Unable to run `onlykey-agent` on Windows WSL & Cygwin

I am using Ubuntu 20.04 on one computer, Windows 10 on another.
On Ubuntu onlykey-agent works nicely.

On Windows 10, I have WSL 2 activated and can run docker and debian on WSL.
I didn’t have a problem with Cygwin either.

I followed the instructions without problems. (Edit: except restarting udevadm)

With WSL the onlykey-agent cannot connect to the OnlyKey. After googling it seems that WSL and docker cannot use USB devices on the host.

With Cygwin onlykey-agent <my-identity@my.email.com> returns ffffffecbf000105000000000000000000000000000000000000000000000000 as the public key regardless of which identity I use.

I can run the script with verbose flags for more logs (sans personal info)

Thanks for your support in advance.

Unfortunately this is not working right now. WSL2, as you found, doesn’t support USB; lots of rants here - https://github.com/microsoft/WSL/issues/5158. Some people got it working with USB over IP but that’s not ideal. For right now, if Windows is needed, a Linux VM or using this with OnlyKey would work best - OpenSSH | Docs

I do think at some point WSL will have to support USB (WSL1 did). There may be other solutions or workarounds I am not aware of; any ideas would be great.


Thank you for the quick response!

For future reference for Windows spectators: prepare to do some non-trivial work.
It seems that SSH with FIDO2 works on OpenSSH v8.2+
On Windows 10 native OpenSSH is v7.7 as of the time of writing.
The one in Git and the one in Cygwin are both v8.4, SSH with smartkey ecdsa-sk is there as an option,
but trying it does not work for some reason.
I’ll get back to this after I get some time. (Take this as a no)

Were there any reports on the following issue on Cygwin?
On Cygwin at least it seems to connect okay.
Any pointers to how I might debug this issue would be a thank-you as well.

Cygwin isn’t supported currently but it may be possible to get it to work. As WSL does not have USB support on their roadmap this may be the best option for Windows support.

I tried this a while back for a Windows user and Git for Windows ships a later version of OpenSSH - https://gitforwindows.org/

As per here I could get the key-gen to interact with the key and that worked fine but when trying to login it never asks to tap on the key.

EDIT: further testing and this does work but both client and server need to be OpenSSH >8.2 so older servers won’t be accessible.

– bvs

Interesting, so OnlyKey agent is working with OpenSSH >8.2? It hasn’t been tested on Windows but if this is working we should be able to add official support.

Yes, using the packaged SSH binary in Git for Windows. Windows 10 still doesn’t have 8.2 support directly, and even now it looks like only 8.1 is available. You can get and install 8.2 from their GitHub but it clearly states no FIDO key support, so they must have built without it.

So using Git Bash I tried connecting to a CentOS 7 server, but that only supports OpenSSH 7.4, and also Debian 10, but that’s OpenSSH 7.9.

Once I connected to an Ubuntu VM with 8.6 it worked perfectly.

– bvs

There is a workaround released by MS for Windows 11:

However, I can’t get this to work with the onlykey. Maybe something to look into supporting…

I got some time to test this and can confirm it’s working on Windows in WSL2. I’ve not tested all of the features, as it was primarily for SSH usage from Windows.

Here are the steps and resources for those interested.

Installation resources for the below here, here and here.

Install WSL2

  1. Open PowerShell as admin and run:

    wsl --install


    Which should install Windows Subsystem for Linux, Virtual Machine Platform Components, and Ubuntu.

  2. You may be asked to restart, if not, do so.

  3. When complete you should be greeted with an Ubuntu terminal window asking you to set a username and password.

Install OnlyKey

  1. Once in Ubuntu you can proceed to install OnlyKey as usual, as per the OnlyKey docs:

    sudo apt update && sudo apt upgrade
    sudo apt install python3-pip python3-tk libusb-1.0-0-dev libudev-dev
    pip3 install onlykey-agent
    wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
    sudo cp 49-onlykey.rules /etc/udev/rules.d/
    sudo udevadm control --reload-rules && udevadm trigger

    NOTE: You will get an error with the last command but you can ignore this for now.

Install usbipd-win

  1. Back in Windows install the usbipd-win program from the repo in the link above

  2. Insert the OnlyKey

  3. Open PowerShell and run:

    usbipd wsl list

    The device may show as unknown but you should be able to determine it by process of elimination.

  4. Take the busid from the first column and run (replace <busid> with that value):

    usbipd wsl attach --busid <busid>


Confirm Running in Ubuntu

  1. Back in Ubuntu, list USB devices with:

    lsusb

  2. You should now see the OnlyKey passed through.

  3. Now restart udev and reload the rules with:

    sudo service udev restart
    sudo udevadm control --reload-rules && udevadm trigger

That’s it. It should work. You can test with:

onlykey-agent username@host.com

@t11 it may be worth confirming and updating the documentation below.

Windows Install with dependencies

Currently Windows is not supported directly but may be used with a Linux virtual machine. Another alternative is to use OpenSSH v8.2 which supports OnlyKey as a FIDO security key. We are working on additional options for Windows support.

– bvs
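A small diagnostic for the Ubuntu side of the steps above, added here as an example and not taken from the thread or the OnlyKey project. It assumes the OnlyKey enumerates with USB ID 1d50:60fc (the hardware-id quoted later in this thread) and that a device is usable once its /dev/bus/usb node is readable and writable by the current user; the lsusb sample in the script is constructed.

```shell
#!/bin/sh
# Added diagnostic for the Ubuntu-in-WSL2 side of the setup above.
# Not part of the thread or the OnlyKey project; assumes the OnlyKey
# enumerates as USB ID 1d50:60fc (the hardware-id quoted later in the thread).

ONLYKEY_ID="1d50:60fc"

# Constructed sample of lsusb output, used only for a dry run.
SAMPLE_LSUSB='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 1d50:60fc OpenMoko, Inc. OnlyKey'

# Read lsusb output on stdin; print the /dev/bus/usb/BBB/DDD node of the
# first device whose VID:PID matches $1, or nothing if it is absent.
onlykey_dev_node() {
    awk -v id="$1" '$6 == id { printf "/dev/bus/usb/%s/%s\n", $2, substr($4, 1, 3); exit }'
}

# Distinguish the three states seen in this thread: not attached at all,
# attached but not usable by this user (udev rules not applied), usable.
# Returns 1, 2 or 0 respectively and prints the matching next step.
check_onlykey() {
    node=$(lsusb 2>/dev/null | onlykey_dev_node "$ONLYKEY_ID")
    if [ -z "$node" ]; then
        echo "OnlyKey not visible in lsusb; in PowerShell run:"
        echo "  usbipd wsl attach --hardware-id=$ONLYKEY_ID"
        return 1
    fi
    if [ -r "$node" ] && [ -w "$node" ]; then
        echo "OnlyKey at $node is readable and writable by $(id -un)"
        return 0
    fi
    echo "OnlyKey at $node is attached but not accessible; apply the udev rules:"
    echo "  sudo service udev restart"
    echo "  sudo udevadm control --reload-rules && udevadm trigger"
    return 2
}

# Dry run against the constructed sample (no hardware needed).
sample_node() {
    printf '%s\n' "$SAMPLE_LSUSB" | onlykey_dev_node "$ONLYKEY_ID"
}

# Run the real check only when asked, so sourcing the file has no side effects.
if [ "${1-}" = "--check" ]; then
    check_onlykey
fi
```

Run it as `sh onlykey-check.sh --check` inside the WSL2 Ubuntu after the usbipd attach step; exit code 1 means the device never reached WSL, 2 means it is there but the udev rules have not taken effect.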


Thanks for the detailed write up, I will test this out.

Unfortunately it didn’t work for me on Win11 - neither with OnlyKey nor with YubiKey.
I can attach the USB device to WSL and can see it with usb but can’t interact with it.

@bugrasan Can you provide the error you got?

I have put together instructions here for setting this up here Using OnlyKey with Windows Subsystem for Linux | Docs

One improvement is you don’t have to guess which USB device; you can attach by hardware-id instead of busid:

usbipd wsl attach --hardware-id=1d50:60fc

@bettyvschmartz Let me know if this works for you. I have also put the setup into a PowerShell script; hopefully we can get this working reliably and add support for onlykey-agent on WSL.