I’ve been working on a Windows‑native SSH agent to address a long‑standing gap in the Windows ecosystem: reliable smartcard support (CNG/KSP + PKCS#11) for SSH, Git, WSL2, and PuTTY, without external middleware or additional tools.
Most existing solutions rely on vendor PKCS#11 DLLs, Pageant bridges, or npiperelay hacks.
This project tries to provide a clean, unified, minimal alternative using only Windows native crypto APIs.
Key features
Full PKCS#11 module (RSA, RSA‑PSS, ECDSA incl. Brainpool, Ed25519, Ed448)
Native CNG/KSP backend (PIV, GIDS, YubiKey, Nitrokey, Windows minidrivers)
SSH‑agent interface compatible with Git, Visual Studio, OpenSSH, WSL, WSL2
Native Pageant server (PuTTY)
Built‑in WSL2 TCP bridge (no npiperelay)
Optional Windows service mode (SYSTEM) with isolated userland helper
RDP‑friendly PIN prompts (native Windows UI)
Single binary, no DLLs, no CRT, no dependencies
Security model
All signatures via NCryptSignHash
Private keys never leave the smartcard
PIN handled only by Windows native UI
Secure pipes (DACL + per‑session GUID)
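The "DACL + per-session GUID" pipe model above is the part of the design most worth checking for yourself, so here is an added example of that technique in Windows PowerShell 5.1 (.NET Framework). It is not the project's code: the "demo-agent" name prefix, buffer sizes and the client round trip are assumptions made for the demo. The server grants access only to the SID of the user that created it, names the pipe with a fresh GUID so it cannot be squatted in advance, and limits itself to a single instance. The same-user client connect at the end succeeds; a client started under another account (for example via runas) should fail with an access-denied UnauthorizedAccessException because no ACE matches it.

```powershell
# Added example, not the project's own code: an owner-only named pipe with a
# per-session GUID suffix, plus a check of the resulting DACL and a same-user connect.
Add-Type -AssemblyName System.Core   # NamedPipeServerStream / PipeSecurity on .NET Framework

# SID of the calling user; the DACL below admits this identity and nothing else.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

$sec = [System.IO.Pipes.PipeSecurity]::new()
$sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
    $me,
    [System.IO.Pipes.PipeAccessRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Allow))
$sec.SetOwner($me)

# Per-session random name; "demo-agent" is a hypothetical prefix for this demo.
$pipeName = 'demo-agent-{0}' -f [guid]::NewGuid()

$server = [System.IO.Pipes.NamedPipeServerStream]::new(
    $pipeName,
    [System.IO.Pipes.PipeDirection]::InOut,
    1,                                               # single instance: no second server can attach
    [System.IO.Pipes.PipeTransmissionMode]::Byte,
    [System.IO.Pipes.PipeOptions]::None,
    4096, 4096,                                      # in/out buffer sizes (assumed values)
    $sec)
Write-Host "listening on \\.\pipe\$pipeName"

# Check: the effective DACL should contain exactly one Allow ACE, for our own SID.
$rules = $server.GetAccessControl().GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$rules | Format-Table IdentityReference, PipeAccessRights, AccessControlType -AutoSize
if ($rules.Count -ne 1 -or $rules[0].IdentityReference -ne $me) {
    throw "unexpected DACL on pipe $pipeName"
}

# Same-user round trip: server waits asynchronously, client connects and sends a byte.
$accept = $server.WaitForConnectionAsync()
$client = [System.IO.Pipes.NamedPipeClientStream]::new(
    '.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut)
$client.Connect(2000)                                # ms; another account should get access denied here
$accept.Wait()
$client.WriteByte(0x2A); $client.Flush()
$got = $server.ReadByte()
Write-Host ("server received 0x{0:X2} from same-user client" -f $got)

$client.Dispose(); $server.Dispose()
```

One caveat a native implementation should not miss: .NET Framework does not expose PIPE_REJECT_REMOTE_CLIENTS, so an agent written against CreateNamedPipe directly should pass that flag in addition to the DACL, and should also verify the connecting client's identity (for example with ImpersonateNamedPipeClient or GetNamedPipeClientProcessId) rather than trusting the pipe name alone.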
Why I built this
Smartcard support on Windows for SSH has historically been fragmented across multiple tools and middleware stacks.
I wanted something minimal, auditable, and predictable that works across Git, WSL2, VSCode, and RDP without hacks.
Sanmilie•1h ago