Automated ssh-agent locking with Win32-OpenSSH

For the last two years, a PowerShell team at Microsoft has been working hard to bring OpenSSH into the world of Windows. As part of this process, their Win32-OpenSSH port turns both sshd and ssh-agent into native Windows services. For all these changes, though, some things just remain the same. Like on other platforms, ssh-agent doesn’t lock or remove stored identities when you lock the computer. And as a service, now it doesn’t even remove them when you log out! Fortunately, Windows Scheduled Tasks comes to our rescue.

The XML document below is a Scheduled Tasks document which automatically locks ssh-agent whenever you log out or lock the computer. It should also do its thing when the computer goes to sleep or shuts down (don’t quote me on that). You can’t import the task as-is, but with a few minor adjustments you can start resting easy about ssh-agent in Windows.

To use this task, first copy the contents of this file into your favourite text editor. You need to replace every instance of MACHINENAME\UserAccount with your machine name and user name. If you run Windows 10, you can run whoami to get this info. You also need to replace MY_USER_SID with your SID, a semi-numeric identifier for your user account. It’s a bit more complicated, so you might want to read this article to figure it out.

If instead of locking your identities you want ssh-agent to delete them, also change the Actions/Exec/Arguments tag value to -D. UPDATE (22 June 2017): It turns out that locking ssh-agent prompts for a password when locking, which you can’t enter when you lock the computer. For now, the only option is to use the -D argument. Hopefully Win32-OpenSSH will support locking with Windows credentials in the near future. Finally, save the file as LockSshAgent.xml (or some other name), then import it in Task Scheduler.
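The same task can be created without editing XML by hand. The PowerShell below is an added example written for this post, not the post’s own XML document: it registers a scheduled task that runs ssh-add -D (the argument the update above settles on) whenever your interactive session is locked or disconnected, running as your own account so ssh-add talks to your ssh-agent. It assumes ssh-add.exe is on PATH (Win32-OpenSSH installs it next to ssh.exe), that you run it from an elevated prompt, and that the session-state trigger values used here (2 = console disconnect, 4 = remote disconnect, 7 = workstation lock) are the ones documented for TASK_SESSION_STATE_CHANGE_TYPE. Task Scheduler has no native "on logoff" trigger, so this example only covers lock and disconnect; the placeholder task name is an assumption.

```powershell
# Added example (not the post's XML task): flush ssh-agent identities on
# session lock or disconnect using the ScheduledTasks PowerShell module.
# Assumes: elevated prompt, ssh-add.exe on PATH, task name is a placeholder.

$taskName = 'LockSshAgent'

# Same value the post calls MACHINENAME\UserAccount; on a non-domain machine
# USERDOMAIN is the computer name. 'whoami /user' also prints your SID.
$user = "$env:USERDOMAIN\$env:USERNAME"

# Remove all identities from the agent (the post's -D argument).
$action = New-ScheduledTaskAction -Execute 'ssh-add.exe' -Argument '-D'

# New-ScheduledTaskTrigger cannot build session-state triggers, so create
# MSFT_TaskSessionStateChangeTrigger instances directly from the CIM class.
$ns = 'Root/Microsoft/Windows/TaskScheduler'
$triggerClass = Get-CimClass -Namespace $ns -ClassName MSFT_TaskSessionStateChangeTrigger

# TASK_SESSION_STATE_CHANGE_TYPE: 2 = console disconnect, 4 = remote (RDP)
# disconnect, 7 = session lock. One trigger per state, limited to this user.
$triggers = 2, 4, 7 | ForEach-Object {
    New-CimInstance -CimClass $triggerClass -ClientOnly -Property @{
        StateChange = $_
        UserId      = $user
        Enabled     = $true
    }
}

# Run in the user's own (locked) session without elevation, so ssh-add reaches
# that user's agent and the task holds no extra privilege.
$principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Limited

# Fire on battery too (a locked laptop is the common case) and never hang around.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Minutes 1)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $triggers `
    -Principal $principal -Settings $settings -Force

# Verify: after locking and unlocking once, LastRunTime should be populated
# and "ssh-add -l" should report that the agent has no identities.
Get-ScheduledTask -TaskName $taskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult
```

To export the registered task as XML for sharing (the form the post uses), run Export-ScheduledTask -TaskName LockSshAgent; the MACHINENAME\UserAccount and SID values the post asks you to replace are the UserId and Principal fields in that output.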

If you haven’t yet seen Win32-OpenSSH, you can give it a try with Chocolatey (install the openssh package), or just run the universal installer by Darwin Sanoy. Make sure to use the /SSHAgentFeature flag in order to install ssh-agent. Alternatively, if you’d like to run an SSH server on your computer, use /SSHServerFeature instead (it includes ssh-agent by default).