Caution! about SSH agent service in Windows

Caution:- about behaviour of ssh-agent in the native SSH client software in Windows 10 PowerShell and associated service.

I have been coming up to speed on use of SSH, with help from YouTube videos in both LTS and LearnLinuxTV. Below see something I thought was surprising.

About SSH client in Windows PowerShell

  • The SSH client was added to WIndows 10 PowerShell in the April 2018 release. (This is native to PowerShell, and different to any implementation in WSL2)
  • The commandline options in PowerShell provide similar functionality to what you have in Linux.
  • There is also a ssh-agent service which runs as a Windows service - named “OpenSSH Authentication Agent”. It is not enabled by default, but can easily be set to run automatically.

Behaviour of sww-agent, Linux vs Windows

This Windows “ssh-agent” behaves differently to the regular Linux implementation wrt persistence of private keys with pass phrases.

  • With Linux the ssh-agent keeps the unlocked private keys in memory associated with your current terminal session - and forgets when that session ends. In practical terms it means you have to enter your passphrase just once per session.
  • But with the Windows implementation of ssh-agent the unlocked private keys are saved to the Registry, and do not disappear at end of PowerShell session or if you log off. So you have to type your passphrase just once and never needed again on that workstation! Those private keys remain immediately available to you on that workstation whenever the ssh-agent service is running.

How Windows ssh-agent stores data.
Digging a bit deeper the agent stores data in the Registry in key:-
The items in the…/Keys folder are named like “SHA256:G84TfeXhm8JDw3qKh/SaftQjtcUcrccd6ozX1qJ+Hqc” - the registry key name used is the Fingerprint of the related SSH Key.

I found this closed issue in Github Powershell → Win32-OpenSSH, The response from the developers is that the persistent behaviour of ssh-agent is “as intended”

The blog cited below describes how you can reconstruct the original private key from these registry entries.

Brilliant! Glad I am a 99% *nix household. I’d be 100% if not for single app insisting on using .NET

I’ve been using Teraterm for this kind of stuff or Putty, didn’t even know that SSH had been enabled in powershell.

Does the ssh client from the old cmd.exe behave the same way?

I have checked and you can run SSH on WIndows 10 via any of:-

  • PowerShell as a tab within Windows Terminal (how I do things by default)
  • PowerShell standalone window
  • Command Prompt as a tab within Windows Terminal
  • Command Prompt standalone window


  • All options made use of the same set of keys, config file, known_hosts file
  • All options were running the same ssh.exe. Its info
    • Directory C:\Windows\System32\OpenSSH
    • Version
    • All executables show in screenshot below
    • Note that there seems to be no implementation in Windows of ssh-copy-id the command used to copy public keys to the authorized_keys file on servers