Windows Subsystem for Linux: never prompt your ssh passphrase again
How to configure a passphrase-less ssh setup for wsl (windows subsystem for linux), based on keychain, credential manager, task scheduler and a bunch of scripts.
--
Requirements
This is the list of the requirements:
- windows 10 home or superior;
- wsl version 2 (should work with 1 as well but I have not tested);
- a wsl distribution including keychain;
- powershell script running enabled for your user;
- CredentialManager module for powershell installed.
The scripts
keychain.ps1
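# Read the passphrase stored under the "sshpassphrase" target in Windows Credential Manager
$credentials = Get-StoredCredential -Target sshpassphrase
# Convert the SecureString to plain text, then zero and free the unmanaged copy
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($credentials.Password)
$passphrase = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)
# Run keychain.sh inside the distribution, passing the passphrase as its first argument
C:\Windows\System32\wsl.exe -u [YOUR_WSL_USERNAME] -d [YOUR_DISTRIBUTION] /home/[YOUR_WSL_USERNAME]/wslu/keychain.sh $passphrase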
keychain.sh
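#!/bin/bash
SSH_ASKPASS_SCRIPT=/tmp/ssh-askpass-script
# Create the helper readable by the owner only: it contains the passphrase
umask 077
# Unquoted heredoc: $1 (the passphrase) is expanded now and written into the helper
cat > "${SSH_ASKPASS_SCRIPT}" <<EOL
#!/bin/bash
echo "$1"
EOL
chmod u+x "${SSH_ASKPASS_SCRIPT}"
# ssh-add only calls SSH_ASKPASS when DISPLAY is set and there is no terminal
export DISPLAY="0"
export SSH_ASKPASS="${SSH_ASKPASS_SCRIPT}"
# Load id_rsa into the agent; --clear drops any keys already loaded
/usr/bin/keychain --clear id_rsa
# Remove the helper so the passphrase does not stay on disk
rm "${SSH_ASKPASS_SCRIPT}"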
The scripts are hosted on a public gist. There are two of them. The first is a powershell script called keychain.ps1, which:
- gets the credential from windows credential manager;
- launches the second script, keychain.sh, in your wsl distribution, passing it your passphrase.
Please substitute [YOUR_DISTRIBUTION] with the name of your current distribution and [YOUR_WSL_USERNAME] with the name of your wsl user.
The second script, called keychain.sh:
- creates /tmp/ssh-askpass-script and gives it the right permissions;
- sets the SSH_ASKPASS environment variable;
- launches keychain;
- deletes the temporary script.
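A variant of keychain.sh, added here as an example and not the author's script: it stores the passphrase as data in a private mktemp directory instead of writing it into the helper's source text, so quotes, dollar signs or backticks in the passphrase cannot break the helper, and it removes the directory even if keychain fails. The function names make_askpass and load_key are hypothetical; SSH_ASKPASS_REQUIRE assumes OpenSSH 8.4 or later and has no effect on older versions.

```shell
#!/bin/sh
# Added example (not the original keychain.sh). Function names are hypothetical.

# make_askpass PASSPHRASE -> prints the path of a one-shot askpass helper.
# The body runs in a subshell so the umask change does not leak to the caller.
make_askpass() (
    umask 077                                  # new files and dirs: owner-only
    dir=$(mktemp -d "${TMPDIR:-/tmp}/askpass.XXXXXX") || exit 1
    # The passphrase is stored as data, never interpolated into script text.
    printf '%s\n' "$1" > "$dir/secret"
    # Quoted delimiter: nothing below is expanded when the helper is written.
    cat > "$dir/askpass" <<'EOF'
#!/bin/sh
cat "${0%/*}/secret"
EOF
    chmod 700 "$dir/askpass"
    printf '%s\n' "$dir/askpass"
)

# load_key PASSPHRASE -> unlock id_rsa through keychain, then remove the helper.
load_key() {
    helper=$(make_askpass "$1") || return 1
    trap 'rm -rf "${helper%/*}"' EXIT          # clean up even if keychain fails
    DISPLAY=0 SSH_ASKPASS="$helper" SSH_ASKPASS_REQUIRE=force \
        /usr/bin/keychain --clear id_rsa
}

# Same calling convention as the page's keychain.sh: passphrase in $1.
if [ "$#" -gt 0 ]; then
    load_key "$1"
fi
```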
Configuration
Copy the two scripts into the wslu folder in your home directory and give them the right execution permissions.
1) Credential manager
- Launch credential manager;
- Click on windows credentials;
- Click on add a generic credential;
- Insert sshpassphrase in the internet or network address and username fields;
- Insert the value of your ssh passphrase in the password field.
2) Task scheduler
- Launch task scheduler;
- Click on create basic task;
- Insert a name for your task — Launch Keychain — then click next;
- Choose when I log on and click next;
- Choose start a program and click next;
- Insert powershell in the program/script field and insert -File C:\Users\[YOUR_WINDOWS_USER]\wslu\keychain.ps1 in the add arguments field, then click next;
- Click on finish.
3) Bash/Zsh configuration
Add the following to your .bashrc/.zshrc:
test -f /usr/bin/keychain && eval $(/usr/bin/keychain --eval --quiet id_rsa)
Conclusion
When you reboot and log on, the powershell script should run.
It will recover your passphrase from windows credential manager and pass it to keychain via the helper script that the SSH_ASKPASS environment variable points to, and you should never be prompted for it again.