Where does Windows OpenSSH ssh-agent service secretly store private keys


Question

Got the Windows10 Pro additional feature "OpenSSH-Client" which includes ssh-agent functionality. Keys can be added to the agent with ssh-add. Much to my surprise this Windows implementation seems to store these private keys ON DISK - standard ssh-agent will only store them in RAM. Just try this:

ssh-add <private key from thumbdrive>
## remove thumbdrive
## stop ssh-agent service
## start ssh-agent service
ssh-add -l

And, Lo and Behold, keys are still there; even reboot won't wipe them!

So now my really, really secure private keys are somewhere on the system disk. How can I erase them and any relics that might be still on disk? Does anyone know the location where these are kept?

BTW. personally, I find this a bad feature extension to the original OpenSSH ssh-agent

Accepted answer

OK, answering my own question:

Short answer: ssh-add -D will delete the keys .... sort of.

Keys are stored in the Registry under HKCU\Software\OpenSSH\Agent\Keys. Figured this out from the source at https://github.com/PowerShell/openssh-portable/releases/tag/v8.1.0.0 in file contrib/win32/win32compat/ssh-agent/keyagent-request.c

On the plus side, this implementation uses DPAPI on the private part of the stored key. On the other hand, with the right privilege, ImpersonateLoggedOnUser can be used to decrypt this stored key.

Sadly, this implementation does not use the rigorous deleting method (BN_clear_free) as found in the original - a simple RegDeleteTreeA is supposed to suffice. So for real removal tinkering with ntuser.dat.log would be needed. The actual storage of the private keys on disk is NOT compliant with the manpage for the original:

The agent initially does not have any private keys.

Overall: although called the same, it is a very different thing. Some warnings about the use of this ssh-agent implementation:

  • it stores keys on disk - never use it in shared or guest situations
  • (traces of) keys remain on disk after deletion
  • this implementation does not comply with the openssh manpage ssh-agent.1 in security-critical aspects
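An audit script that follows from the answer above, added here as an example and not part of the original post or of the OpenSSH project: it lists the subkeys the Windows agent keeps under HKCU\Software\OpenSSH\Agent\Keys, compares that with what ssh-add -l reports, and can optionally run ssh-add -D and re-check the live registry view. It assumes one subkey per loaded key (as the answer describes) and only reads subkey and value names; it never touches the DPAPI-protected blobs.

```powershell
# Added audit example. Assumes each key loaded into the Windows OpenSSH agent
# becomes one subkey under the path below (per the answer); value names are
# listed but their DPAPI-protected contents are never read or decrypted.
$AgentKeysPath = 'HKCU:\Software\OpenSSH\Agent\Keys'

function Get-AgentRegistryKeyEntries {
    # Returns one object per subkey (one per stored key), or nothing if the path is absent.
    if (-not (Test-Path $AgentKeysPath)) { return @() }
    Get-ChildItem -Path $AgentKeysPath | ForEach-Object {
        [pscustomobject]@{
            SubKey     = $_.PSChildName
            ValueNames = $_.GetValueNames()
        }
    }
}

function Get-AgentLoadedKeyCount {
    # ssh-add -l prints one "<bits> <fingerprint> <comment> (<type>)" line per identity
    # and exits non-zero (with "The agent has no identities.") when the agent is empty.
    $out = & ssh-add -l 2>$null
    if ($LASTEXITCODE -ne 0) { return 0 }
    return @($out | Where-Object { $_ -match '^\d+ ' }).Count
}

function Test-AgentKeyResidue {
    param([switch]$Purge)   # -Purge additionally runs ssh-add -D and re-checks

    $before = @(Get-AgentRegistryKeyEntries)
    Write-Host ("Registry entries under {0}: {1}" -f $AgentKeysPath, $before.Count)
    Write-Host ("Identities reported by ssh-add -l: {0}" -f (Get-AgentLoadedKeyCount))
    foreach ($e in $before) {
        Write-Host ("  {0}  values: {1}" -f $e.SubKey, ($e.ValueNames -join ', '))
    }

    if ($Purge) {
        & ssh-add -D | Out-Null
        $after = @(Get-AgentRegistryKeyEntries)
        if ($after.Count -eq 0) {
            Write-Host "After ssh-add -D: no subkeys remain in the live registry view."
        } else {
            Write-Warning ("After ssh-add -D: {0} subkey(s) still present" -f $after.Count)
        }
    }
}

Test-AgentKeyResidue            # audit only
# Test-AgentKeyResidue -Purge   # remove the agent's keys via ssh-add -D, then re-check
```

Run it as the same user whose agent holds the keys, since the path is under HKCU. A mismatch between the two counts (registry subkeys versus ssh-add -l) is the thing to look for: it means material is persisted that the agent is not currently reporting. As the answer points out, an empty live registry view after ssh-add -D is not proof that the data is gone from disk, because the hive file (ntuser.dat and its .log) can still hold the deleted data.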

