Windows 10 - Using GPG for SSH authentication. Win32-OpenSSH Edition.

A few years ago I wrote about Using GPG for SSH authentication on Windows. With newer versions of Windows 10 shipping with Win32-OpenSSH it's even easier to use than before. In addition, using native SSH instead of PuTTY means you don't have to connect to servers with PuTTY first.

Installation

Make sure OpenSSH is installed. As of this writing, Windows 10 ships with version 7.7p1. This has been working fine for me, but there are newer versions that can be installed in other ways if desired.

In addition, you will need:

• gpg - both plain gpg and Gpg4Win should work
• wsl-ssh-pageant - this creates a named pipe for gpg to communicate with ssh
• cmdow - optional

All of these packages are available through scoop>.

Configuration

gpg

Add the following line to <gpghome>/gpg-agent.conf:

enable-putty-support

git

git on Windows uses its own bundled gpg & ssh, so direct it to use gpg in .gitconfig:

[gpg]
	program = <path_to_gpg_bin>/gpg.exe

And set your environment to your Win32-OpenSSH directory:

GIT_SSH=C:\\Windows\\System32\\OpenSSH\\ssh.exe

Startup

You need to start gpg-connect-agent & wsl-ssh-pageant. If you want to start these on login, there are a few ways to do this, but the easiest is to just drop shortcuts in your startup directory (shell:startup).

gpg-connect-agent:

gpg-connect-agent.exe /bye

wsl-ssh-pageant:

cmdow.exe /run /hid wsl-ssh-pageant.exe -winssh ssh-pageant

Environment

Finally, ensure ssh knows about the authentication socket. Set your environment to point to the pipe created by wsl-ssh-pageant:

SSH_AUTH_SOCK=\\.\pipe\ssh-pageant

Usage

Everything should now 'just work'. If you have a smartcard for gpg it should correctly prompt for the pin and work as normal.