
tldr; Does OpenSSH integrate with Windows, so that on unlocking Windows ssh-agent will "unlock" its password-secured private keys?

On macOS and in Linux you usually have some kind of keychain handler that will integrate with ssh-agent (somehow) and unlock password-enabled private keys automatically after only unlocking the keychain itself. It caches the passwords once and reuses them. On Windows you seem to have something similar: when 1Password has been unlocked once on the computer you only need to supply the Windows user PIN to unlock it the next time it is locked. So there is some kind of integration between Windows and 1Password. I was wondering if there was something that made use of some similar tech to make ssh-agent interface with Windows? I would like to unlock some keychain once and have it automatically supply passwords for all my secured private keys.

oligofren
  • Are you asking about the ssh-agent that comes built in as part of Windows 10 OpenSSH packaging, or about a different version? – u1686_grawity Apr 19 '21 at 14:07
  • @user1686 I was unaware that was special in some regard. TBH I currently just use ssh via WSL2, but I could probably install the Windows OpenSSH version and integrate with its ssh-agent using some symlink or something. edit: Oh, I just saw that you answered this now. – oligofren Apr 20 '21 at 10:21
  • It's slightly special, yes. Unlike original OpenSSH ssh-agent, which only stores keys in memory and requires an external keychain to re-load them upon every startup, the Microsoft port directly uses the registry as persistent storage. – u1686_grawity Apr 20 '21 at 10:23
  • @gronostaj Thank you for that link, but no, I was not thinking of adding a specific third-party password manager for this. I was wondering if there was some built-in integration in ssh-agent – oligofren Apr 20 '21 at 10:24
  • (Also: You don't strictly need to install the Windows OpenSSH client, as it's already present by default, but I would still recommend upgrading it to the latest release from Microsoft's GitHub page, as the one that's bundled is a bit old and is missing some Windows-specific integration, such as the ability to use the mouse via SSH.) – u1686_grawity Apr 20 '21 at 10:26
  • Just as a final side-note, these days I am using 1Password as my SSH Agent, as I could then use the same SSH keys on mac, Linux and Windows boxes. Works great with a bit of automated setup :) – oligofren Sep 04 '23 at 10:54

1 Answer

On Linux and (I believe) macOS, the keychain is by default set up to directly use your login password as the keychain password as well.

Microsoft's port of OpenSSH to Windows already does the same, only the "keychain" is even more tightly integrated to your Windows account. The version of ssh-agent distributed with Windows uses the Data Protection API to encrypt the private keys which are stored in the Registry (though, oddly, not in the cryptographic key store provided by CAPI/CNG).

The DPAPI master key is itself protected using your Windows login password (which is why Windows warns you about data loss when forcing a password reset).

u1686_grawity
  • Hmm ... this sounds very promising! I would need to check this out before awarding you the answer, but definitely upvoting :) – oligofren Apr 20 '21 at 10:22
  • I think it's been long enough to award this the answer now! – ch4rl1e97 Jul 13 '23 at 23:09
  • Related SO thread. Judging from this open issue (in Sep 2023), using the built-in ssh-agent at all seems like a liability. I don't claim to be an expert here, but something about the bundled OpenSSH being badly out-of-date and having to side-load a version from GitHub to get updates skeeves me out. – Kevin E Sep 04 '23 at 00:17
  • @TheDudeAbides: I suppose it's the same situation as with e.g. Debian or Ubuntu, whose OpenSSH (and everything else) very quickly becomes badly out-of-date; the question is whether they deploy security fixes for the version they have or not. – u1686_grawity Sep 04 '23 at 11:26
  • @u1686_grawity: It's a distinct possibility that the bundled OpenSSH is now getting updates through the usual Windows update channels, and I am taking a four-year-old GitHub issue out of context. What concerns me more—if it even still does this—is the Windows ssh-agent's habit of storing decrypted private keys in the registry. – Kevin E Sep 04 '23 at 18:35
  • Whatever the case, as long as your login password is at least as strong as your SSH private key password, this is better than starting the ssh-agent service manually every time you log in, or unlocking your private key every time you use it, or (the horror) copy-pasting the password from an Excel spreadsheet on your desktop. – Kevin E Sep 04 '23 at 18:42
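The answer above describes the mechanism but not the setup, so here is an added example (not code from the answer, the question, or Microsoft's OpenSSH project) showing the three pieces in Windows PowerShell 5.1: putting the built-in ssh-agent service on automatic start so it is available at every logon, loading a key once so the agent holds it, and a round trip through the DPAPI `ProtectedData` class, which is the API the answer says the agent uses, to show that data protected in `CurrentUser` scope is bound to the logon credentials. The key path `$KeyPath` is an assumption; the sample secret is constructed. The service commands need an elevated prompt.

```powershell
# Added example; not the answer's or the OpenSSH project's own code.

# --- 1. Make the built-in agent start automatically at logon (elevated prompt) ---
$svc = Get-Service -Name ssh-agent -ErrorAction Stop
if ($svc.StartType -ne 'Automatic') {
    Set-Service -Name ssh-agent -StartupType Automatic
}
if ($svc.Status -ne 'Running') {
    Start-Service -Name ssh-agent
}

# --- 2. Load a key once; ssh-add prompts for the passphrase this one time ---
# $KeyPath is an assumed location; point it at your own key file.
$KeyPath = Join-Path $env:USERPROFILE '.ssh\id_ed25519'
& ssh-add $KeyPath
& ssh-add -l   # list the identities the agent now holds

# --- 3. DPAPI round trip, the protection the answer says the agent relies on ---
Add-Type -AssemblyName System.Security
$plain   = [Text.Encoding]::UTF8.GetBytes('constructed sample secret')
$entropy = $null   # optional extra secret; what ssh-agent passes here is not on the page
$scope   = [Security.Cryptography.DataProtectionScope]::CurrentUser

$blob = [Security.Cryptography.ProtectedData]::Protect($plain, $entropy, $scope)
$back = [Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
[Text.Encoding]::UTF8.GetString($back)   # the original string, under the same account

# Unprotect run as a different user, or after the user's DPAPI master key is
# lost to a forced password reset (the warning the answer mentions), throws a
# CryptographicException rather than returning the plaintext.
```

The `CurrentUser` scope is the property that makes the agent's behaviour match the answer: the blob is only recoverable by the account whose logon credentials derive the DPAPI master key, which is also why a forced password reset, rather than a normal password change, severs access to it.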