TIL: You can use 1Password's SSH Agent in WSL, and it's not that complicated.
I've been using Windows + WSL as my main driver for a few weeks, and one of the things I missed the most was the ease of setup of 1Password's SSH agent on Linux or macOS.
After searching for a while, I found one thread in the 1Password Community forum that linked to a post containing the steps to forward the SSH agent requests from WSL to the Windows SSH agent.
Amazingly, you don't have to do anything extra to make it work with 1Password SSH agent, and I'll write the steps I did to activate it below.
Enable 1Password SSH Agent
If you have not created or imported your SSH keys into 1Password, you can do it by following this article.
To activate 1Password's SSH agent, you must have Windows Hello activated. You can learn more about Windows Hello in this article.
Open your 1Password settings and go to the “Developer” section. You need to check the “Use the SSH agent” checkbox.
That's all we need to do to activate the SSH agent.
Download npiperelay
To communicate between WSL and the 1Password SSH agent, we need to use npiperelay. This tool allows WSL to communicate with Windows named pipes.
To install it, we need to open the GitHub repository and download the latest release. At the time of writing this post, the latest release is v0.1.0 from July 2, 2020.
Unzip it, and paste the npiperelay.exe file in any folder that's configured in your system's PATH.
If you don't know how to modify your system's PATH, you can learn how to do it in this article.
Connect WSL with 1Password's SSH agent
Now that we have the prerequisites fulfilled, we can connect our WSL distro with the SSH agent.
I'm using Ubuntu as my WSL distro; this may change if you're using another distro.
We need to install socat, a utility that transfers data between channels. It will use npiperelay to communicate with the named pipes.
sudo apt install socat
In your WSL terminal, create a new folder named .1password in your home directory:
mkdir $HOME/.1password
Create a new file named .agent-bridge.sh in your home directory. You can name this file whatever you want; this name was just a personal preference of mine.
touch $HOME/.agent-bridge.sh && chmod +x $HOME/.agent-bridge.sh
And add the following content to the newly created file:
# Code extracted from https://stuartleeks.com/posts/wsl-ssh-key-forward-to-windows/ with minor modifications
# Configure ssh forwarding
export SSH_AUTH_SOCK="$HOME/.1password/agent.sock"
# need `ps -ww` to get non-truncated command for matching
# use square brackets to generate a regex match for the process we want but that doesn't match the grep command running it!
ALREADY_RUNNING=$(ps -auxww | grep -q "[n]piperelay.exe -ei -s //./pipe/openssh-ssh-agent"; echo $?)
if [[ $ALREADY_RUNNING != "0" ]]; then
    if [[ -S $SSH_AUTH_SOCK ]]; then
        # not expecting the socket to exist as the forwarding command isn't running (http://www.tldp.org/LDP/abs/html/fto.html)
        echo "removing previous socket..."
        rm "$SSH_AUTH_SOCK"
    fi
    echo "Starting SSH-Agent relay..."
    # setsid to force new session to keep running
    # set socat to listen on $SSH_AUTH_SOCK and forward to npiperelay which then forwards to openssh-ssh-agent on windows
    (setsid socat UNIX-LISTEN:"$SSH_AUTH_SOCK",fork EXEC:"npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork &) >/dev/null 2>&1
fi
Open .bashrc (or your shell's configuration file if you don't use Bash), and add the following line at the end of the file:
source $HOME/.agent-bridge.sh
Restart your Windows Terminal, and you should be able to see the keys you imported into 1Password when listing the keys added to the agent.
You won't have to repeat this process again, as long as you don't remove any configuration we created.
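The bridge script decides whether to start the relay by looking only for the npiperelay.exe process, so it cannot tell a working relay from one whose socket is gone, the situation readers describe in the comments. The following is an added example, not part of the original post: it asks the agent through the socket with `ssh-add -l`, classifies the result, and checks that the socket directory is closed to other local accounts. The function names are hypothetical; the socket path and relay command line are the post's.

```shell
# Added example, not from the original post. Socket path and relay command line
# are the post's; the function names are hypothetical.
SOCK="${SSH_AUTH_SOCK:-$HOME/.1password/agent.sock}"
RELAY_PATTERN='[n]piperelay.exe -ei -s //./pipe/openssh-ssh-agent'

# Pure decision logic.
#   $1 = 1 if the socket file exists, else 0
#   $2 = 1 if the npiperelay process is running, else 0
#   $3 = exit status of `ssh-add -l`: 0 = identities listed,
#        1 = agent reachable but empty, 2 = agent unreachable
classify_bridge() {
    case "$3" in
        0) echo "ok"; return 0 ;;
        1) echo "agent-reachable-no-keys"; return 0 ;;
    esac
    if [ "$2" = 1 ] && [ "$1" = 0 ]; then
        # ALREADY_RUNNING is 0 here, so the post's script will not restart the relay.
        echo "orphaned-relay"
    elif [ "$2" = 0 ] && [ "$1" = 1 ]; then
        echo "stale-socket"
    elif [ "$2" = 1 ]; then
        echo "relay-running-agent-unreachable"
    else
        echo "not-running"
    fi
    return 1
}

# Succeeds only if group and other have no permissions on the socket directory,
# so no other local account can reach the agent socket inside it.
sock_dir_private() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Gather the real inputs inside WSL and classify them (runs in a subshell).
probe_bridge() (
    sock_present=0; relay_present=0; rc=0
    [ -S "$SOCK" ] && sock_present=1
    ps auxww | grep -q "$RELAY_PATTERN" && relay_present=1
    SSH_AUTH_SOCK="$SOCK" ssh-add -l >/dev/null 2>&1 || rc=$?
    dir=$(dirname "$SOCK")
    sock_dir_private "$dir" || echo "warning: $dir is open to group or other" >&2
    classify_bridge "$sock_present" "$relay_present" "$rc"
)
```

Running `probe_bridge` in a WSL shell prints one state name and returns non-zero for anything other than a reachable agent.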
--
I'm happy to have found a way to use my SSH keys stored in 1Password when using WSL. It makes things a bit easier for me, as I haven't used Windows in at least a decade. I'm still trying to make myself comfortable in this operating system, but I guess time will tell what happens.
Nevertheless, WSL has been an amazing tool, and I'd like to thank everyone involved in it.
Top comments (8)
This worked for me, thanks. I did have to reboot before it actually worked.
Hey @rfay, I'm glad it worked! One question about the rebooting, in which step did you have to reboot, or you rebooted after following all the steps before it was missing something? (I want to update the post to reflect that if necessary)
I've loved this, but the reboot has been required more than once now, I haven't figured out why yet. It seems to be when the WSL2 distro is terminated, it doesn't come back up right; even wsl --shutdown doesn't fix it. My bet right now looking at the script is that npiperelay.exe has to be terminated for the script to work right when the script is re-run perhaps. In this situation ALREADY_RUNNING finds that npiperelay.exe is still running.. but maybe it's orphaned? I think what has to happen is kill the orphaned socat process in this situation. There are also problems going on right now with WSL2 not doing wsl --shutdown correctly, so that's probably related. I'll keep chasing it, but I do think it's the socat process.
I know I might be late to the party, but I just had to reset my windows host so that my PATH changes updated. This might be what they were talking about.
Did you find out how to kill the orphan properly? We have the exact same issue here. Already tried killing the process, which works for the terminal but not VS Code...
This worked for me, thanks for sharing!
This was awesome thanks!