
A native Windows SSH agent using CNG/KSP, with no dependencies, smartcard support, and full RDP compatibility

Windows ships with a strong cryptographic subsystem (CNG/KSP), a mature certificate store, and enterprise identity mechanisms such as ADCS, TPM, Windows Hello, and smartcards. Despite this, Windows still lacks a modern SSH agent capable of using these identities.

Existing solutions fall short in real environments:

- OpenSSH for Windows cannot use CNG/KSP keys or enterprise certificates.
- Pageant does not work reliably in RDP or multi-session environments.
- gpg-agent is not native to Windows and cannot use CNG/KSP or smartcards.
- OpenSC PKCS#11 modules do not integrate with the Windows Certificate Store.
- WinCryptSSHAgent is incomplete and unstable under load.

For an OS used heavily in enterprise environments, this gap has been present for more than a decade. This project implements the missing piece.

Overview

SRO PKCS11 – SSH Agent CNG is a single Windows executable that unifies:

- a complete PKCS#11 module (Firefox, OpenSC, ssh -I)
- an OpenSSH-compatible SSH agent
- a Pageant-compatible server f
Continue reading on Dev.to



