npiperelay

Nice idea missing for SSH_AUTH_SOCK

Open rstaveley opened this issue 4 years ago • 3 comments

There is something nice to do with npiperelay, if you are using the native OpenSSH ssh-agent in Windows 10.

Add this to ~/.bash_profile in WSL2 or WSL:

export SSH_AUTH_SOCK=/tmp/ssh-agent-$$.tmp

exec socat \
  UNIX-LISTEN:${SSH_AUTH_SOCK},umask=007,fork \
  EXEC:'npiperelay.exe -ep -s //./pipe/openssh-ssh-agent',nofork &

That way you can use the same agent in PowerShell, WSL2 and WSL, which seems like a nice thing to do, and may be a good enough reason to stop using PuTTY+Pageant.

Sorry to report this as an issue. I couldn't think of a better way of proposing this addition to the docs.

rstaveley, Aug 02 '20 15:08

You can then use SSH_AUTH_SOCK in docker.

Here's a silly illustration, checking out this repo into /tmp:

docker run --rm \
  --volume $SSH_AUTH_SOCK:/tmp/ssh-auth-sock \
  --volume /tmp:/data \
  --env SSH_AUTH_SOCK=/tmp/ssh-auth-sock \
  --env "GIT_SSH_COMMAND=ssh -o StrictHostKeyChecking=no" \
  --entrypoint git \
  --workdir /data \
  docker.io/alpine/git \
  clone ssh://git@github.com/jstarks/npiperelay.git

The real value is where docker is needed to build code and scripts require git+ssh to access private packages. That's my use case.

rstaveley, Aug 03 '20 06:08

Nice idea! It does break at least VSCode+WSL(2) for me, as a shell from within VSCode does not start (waiting indefinitely) and at least one language server does not start, so beware. I am using zsh instead of bash, though.

As a work-around I have created a script (ssh-agent-wsl) which I can easily run from within WSL2, like so:

❯❯❯ source ssh-agent-wsl

The script itself, called ssh-agent-wsl, placed somewhere in your PATH:

#!/usr/bin/env sh

# https://github.com/jstarks/npiperelay/issues/16
export SSH_AUTH_SOCK=/tmp/ssh-agent-$$.tmp
exec socat \
  UNIX-LISTEN:${SSH_AUTH_SOCK},umask=007,fork \
  EXEC:'/home/steven/bin/npiperelay.exe -ep -s //./pipe/openssh-ssh-agent',nofork &

StevenLooman, Oct 08 '20 12:10
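
An added example, not from any commenter or from the npiperelay project: the same socat relay as in the snippets above, but with the socket in an owner-only directory instead of a predictable name in world-writable /tmp, and one relay reused across shells. The function names and the agent-relay directory are assumptions, as is having socat, ssh-add, setsid and npiperelay.exe on PATH.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Assumes socat, ssh-add, setsid and
# npiperelay.exe are on PATH in WSL; the agent-relay directory name is made up.

# Per-user location instead of world-writable /tmp.
relay_dir() {
  printf '%s\n' "${XDG_RUNTIME_DIR:-$HOME/.ssh}/agent-relay"
}

# True only for a real directory (no symlink) that we own, with mode 700.
dir_is_private() {
  [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] &&
    [ "$(stat -c '%a' "$1")" = "700" ]
}

# Create the directory if missing, then insist that it is private.
ensure_private_dir() {
  [ -e "$1" ] || (umask 077 && mkdir -p "$1") || return 1
  dir_is_private "$1"
}

# ssh-add exits 0 (keys listed) or 1 (no keys) when an agent answered,
# and 2 when nothing is listening on the socket.
relay_alive() {
  local rc=0
  [ -S "$1" ] || return 1
  SSH_AUTH_SOCK=$1 ssh-add -l >/dev/null 2>&1 || rc=$?
  [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}

start_agent_relay() {
  local dir sock
  dir=$(relay_dir)
  ensure_private_dir "$dir" || { echo "agent relay: $dir is not private" >&2; return 1; }
  sock=$dir/agent.sock
  if ! relay_alive "$sock"; then
    rm -f "$sock"   # stale socket from a dead relay
    # umask=077 gives a 0600 socket; setsid and closed stdio detach the relay.
    setsid socat "UNIX-LISTEN:$sock,umask=077,fork" \
      "EXEC:npiperelay.exe -ep -s //./pipe/openssh-ssh-agent,nofork" \
      </dev/null >/dev/null 2>&1 &
  fi
  export SSH_AUTH_SOCK=$sock
}
```

Call start_agent_relay from ~/.bash_profile; later shells find the live socket and only export SSH_AUTH_SOCK.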

I've got a slightly different way of doing this using the new systemd integration from WSL.

There are two parts, the socket-activation file, ~/.config/systemd/user/ssh-auth.socket:

[Unit]
Description=SSH Agent socket relay to Windows via npiperelay

[Socket]
ListenStream=%t/ssh-agent.socket
SocketMode=0600
DirectoryMode=0700
Accept=True

[Install]
WantedBy=sockets.target

And then the service unit that spawns the npipe on demand: ~/.config/systemd/user/ssh-auth@.service (Since we are running in "Accept mode" we want this to be a template service run once per connection; that's what the @ suffix means.)

[Unit]
Description=SSH Agent relay to Windows via npiperelay

[Service]
ExecStart=/bin/bash -c 'export WSL_INTEROP="$(/bin/ls -tr1 /run/WSL/*_interop | head -n1)"; /mnt/c/Users/Ash/scoop/shims/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent'

StandardInput=socket
StandardOutput=socket
StandardError=journal

The one thing that needs a bit of explanation is the WSL_INTEROP env var -- needed to get this working when launched via systemd, else it can't run Windows exe's.

And then somewhere in your shell init scripts you need to export SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/ssh-agent.socket"

ashb, Nov 25 '22 10:11