A native Windows SSH agent using CNG/KSP, with no dependencies, smartcard support, and full RDP compatibility
Source: Dev.to

Overview
SRO PKCS11 – SSH Agent CNG is a single Windows executable that unifies:
- a complete PKCS#11 module (compatible with Firefox, OpenSC, ssh -I)
- an OpenSSH‑compatible SSH agent
- a Pageant‑compatible server for PuTTY
- a CNG/KSP backend for smartcards, TPM, Windows Hello, and enterprise certificates
- a WSL2 TCP listener
It has no external dependencies, no CRT, no DLLs, and no middleware. It works in RDP, RemoteApp, Citrix, multi‑session, and hardened environments.
Repository: (link not provided in the original text)
The problem: Windows cannot use enterprise identities for SSH
Enterprise certificates cannot be used for SSH
OpenSSH for Windows cannot use:
- non‑exportable keys
- ADCS‑issued certificates
- TPM‑backed keys
- Windows Hello keys
- Smartcards using CNG/KSP
This forces administrators to generate private keys on disk, a regression compared to enterprise identity standards.
Pageant is not SSH‑native
- Requires a hidden window to function
- Limited to PuTTY solutions
gpg‑agent is not Windows‑native
It does not support:
- CNG/KSP
- Windows smartcard minidrivers
- Enterprise certificates
- Non‑exportable keys
- Multi‑session environments
PKCS#11 modules do not integrate with the Windows Certificate Store
OpenSC cannot access:
- TPM‑backed keys
- Windows Hello keys
- ADCS certificates
- Virtual smartcards
Consequently, existing tools cannot use the identities that Windows already manages securely.
The solution: a unified, native, dependency‑free agent
The project provides a single executable that exposes:
- a full PKCS#11 module
- an SSH agent
- a Pageant server
- a WSL2 TCP bridge
- a CNG/KSP cryptographic backend
All cryptographic operations are delegated to Windows. Private keys never leave the KSP, and PIN entry is handled by the native Windows UI.
Key properties
- Native CNG/KSP integration
- Works in RDP and multi‑session environments
- No dependencies, no CRT, no external DLLs
- Supports smartcards, TPM, Windows Hello, ADCS certificates
- Supports RSA, ECDSA, Ed25519, Ed448, Brainpool
- Supports PKCS#11 with 14 mechanisms
- Compatible with OpenSSH, Git for Windows, Visual Studio, PuTTY, WSL, WSL2
- Optional Windows service mode for hardened environments
Why this is the best option on Windows today
- Full CNG/KSP support using NCryptSignHash and the Windows Certificate Store
- Private keys are never exported or transmitted through the agent; they remain inside the KSP at all times
- PIN handling is performed entirely by Windows
- RDP‑safe and multi‑session safe: works in RDP, RemoteApp, Citrix, multiple sessions, and non‑interactive sessions
- Single binary: no DLLs, no runtime, no external libraries, no registry pollution
Complete PKCS#11 implementation
Compatible with:
- Firefox
- pkcs11-tool
- ssh -I
- Any PKCS#11‑enabled product
Supports RSA, ECDSA, EdDSA, Brainpool, and PSS.
Complete SSH agent
Compatible with:
- OpenSSH
- Git for Windows
- Visual Studio / VSCode Remote
- WSL / WSL2 (via TCP 127.0.0.1:10022)
Pageant compatibility
PuTTY, plink, pscp, and psftp all work.
Optional Windows service mode
For hardened or multi‑user environments:
- Service runs in session 0
- Helper runs in the user session
- PIN UI appears in the correct session
- Strict isolation between service and crypto operations
Example: using an ADCS certificate for SSH
- Install the certificate in the Windows Certificate Store (non‑exportable key).
- Start the agent.
- Export the public key: ssh-agent.exe -exportkey id.pub
- Add id.pub to authorized_keys on the server.
- Connect: ssh user@server
No private key file, no token, and no additional configuration are required.
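As an added example (not the project's own code), a small Python client that speaks the standard OpenSSH agent protocol to the WSL2 TCP listener mentioned above: it asks the agent which identities it will sign with and renders each in authorized_keys form, which is the same material ssh-agent.exe -exportkey writes to id.pub, and no private key ever crosses the socket. It assumes the listener on 127.0.0.1:10022 accepts unmodified agent-protocol messages; the sample reply bytes are constructed, not captured from the real agent.

```python
import base64, socket, struct

SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER = 11, 12  # draft-miller-ssh-agent
AGENT_ADDR = ("127.0.0.1", 10022)  # the agent's WSL2 TCP listener named in the post

def _string(b: bytes) -> bytes:  # SSH "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_request_identities() -> bytes:
    # Framed request: uint32 length, then the single message-type byte
    return _string(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))

def parse_identities_answer(frame: bytes):
    # Returns [(key_type, key_blob, comment), ...] from a framed IDENTITIES_ANSWER
    body, end = _read_string(frame, 0)
    if end != len(frame) or not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected reply")
    (count,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = _read_string(body, off)
        comment, off = _read_string(body, off)
        key_type, _ = _read_string(blob, 0)  # first field of every public-key blob is its type
        keys.append((key_type.decode(), blob, comment.decode(errors="replace")))
    if off != len(body):
        raise ValueError("trailing data in reply")
    return keys

def authorized_keys_line(key_type: str, blob: bytes, comment: str) -> str:
    # The form the server's authorized_keys expects (what id.pub from -exportkey holds)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def list_identities(addr=AGENT_ADDR):
    # Ask a running agent which public keys it will sign with; only public data is returned
    with socket.create_connection(addr, timeout=5) as s, s.makefile("rb") as f:
        s.sendall(build_request_identities())
        hdr = f.read(4)
        return parse_identities_answer(hdr + f.read(struct.unpack(">I", hdr)[0]))

# Constructed sample reply (not captured from the real agent): one Ed25519 identity,
# with 32 zero bytes standing in for the public key.
SAMPLE_BLOB = _string(b"ssh-ed25519") + _string(bytes(32))
SAMPLE_REPLY = _string(bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                       + _string(SAMPLE_BLOB) + _string(b"CN=alice (sample)"))
```

Run `for k in list_identities(): print(authorized_keys_line(*k))` inside WSL2 with the agent up to see the exact lines to paste into authorized_keys; a truncated or malformed reply raises ValueError rather than yielding a partial key.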
Where this agent is most useful
- RDP / RemoteApp / Citrix environments
- Windows jump hosts
- PKI / ADCS administrators
- DevOps using Windows + WSL2
- Enterprises using smartcards (PIV/GIDS/YubiKey)
- Enterprises using TPM or Windows Hello
- Hardened workstations
- Windows‑based CI pipelines