Windows Subsystem for Linux: never prompt your ssh passphrase again

How to configure a passphrase-less ssh setup for wsl — windows subsystem for linux —basing on keychain, credentials manager, task scheduler and a bunch of scripts.

Giuseppe Sorrentino
2 min readMar 7, 2020



This is the list of the requirements:

The scripts


$credentials = Get-StoredCredential -Target sshpassphrase                       $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($credentials.Password)$passphrase = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)                       C:\Windows\System32\wsl.exe -u [YOUR_WSL_USERNAME] -d [YOUR_DISTRIBUTION] /home/[YOUR_WSL_USERNAME]/wslu/ $passphrase

echo "$1"
export DISPLAY="0"
/usr/bin/keychain --clear id_rsa

The scripts are hosted on public gist. There are two of them a poweshell script called keychain.ps1 which:

  • get credential from windows credential;
  • launches the second script, passing your passphrase, in your wsl distribution.

Please substitute [YOUR_DISTRIBUTION] with the name of your current distribution and [YOUR_WSL_USERNAME] with the name of your wsl user.

The second script, called, does:

  • create a tmp/ssh-askpass-script and give it the right permissions;
  • set the SSH_ASKPASS environment variable;
  • launch keychain;
  • deletes the temporary script.


Copy the two scripts in your wslu folder in you home directory and give the right execution permissions.

1)Credential manager

  • Launch credential manager;
  • Click on windows credentials;
  • Click on add a generic credential;
  • Insert sshpassphrase in the internet or network address and username fields;
  • Insert the value of your ssh passphrase in the password field.

2)Task scheduler

  • Launch task scheduler;
  • Click on create basic task;
  • Insert a name for your task — Launch Keychain — then click next;
  • Choose when I log on and click next;
  • Choose start a program and click next;
  • Insert powershell in the program/script field and insert -File C:\Users\[YOUR_WINDOWS_USER]\wslu\keychain.ps1 in the add arguments field, then click next
  • Click on finish

3)Bash/Zsh configuration

Add the following to your ,bashrc/.zshrc: test -f /usr/bin/keychain && eval $(/usr/bin/keychain --eval --quiet id_rsa)


When you reboot and logon the powershell script shoud run.

It will recover you passphrase from windows credential and pass it, trough the SSH_ASKPASS environment variable, to keychain and you should never prompt it again.