discussion has been closed.
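
The prerequisites and failure modes raised across this thread (a missing ~/.ssh directory, socat not installed, and ssh-add reporting that communication with the agent failed) can be checked in one pass. The following preflight function is an added example, not code from any poster or from 1Password; the name relay_preflight and its return codes are assumptions made for illustration, and the private-directory check is an extra hardening step that the thread does not discuss.

```bash
# Added example (not from the thread): preflight for the socat + npiperelay relay.
# Return codes are this example's own convention:
#   0 ok, 1 prerequisite missing, 2 socket directory not private,
#   3 no socket, 4 agent unreachable, 5 agent reachable but no keys.
relay_preflight() {
    local sock dir mode tool rc
    sock="${1:-$HOME/.ssh/agent.sock}"
    dir=$(dirname "$sock")

    # socat lives inside WSL; npiperelay.exe must be on the Windows PATH that WSL inherits.
    for tool in socat npiperelay.exe ssh-add; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool"; return 1; }
    done

    # socat will not create the directory for the socket (~/.ssh by default).
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }

    # Any process that can reach the socket can send requests to the agent,
    # so the directory must not be accessible to group or others.
    mode=$(stat -c '%a' "$dir")
    if [ "$(( 0$mode & 077 ))" -ne 0 ]; then
        echo "directory $dir has mode $mode; run: chmod 700 $dir"
        return 2
    fi

    [ -S "$sock" ] || { echo "no socket at $sock; relay not started"; return 3; }

    # ssh-add(1): exit 0 on success, 1 if the command fails, 2 if the agent cannot be contacted.
    rc=0
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo "ok: agent reachable through $sock" ;;
        1) echo "agent reachable but it lists no keys"; return 5 ;;
        *) echo "agent unreachable: stale socket, relay died, or the Windows agent is off"; return 4 ;;
    esac
}
```

Call `relay_preflight` after the relay block in the rc file, or by hand when `ssh-add -l` fails; with no argument it checks `$HOME/.ssh/agent.sock`.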