Clarification of the usage of winssh-pageant #14

Closed
seism0saurus opened this issue Apr 7, 2022 · 2 comments · Fixed by #16

@seism0saurus

Hi,
Thank you for this project. It would be great to give the Windows users the possibility to use OpenSSH with FIDO2 support.
Could you help me with the configuration?

  • I have downloaded and installed the 64-bit MSI package v8.9.1.0p1-Beta from Microsoft's OpenSSH project without the server:
    msiexec /i OpenSSH-x64-v8.9.1.0.msi REMOVE=Server
  • After that I switched to the installation folder of OpenSSH and created an ssh key with FIDO2:
    .\ssh-keygen.exe -t ecdsa-sk
  • Now I downloaded and installed the MSI version v2.1 of winssh-pageant. The bridge is shown in the task manager in autostart.

How do I add my ssh key to putty? Selecting the private key in Connection -> SSH -> Auth -> Private key file for authentication does not work. I get the following error:
Unable to use key file "C:\Users\MyUserName\.ssh\id_ecdsa_sk" (OpenSSH SSH-2 private key (new format))

@ndbeals
Owner

ndbeals commented Apr 11, 2022

Hello, and thanks for asking this question. I've struggled with how to word the description/instructions; it can be confusing!

Addressing your points in order:

  1. Absolutely correct. An additional, optional but highly recommended step: Add the OpenSSH directory to your SYSTEM PATH. This way you can use the OpenSSH programs from any location (a must-have for ssh-ing into remote boxes IMO).
  2. Looks correct, but I don't use FIDO2. The Windows OpenSSH Wiki has a page about FIDO2: https://github.com/PowerShell/Win32-OpenSSH/wiki/FIDO---U2F-usage
  3. Correct.

The key takeaway here is that winssh-pageant replaces the need for any of the PuTTY applications, especially pageant. Specifically, winssh-pageant.exe and pageant.exe are mutually exclusive: they both do the same thing, and as such only one should be running.

> How do I add my ssh key to putty?

You do not add your keys to PuTTY (pageant). You add them to the Windows OpenSSH Key Agent. Run this command:

ssh-add id_ecdsa_sk

That's assuming you've added the OpenSSH location to your System PATH, otherwise use the fully qualified path to the key.

Assuming the OpenSSH.msi install worked (I wasn't able to get REMOVE=Server to work for me but it appears to have worked for you), the installer should have added a new "OpenSSH Authentication Agent" Windows service; you can confirm that by running services.msc and checking for that entry. Note: if you are looking in the Task Manager -> Services tab, it's just named ssh-agent. Screenshots attached illustrating that.

The service should be added and already running. After you've ssh-added your keys once, they will always be loaded when you log in (the authentication is tied to your Windows account login).

Once that's all correct, any programs that "only talk to pageant", like WinSCP, will seamlessly use whatever keys you have loaded, no need to interact with PuTTY or Pageant again!
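
A quick way to check the state described in the comment above, as an added example that is not part of the original thread or the project's code. It assumes ssh-add.exe is on PATH and that the processes are named after the executables mentioned (winssh-pageant.exe, pageant.exe); the function name Test-WinSshPageantSetup is made up for this example.

```powershell
# Added example: sanity checks for the agent/bridge setup from this thread.
# Assumptions: ssh-add.exe is on PATH; process names follow the executable
# names given above. Test-WinSshPageantSetup is a hypothetical helper name.
function Test-WinSshPageantSetup {
    $problems = @()

    # 1. The "OpenSSH Authentication Agent" service has the short name ssh-agent.
    $svc = Get-Service -Name ssh-agent -ErrorAction SilentlyContinue
    if (-not $svc) {
        $problems += 'ssh-agent service is not installed'
    } elseif ($svc.Status -ne 'Running') {
        $problems += "ssh-agent service is $($svc.Status), expected Running"
    }

    # 2. winssh-pageant.exe and pageant.exe are mutually exclusive.
    $bridge  = Get-Process -Name winssh-pageant -ErrorAction SilentlyContinue
    $pageant = Get-Process -Name pageant -ErrorAction SilentlyContinue
    if (-not $bridge) { $problems += 'winssh-pageant.exe is not running' }
    if ($bridge -and $pageant) {
        $problems += 'pageant.exe and winssh-pageant.exe are both running; stop one'
    }

    # 3. Ask the agent which keys it holds.
    #    ssh-add exit status: 0 = keys listed, 1 = agent has no identities,
    #    2 = agent could not be contacted.
    if (-not (Get-Command ssh-add -ErrorAction SilentlyContinue)) {
        $problems += 'ssh-add not found on PATH'
    } else {
        $keys = & ssh-add -l 2>&1
        switch ($LASTEXITCODE) {
            0       { $keys | ForEach-Object { Write-Host "loaded: $_" } }
            1       { $problems += 'agent is reachable but holds no keys; run ssh-add <keyfile>' }
            default { $problems += "cannot contact the agent: $keys" }
        }
    }

    # The leading comma keeps an empty result an array rather than $null.
    return ,$problems
}

$problems = Test-WinSshPageantSetup
if ($problems.Count -eq 0) {
    Write-Host 'Setup looks consistent: agent running, bridge running, keys loaded.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```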

@seism0saurus
Author

Thank you very much for this project and your support. I got it running including 2FA with FIDO2.

ndbeals added a commit that referenced this issue Apr 12, 2022
* Replace naive string comparison with Errno checking. Fixes #15 
* Updated README. Resolves #14 
* Upgraded dependencies and moved to Go 1.18

Special thanks to @meilon for discovering an internationalization bug and testing the fix for me.