"Windows OpenSSH agent is already running" #246

Closed
r2evans opened this issue Aug 12, 2018 · 33 comments

@r2evans

r2evans commented Aug 12, 2018

When I open KeePass > KeeAgent options (even if I make no changes), I see this:

image

I've been trying to get KeeAgent to work with WSL (still having problems with socat and related tools, not sure why), so I have tried several combinations of cygwin, msysgit, and windows ssh agent (showing all enabled here).

Basic functionality (in GfW bash, not wsl) still works. I don't know if this would preclude windows-ssh or indicates some other problems I might not (yet) be seeing.

win10_64, KeePass-2.39.1, KeeAgent-0.10.1.0, KeePassQuickUnlock-2.4.0.0, KeeTrayTOTP-0.9.4.0

Side note: there's an extra "s" in the source:

MessageService.ShowWarning("Windows OpensSSH agent is already running.",

perhaps it should be:

       catch (PageantRunningException) {
-        MessageService.ShowWarning("Windows OpensSSH agent is already running.",
+        MessageService.ShowWarning("Windows OpenSSH agent is already running.",
           "KeeAgent cannot listen for Windows OpenSSH requests.");
 }
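
Review bot: the warning is raised from `catch (PageantRunningException)`, but the text shown to the user names the Windows OpenSSH agent, so even with the spelling corrected the dialog cannot tell the user which agent is actually in the way. Consider a dedicated exception type for the OpenSSH pipe case, or binding the exception (`catch (PageantRunningException ex)`) and including its message in the second argument, so the report identifies the real conflict.
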
@jacobblock

jacobblock commented Sep 27, 2018

Also having a similar issue. ssh-add -l indicates the keys are visible in WSL, but there is still some issue. It seems related to this warning. Below is the exception caught in the error message you reference above.

StackTrace = "   at dlech.SshAgentLib.WindowsOpenSshPipe..ctor() in C:\\dev\\KeeAgent\\SshAgentLib\\SshAgentLib\\WindowsOpenSshPipe.cs:line 55\r\n   at dlech.SshAgentLib.PageantAgent.StartWindowsOpenSshPipe() in C:\\dev\\KeeAgent\\SshAgentLib\\SshAgentLib\\PageantAgent....

For the time being I am able to run pageant + keeagent in client mode + https://github.com/vuori/weasel-pageant and bypass this + correctly load keys.

strarsis added a commit to strarsis/KeeAgent that referenced this issue Jul 8, 2019
Fixes typo (`s`) in error message.

See dlech#246 .
@strarsis strarsis mentioned this issue Jul 8, 2019
@strarsis
Contributor

strarsis commented Jul 8, 2019

Edit: @r2evans, @jacobblock: I was able to get it working again by using weasel-pageant, as you recommended, and following this tutorial for setting it up: https://solariz.de/de/ubuntu-subsystem-windows-keepass-keeagent-pageant-linux-ssh.htm
The option Enable agent for Windows OpenSSH (experimental) wasn't necessary anymore and I disabled it to avoid the error message.

@dlech: Your plugin has been working really well for many years now, even seamlessly with FileZilla FTP (SFTP) and other clients that internally use SSH libraries. This is a new issue that became apparent today,
can I debug this somehow?
KeeAgent + msysgit2unix-socket.py correctly worked all the years and suddenly the setup failed. Is this caused by a new Windows update? Or by installing some *nix tool on Windows that also sets up SSH client/agent?

@Nama

Nama commented Aug 3, 2019

I used KeeAgent without that problem till 1809 and made a fresh install today to 1903 and this error pops up.
The ssh-agent is disabled and not even running, still I get this error. The first time I enabled OpenSSH-support it worked, but not after a restart.

OK, it was the environment variable SSH_AUTH_SOCK which broke everything. After deleting (and restarting) it works again!

@filviu

filviu commented Aug 5, 2019

For me it is even weirder:

If I set SSH_AUTH_SOCK then ssh from powershell doesn't work. If I remove the environment variable then ssh starts working but git stops working! I can fix by adding SSH_AUTH_SOCK in git bash but in powershell I still can't use git.

Any ideas ?

@Nama

Nama commented Aug 5, 2019

You enabled in the options the experimental feature for OpenSSH?

@filviu

filviu commented Aug 5, 2019

Yes enabled. I think I found the fix. git (when installed from git for windows package) uses its own embedded openssh distribution. All fine if you use the git bash terminal where it's safe to set SSH_AUTH_SOCK

For using git in powershell and vscode I set:

GIT_SSH=C:\WINDOWS\System32\OpenSSH\ssh.exe

and appears to be working now

@strarsis
Contributor

strarsis commented Aug 5, 2019

@silviuvulcan, @Nama: How have you configured it for WSL (Bash on Windows)?

@Nama

Nama commented Aug 5, 2019

I didn't.
And don't plan to.

@musm

musm commented Jun 18, 2020

Make sure:
image

fixed it for me

@r2evans
Author

r2evans commented Jun 18, 2020

@dlech, I wonder if my original post on this issue is about the interface recognizing that the existing socket is its own, and it doesn't need to complain about it nor necessarily restart the service (though that is a different discussion).

@strarsis
Contributor

strarsis commented Jun 19, 2020

@r2evans, @silviuvulcan, @Nama: WSL 2 + KeeAgent works without issues using this HOWTO.

@r2evans
Author

r2evans commented Jun 19, 2020

Thanks @strarsis, glad something is working. While I'm grateful for the update (really!), I wish it weren't based on tools that are explicitly no longer being supported/developed. I'll likely give it a try to start the migration of windows-to-wsl2 dev work, though, at least as a proof of multiple concepts. Thanks again!

@strarsis
Contributor

strarsis commented Jun 19, 2020

@r2evans: I hadn't tested yet whether Windows sockets are now finally supported on WSL 2 –
because then the msysgit conversion script wouldn't be needed anymore.

Edit:
When setting SSH_AUTH_SOCK environment variable directly to the socket files created by KeeAgent, there is a permission denied error when trying to connect to it in WSL 2:

$ nc -U "$SSH_AUTH_SOCK"
nc: unix connect failed: Permission denied

It is possible to cat the socket files, something is indeed returned:

$ cat "$SSH_AUTH_SOCK"
!<socket >4296 s 0E03AC97-4718E915-B5A23FB4-96F9EF2B
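
The `cat` output above is the text of a Cygwin-style emulated socket file, which is a regular file and not an AF_UNIX socket that a client inside WSL can connect to directly. The following is an added example (not part of the original comment or of KeeAgent) that classifies whatever `SSH_AUTH_SOCK` points at; the function name `classify_agent_sock` is hypothetical, and reading the fields as a localhost TCP port, a one-letter type flag and a 128-bit key is an assumption based on Cygwin's AF_UNIX emulation format.

```shell
#!/bin/sh
# Added example: classify the file that SSH_AUTH_SOCK points at.
# Prints one line and returns:
#   0  real AF_UNIX socket (ssh, ssh-add and `nc -U` can connect directly)
#   2  Cygwin/msysgit-style emulated socket (a relay or converter is needed)
#   1  missing, empty, or anything else
classify_agent_sock() {
    local path first parsed
    path=$1
    if [ ! -e "$path" ]; then echo "missing"; return 1; fi
    if [ -S "$path" ]; then echo "unix-socket"; return 0; fi
    if [ ! -f "$path" ]; then echo "other"; return 1; fi
    if [ ! -s "$path" ]; then echo "empty-file"; return 1; fi

    # Only the first bytes matter; drop a trailing NUL and any CR.
    first=$(dd if="$path" bs=128 count=1 2>/dev/null | tr -d '\000\r' | head -n 1)
    case $first in
        '!<socket >'*) ;;
        *) echo "other"; return 1 ;;
    esac

    # Assumed layout: "!<socket >PORT FLAG XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX"
    parsed=$(printf '%s\n' "$first" | sed -n -E \
        's/^!<socket >([0-9]+) ([a-z]) [0-9A-Fa-f]{8}(-[0-9A-Fa-f]{8}){3}$/\1 \2/p')
    if [ -z "$parsed" ]; then echo "emulated unparsed"; return 2; fi

    # The key is a shared secret for the handshake, so it is not echoed.
    echo "emulated port=${parsed% *} type=${parsed#* } key=present"
    return 2
}

# Constructed sample reproducing the `cat` output quoted in the thread.
sample=$(mktemp)
printf '!<socket >4296 s 0E03AC97-4718E915-B5A23FB4-96F9EF2B\000' > "$sample"
classify_agent_sock "$sample" || true
rm -f "$sample"
```

Because the emulated file carries the handshake key in clear text, anyone who can read the file can talk to the agent, so its permissions deserve the same care as a private key file.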

@strarsis
Contributor

So I got it finally working on WSL 2 (yes, there were indeed issues!).
Thanks to the instructions for WSL 2 of the wsl-ssh-agent project it works now: https://github.com/rupor-github/wsl-ssh-agent#wsl-2-compatibility

@Bond246

Bond246 commented Sep 1, 2020

Hello @strarsis
could you tell me how you've done that with WSL2?
I followed the instructions in rupors git but... WSL doesn't access the keys from the Keepass/KeeAgent running in Windows.
The KeeAgent Options and startup of Keepass brings the error message "Windows OpenSSH ... already running".

  • My OpenSSH Authentication Agent Service in Windows is running.
  • The KeeAgent Option "Enable agent for Windows OpenSSH (experimental)" is ticked.
  • In addition I created the msysGit socket file (don't know if it's needed; it was also not working with disabling that)
  • wsl-ssh-agent-gui.exe is started with socket file same like msysGit socket path configured in KeeAgent
  • .bashrc is configured like in #wsl-2-compatibility code example pointing to the socket-file and to npiperelay.exe
  • trying to ssh-add -l brings error fetching identities: communication with agent failed

Don't know what to do.
Best way for me would be to go back to wsl1 where everything was really easy to set up. But I need some network-tools from wsl2.

My only target is to access remote machines from wsl via ssh. Nothing else, no git-communications or something else.

Thanks for support!

@strarsis
Contributor

strarsis commented Sep 1, 2020

@Bond246:

  1. For me, the OpenSSH Authentication Agent service in Windows is stopped/disabled!
  2. This is in my .bashrc:

     # KeeAgent: relay a Unix socket in WSL 2 to the Windows OpenSSH agent named pipe
     export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"
     # Check whether something is already listening on the socket
     ss -a | grep -q "$SSH_AUTH_SOCK"
     if [ $? -ne 0 ]; then
         # Remove a stale socket file, then start the relay in the background
         rm -f "$SSH_AUTH_SOCK"
         ( setsid socat UNIX-LISTEN:"$SSH_AUTH_SOCK",fork EXEC:"npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork & ) >/dev/null 2>&1
     fi

     (Don't forget to source the .bashrc or restart the shell).
  3. The npiperelay.exe Windows executable is inside the PATH, under /usr/local/bin/npiperelay.exe.
  4. KeeAgent socket files are disabled, they are not needed as OpenSSH Authentication Agent is used by KeeAgent instead.

Note: When saving the KeeAgent options, I get the following error message:

Windows OpenSSH agent is already running.

KeeAgent cannot listen for Windows OpenSSH requests.

However, it still works great!

@Bond246

Bond246 commented Sep 1, 2020

Thanks for your fast response!

it's working now :-)

Maybe you can describe the whole workflow for Keepass with KeeAgent and all the stuff in your howto.md...
The latest updates and links are not working or are old already.

Documentations like that helped me in past to configure this stuff :-)

@strarsis
Contributor

strarsis commented Sep 1, 2020

@Bond246: I updated the Howto gist: https://gist.github.com/strarsis/e533f4bca5ae158481bbe53185848d49

@dlech
Owner

dlech commented Feb 3, 2022

This should be fixed by dlech/SshAgentLib@55ffc83.

Can you please try https://github.com/dlech/KeeAgent/suites/5172458555/artifacts/156862998 to confirm?

@r2evans
Author

r2evans commented Feb 4, 2022

Sorry to say @dlech that that version of the plgx completely hangs my KeePass2.

My steps:

  1. Closed KP2 completely.
  2. Moved old KeeAgent.plgx out of the way, unzipped new into place.
  3. Opened KP2, it prompts for my usual kdbx password. The interface does not show the usual entries, it stays white and hangs.
  4. Force-kill KP2. Try to flush the PluginCache in %APPDATA%, cannot due to Input/Output error. Find a zombie process via taskmgr (Details tab), kill it, then can remove the cache.
  5. Restart KP2, same thing, it hangs. After letting it sit for many minutes, it is still hung.
  6. Force-kill KP2. Remove all %APPDATA% files (no zombie process this time). Confirm my agent sock file is not present (it is not present) just to be sure.
  7. Move old plgx back into place, starts up normally, no delays.

Currently: win11, KP-2.50 (64-bit) portable installation. Plugins: KeeAgent-0.12.1.0 (before this attempt) and KeePassQuickUnlock-2.4.0.0.

@dlech
Owner

dlech commented Feb 4, 2022

Yikes! Now that you mention it, I recall a few times that I had a "zombie process"-like problem while working on this in Visual Studio and had to restart Visual Studio to get it to compile again. Was the process "keepass.exe" or something else? There were some other major changes that could be contributing to the issues you are seeing too. Can you create a new database file with some test keys to reproduce the problems you are seeing?

@r2evans
Author

r2evans commented Feb 4, 2022

I'm not sure where the problem starts, all I can say are the symptoms: KP2 accepted my password but never really finished painting its canvas, becoming unresponsive. I tried with a fresh kdbx and it did not hang, which is promising.

The Journey

More troubleshooting

So:

  • closed the kdbx, closed KP2, removed KPQU, restarted KP2 on new kdbx, it works; opened my normal kdbx, locked up
  • closed/exited; moved my KeePass.config.xml out of the way, restarted KP2, loaded new kdbx worked; loaded normal kdbx, locked up

So I started fishing around in the kdbx itself. I did the following actions:

  • emptied the "Recycle Bin"
  • deleted the contents of "Backup"
  • deleted the "AutoOpen" folder (that was empty and not being used)

After that, it opened without hanging. It gets better.

Old issue fixed, a new break

I then restored to the previous version of the kdbx (undoing each of those three steps above), and again removed all PluginCache (literally every time in between attempts). So with the same kdbx that hung before, it now opens without issue. But now I cannot re-enable KPQU, it complains about incompatibility. Ugh.

I then started over:

  • started with a fresh install of KP2 (portable, 64bit)
  • unzipped your new KeeAgent.plgx into Plugins
  • copied a re-downloaded KPQU into Plugins
  • purged PluginCache (again, I'm sure KP2 is getting tired of recompiling all the time)
  • copied (unchanged) my previous KeePass.config.xml file into place (I like my integrations :-)
  • it opened fine, KPQU works, KA works

So ... what changed?

For grins, I then tried to see what had changed, in case something corrupted the original KP binaries/libraries.

$ cd /mnt/c/PortableApps/KeePass2
$ find . -type f -print0 | xargs -0 -I{} -n1 diff -q {} ../KeePass2.broken/{}
Files ./Plugins/KeeAgent.plgx and ../KeePass2.broken/./Plugins/KeeAgent.plgx differ

$ cd /mnt/c/PortableApps/KeePass2.broken
$ find . -type f -print0 | xargs -0 -I{} -n1 diff -q {} ../KeePass2/{}
diff: ../KeePass2/./KeeAgent.plgx.new: No such file or directory
diff: ../KeePass2/./KeeAgent.plgx.orig: No such file or directory
diff: ../KeePass2/./KeePass.config.xml.bak: No such file or directory
diff: ../KeePass2/./KeePassQuickUnlock.plgx: No such file or directory
Files ./Plugins/KeeAgent.plgx and ../KeePass2/./Plugins/KeeAgent.plgx differ
diff: ../KeePass2/./saved/KeePass.config.xml: No such file or directory
diff: ../KeePass2/./saved/KeePass.exe.config: No such file or directory

Most of the diff: lines are because I had copied versions of several files out of the way. The KeeAgent.plgx difference is because I left the .broken app in the state of using the original KA plgx. That is all.

Bottom line

(waaaay too long to get here)

The new plgx you provided (still reports 0.12.1.0) works. I no longer get the agent is already running popup that started the issue 2+ years ago. And I confirmed that the agent is working. My KP2 (portable, 64-bit) is no longer hanging using your new plgx. I am using yesterday's kdbx with no changes saved.

I hate windows.

@r2evans
Author

r2evans commented Feb 4, 2022

Scratch that ... it works the first time, but on the next attempt to connect it does not function.

r2@local$ ssh remote
## it works
r2$remote$ ^D   # logout

r2@local$ ssh remote
r2@remote's password:

SSH_AUTH_SOCK is still set, the files are still there.

If I lock/unlock KP2, it still does not work.

If I exit/restart KP2, it works fine. Once.

If I exit KP2, then copy the original (not-alpha) KA plgx (and purge the PluginCache), it works.

r2@local$ ssh remote
## it works
r2$remote$ ^D   # logout

r2@local$ ssh remote
## it works
r2$remote$

@dlech
Owner

dlech commented Feb 4, 2022

Hi @r2evans, thanks for testing. I'm going to go ahead and close this issue since it seems the original issue is resolved. Can you open a new issue for the new problems you are seeing? I'm not able to reproduce any of the problems you are seeing now, so will need some sort of test database and config file that can reproduce the problem.

@dlech dlech closed this as completed Feb 4, 2022
@r2evans
Author

r2evans commented Feb 4, 2022

I do not see how the new problem is unrelated: discarding the "hang" issues I had (that I've put behind me), the plgx you provided me fixes the popup problem but renders the plgx almost useless by requiring me to exit and restart KP2 every time I want to use KeeAgent's functionality. Doesn't that suggest that your fix for the original problem is incomplete?

@dlech
Owner

dlech commented Feb 4, 2022

There have been quite a few other changes too, so it is hard to say. This issue is getting quite long anyway, which is part of the reason why I suggested starting a new issue.

@dlech
Owner

dlech commented Feb 4, 2022

Does ssh-add -l still work when ssh no longer works?

@dlech
Owner

dlech commented Feb 5, 2022

Also today's latest build: https://github.com/dlech/KeeAgent/suites/5186479235/artifacts/157740356

It has more changes/fixes but I don't expect it to fix the problems you are seeing.

@strarsis
Contributor

strarsis commented Feb 15, 2022

I encountered this issue again today. And I noticed this happened after updating TortoiseSVN/TortoiseGIT.
Those also install Pageant - which version may be incompatible or block the KeeAgent SSH agent instead.

@dlech: With the KeeAgent build you linked I noticed the new WSL compatible socket option in KeeAgent options. That's great!
Edit: The WSL socket file is empty and SSH can't use it (SSH_AUTH_SOCK env points to it with a WSL path) - in contrast to the two socket files of other type (msysgit / Cygwin). The socket file can only be created on the host file system (not on the WSL file system), I guess this is correct.

@musm

musm commented Mar 8, 2023

I haven't followed this full discussion. KeeAgent used to work without any errors until I recently upgraded to the latest version. Now I am seeing the same issue every time I restart Windows.

@dlech
Owner

dlech commented Mar 8, 2023

This issue is closed, so I would suggest starting a new issue with full details on how to reproduce the issue using the latest release.

@airtonix

is there a way to solve this problem without having to install keepassx (or whatever it's called) ?

seems very strange to have to install a password manager. are we expected to store our ssh key in keepass thing?

I don't want to as I have yubikey that does this.

asking because every single article/issue says "lol install this keepass thing and do stuff".

@Nama

Nama commented Sep 7, 2023

My solution was the following:

OK, it was the environment variable SSH_AUTH_SOCK which broke everything. After deleting (and restarting) it works again!

Look for it in PATH of Windows.
