Reuse in PowerShell a running PuTTY agent (pageant)


Is there a way in PS 5.1 to reuse the PuTTY agent keys?

Now, the details.


To use key agents one has an Agent that holds the keys (left box), and Client Applications that delegate administration of the keys (right box). E.g., client application C1=putty can use its own agent A1=pageant, of course. Client application C2=winscp knows how to use directly A1.

Certain Clients cannot use certain Agents directly, but there are Proxy agents that bridge the gap. For instance to use A1 with C3, I need Proxy P1=ssh-pageant, see example below. This helps centralizing in a single Agent the keys for many Clients. Now I mean to use A1 for all my Clients (currently, only missing A1-C5 and A1-C6).

Is there a way in PS 5.1 to reuse the same PuTTY agent keys? (I.e., a Proxy Px to use A1 with C5)

Possibly helpful: https://superuser.com/a/1173570/245595


NOTES:

  1. I did not try it, but it seems like winssh-pageant is a Proxy to link A2 with Client applications that understand A1 directly.

  2. I am currently trying to use in PS the same ssh-pageant from msys2 (it is a Windows program in the end, and often times they do work), manually replacing what eval does in msys2 (so far with no luck, but I think this is fixable):

    > cd <dir where ssh-pageant is>
    > .\ssh-pageant -r -a "$env:USERPROFILE\tmp\.ssh-pageant-$env:USERNAME"
    SSH_AUTH_SOCK='C:\Users\USER1\tmp\.ssh-pageant-USER1'; export SSH_AUTH_SOCK;
    SSH_PAGEANT_PID=714; export SSH_PAGEANT_PID;
    echo ssh-pageant pid 714;
    > $env:SSH_AUTH_SOCK='C:\Users\USER1\tmp\.ssh-pageant-USER1'
    > $env:SSH_PAGEANT_PID=714
    > ssh myserver
    Enter passphrase for key 'C:\Users\USER1/.ssh/id_rsa':
  3. As an alternative workaround, is there a non-admin (I wouldn't want to interfere with it) way to load keys into a separate agent such that when I start a PS session it uses those other keys, and which allows me to keep working with my reused keys in msys2? This would perhaps amount to using two different agents at the same time...

  4. weasel-pageant is such a proxy agent (based on Cygwin's ssh-pageant), for WSL (A1-C7)... still looking for a solution for PS.

  5. ssh-agent-wsl is a fork of weasel-pageant that includes support for using keys held by Microsoft's SSH Agent service (instead of PuTTY Pageant) (A2-C7... I guess it's remarkable that WSL needs a proxy to use Win OpenSSH agent).


Example on how to use "Proxy" agent ssh-pageant to link PuTTY pageant with Cygwin bash

The steps to achieve this are:

  1. When I start my session in Windows, the portable PuTTY agent (pageant) is executed, loading at the same time one key. For this, a shortcut pageant is added to C:\Users\USER1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, pointing at %myputty%\pageant.exe "%mykeys%\key1.ppk".
    This makes the key usable by PuTTY and WinSCP, e.g. But if I now enter a PS session, or an msys2/cygwin terminal, the keys would not be used, and I am asked for the password for the keys. So if I now
    $ ssh myserver
    Enter passphrase for key 'C:\Users\USER1/.ssh/id_rsa':
  2. In msys2/cygwin I can use ssh-pageant ("An SSH authentication agent for Cygwin/MSYS that links OpenSSH to PuTTY's Pageant"), such that it reuses whatever keys a previously loaded PuTTY agent has.
    For this purpose, I simply add eval $(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME") to my ~/.bashrc of msys2. Now whenever I start an msys2 terminal, the link PuTTY's Pageant -> ssh-pageant is established, a couple of environment variables are created, and I can ssh without entering the password
    $ env | grep -i ssh
    SSH_AUTH_SOCK=/tmp/.ssh-pageant-USER1
    SSH_PAGEANT_PID=960
    $ ssh myserver
    Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
    ...
  3. Judging from this, it seems the same can be achieved for Git bash.

Related:

http://rabexc.org/posts/pitfalls-of-ssh-agents

How to check if ssh-agent is already running in bash?

https://superuser.com/questions/1327633/how-to-maintain-ssh-agent-login-session-with-windows-10s-new-openssh-and-powers

https://superuser.com/questions/1293725/gpg-agent-under-windows-as-ssh-agent-for-git-bash

sancho.s ReinstateMonicaCellio On BEST ANSWER

I made this work, using the same Cygwin tools (i.e., both ssh-pageant and Cygwin OpenSSH client) in a PS session.

So I would do (assuming ssh-pageant is already running from Msys2):

    > cd <dir where ssh-pageant is>
    > .\ssh-pageant -r -a "$env:USERPROFILE\tmp\.ssh-pageant-$env:USERNAME"
    SSH_AUTH_SOCK='C:\Users\USER1\tmp\.ssh-pageant-USER1'; export SSH_AUTH_SOCK;
    > $env:SSH_AUTH_SOCK='C:\Users\USER1\tmp\.ssh-pageant-USER1'
    > .\ssh myserver
    Logged in to myserver

I have added this to my profile.ps1 (again, it will work when ssh-pageant is already running when I start the PS session)

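    # Replace <mydir> with your MSYS2 installation directory
    $env:MSYS2_DIR = '<mydir>'
    # Assuming a proxy ssh agent is already running
    $env:SSH_AUTH_SOCK = "$env:MSYS2_DIR\tmp\.ssh-pageant-$env:USERNAME"
    # We have to make sure we use the Msys2 OpenSSH ssh client, not the Windows OpenSSH ssh client
    function ssh_msys2 {
        # Quote the path so a directory containing spaces still resolves; @args forwards all arguments
        & "$env:MSYS2_DIR\usr\bin\ssh.exe" @args
    }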

If an ssh-pageant is not yet active, this should work (not tested yet; the PID number may be different):

    > cd <dir where ssh-pageant is>
    > .\ssh-pageant -r -a "$env:USERPROFILE\tmp\.ssh-pageant-$env:USERNAME"
    SSH_AUTH_SOCK='C:\Users\USER1\tmp\.ssh-pageant-USER1'; export SSH_AUTH_SOCK;
    SSH_PAGEANT_PID=714; export SSH_PAGEANT_PID;
    echo ssh-pageant pid 714;
    > $env:SSH_AUTH_SOCK='C:\Users\USER1\tmp\.ssh-pageant-USER1'
    > $env:SSH_PAGEANT_PID=714
    > .\ssh myserver
    Logged in to myserver

Still have to test a couple of points, and automate the operation.
In particular, executing ssh-pageant, detecting the PID # if it is returned, and setting environment variable SSH_PAGEANT_PID from PS if that is the case. This is a little bit more cumbersome than in Msys2, since ssh-pageant spits something directly executable by bash.
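
The automation step the answer leaves open, as an added example that is not part of the original answer: it parses the sh-style lines ssh-pageant prints and sets only the two expected variables, rather than executing the output. The function names `ConvertFrom-AgentOutput` and `Start-SshPageantProxy` and the `-SshPageantExe` parameter are hypothetical; the sample lines are constructed from the output format shown above.

```powershell
# Added example: parse ssh-pageant's output as data instead of evaluating it.
# Function names and -SshPageantExe are hypothetical; adjust paths to your install.
function ConvertFrom-AgentOutput {
    param([string[]]$Lines)
    # Only these variables are accepted; any other line (e.g. the echo) is ignored.
    $allowed = 'SSH_AUTH_SOCK', 'SSH_PAGEANT_PID'
    $result = @{}
    foreach ($line in $Lines) {
        # Matches  NAME='value'; export NAME;  and  NAME=value; export NAME;
        if ($line -match "^(?<name>[A-Z_]+)='?(?<value>[^';]*)'?;\s*export\s+\k<name>;") {
            if ($allowed -contains $Matches['name']) {
                $result[$Matches['name']] = $Matches['value']
            }
        }
    }
    return $result
}

function Start-SshPageantProxy {
    param(
        [Parameter(Mandatory)][string]$SshPageantExe,
        [string]$Socket = "$env:USERPROFILE\tmp\.ssh-pageant-$env:USERNAME"
    )
    # Same flags as in the answer: -r reuses an existing socket, -a sets its path.
    $output = & $SshPageantExe -r -a $Socket
    if ($LASTEXITCODE -ne 0) { throw "ssh-pageant exited with code $LASTEXITCODE" }
    $vars = ConvertFrom-AgentOutput -Lines $output
    if (-not $vars.ContainsKey('SSH_AUTH_SOCK')) { throw 'No SSH_AUTH_SOCK in ssh-pageant output' }
    # The PID line is absent when an existing proxy is reused; validate it when present.
    if ($vars.ContainsKey('SSH_PAGEANT_PID') -and $vars['SSH_PAGEANT_PID'] -notmatch '^\d+$') {
        throw 'SSH_PAGEANT_PID is not numeric'
    }
    foreach ($name in $vars.Keys) {
        Set-Item -Path "Env:$name" -Value $vars[$name]
    }
    return $vars
}

# Constructed sample in the format shown in the answer; exercises the parser offline.
$sample = @(
    "SSH_AUTH_SOCK='C:\Users\USER1\tmp\.ssh-pageant-USER1'; export SSH_AUTH_SOCK;",
    "SSH_PAGEANT_PID=714; export SSH_PAGEANT_PID;",
    "echo ssh-pageant pid 714;"
)
$parsed = ConvertFrom-AgentOutput -Lines $sample
"{0} / {1}" -f $parsed['SSH_AUTH_SOCK'], $parsed['SSH_PAGEANT_PID']
```

In `profile.ps1`, call `Start-SshPageantProxy -SshPageantExe` with the full path to `ssh-pageant.exe` before the first `ssh_msys2` invocation.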