Where does Windows OpenSSH ssh-agent service secretly store private keys
Got the Windows 10 Pro additional feature "OpenSSH-Client" which includes ssh-agent functionality. Keys can be added to the agent with ssh-add.

Much to my surprise this Windows implementation seems to store these private keys ON DISK - standard ssh-agent will only store them in RAM. Just try this:
```shell
ssh-add <private key from thumbdrive>
## remove thumbdrive
## stop ssh-agent service
## start ssh-agent service
ssh-add -l
```
And, lo and behold, keys are still there; even a reboot won't wipe them!

So now my really, really secure private keys are somewhere on the system disk. How can I erase them and any relics that might be still on disk? Does anyone know the location where these are kept?

BTW, personally, I find this a bad feature extension to the original OpenSSH ssh-agent.
OK, answering my own question:

Short answer: `ssh-add -D` will delete the keys.... sort of.
Keys are stored in the Registry under `HKCU\Software\OpenSSH\Agent\Keys`. Figured this out from the source at https://github.com/PowerShell/openssh-portable/releases/tag/v8.1.0.0 in file `contrib/win32/win32compat/ssh-agent/keyagent-request.c`.
On the plus side, this implementation uses DPAPI on the private part of the stored key. On the other hand, with the right privilege, ImpersonateLoggedOnUser can be used to decrypt this stored key.
Sadly, this implementation does not use the rigorous deleting method (`BN_clear_free`) as found in the original - a simple `RegDeleteTreeA` is supposed to suffice. So for real removal, tinkering with ntuser.dat.log would be needed. The actual storage of the private keys on disk is NOT compliant with the manpage for the original:

> The agent initially does not have any private keys.
Overall: although called the same, it is a very different thing. Some warnings about the use of this ssh-agent implementation:
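A way to audit this from a defender's side, given the registry location named in the answer: enumerate what the Windows ssh-agent has persisted under `HKCU\Software\OpenSSH\Agent\Keys`, run `ssh-add -D`, and confirm the entries are actually gone. This is an added example, not code from the original post or from the openssh-portable project. It assumes that each persisted key is a subkey under that root and that the function names `Get-PersistedAgentKeys` and `Test-AgentKeysCleared` are local helpers defined here; it only lists value names and never touches the DPAPI-protected blob.

```powershell
# Added example: audit and verify removal of keys persisted by the Windows
# OpenSSH ssh-agent. Registry path is the one given in the answer above;
# the "one subkey per key" layout is an assumption.

$AgentKeysPath = 'HKCU:\Software\OpenSSH\Agent\Keys'

function Get-PersistedAgentKeys {
    # Returns one object per persisted key (one subkey under the Keys root),
    # or an empty array when nothing is stored on disk.
    if (-not (Test-Path -Path $AgentKeysPath)) {
        return @()
    }
    Get-ChildItem -Path $AgentKeysPath | ForEach-Object {
        [PSCustomObject]@{
            SubKey     = $_.PSChildName        # assumed to be a key fingerprint
            ValueNames = $_.GetValueNames()    # names only; blobs are not read
        }
    }
}

function Test-AgentKeysCleared {
    # True when no persisted key subkeys remain.
    return (@(Get-PersistedAgentKeys)).Count -eq 0
}

# Usage: audit, clear through the agent's own interface, then re-audit.
$service = Get-Service -Name 'ssh-agent' -ErrorAction SilentlyContinue
if ($null -eq $service -or $service.Status -ne 'Running') {
    Write-Warning 'ssh-agent service is not running; ssh-add -D cannot reach it.'
}

$before = @(Get-PersistedAgentKeys)
Write-Host "Persisted agent keys before ssh-add -D: $($before.Count)"
$before | Format-Table -AutoSize

if ($before.Count -gt 0) {
    & ssh-add -D
    Start-Sleep -Seconds 1
    if (Test-AgentKeysCleared) {
        Write-Host 'Registry entries removed (RegDeleteTree, not a secure wipe).'
    } else {
        Write-Warning 'Registry entries remain after ssh-add -D; check the service state.'
    }
}
```

The script reports the subkey names and which values each one carries, which is enough to tell whether a key is still on disk after `ssh-add -D` or a service restart. As the answer notes, a removed subkey is only unlinked from the hive, so a clean result here does not mean the bytes are gone from `ntuser.dat` or its log.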