ssh-agent
Developer(s) | The OpenBSD Project |
---|---|
Repository | github |
Written in | C |
Operating system | Unix, Unix-like, Microsoft Windows |
Type | Command |
License | BSD, ISC, public domain |
Website | www |
Secure Shell (SSH) is a protocol allowing secure remote login to a computer on a network using public-key cryptography. SSH client programs (such as ssh
from OpenSSH) typically run for the duration of a remote login session and are configured to look for the user's private key in a file in the user's home directory (e.g., .ssh/id_rsa
). For added security (for instance, against an attacker that can read any file on the local filesystem), it is common to store the private key in an encrypted form, where the encryption key is computed from a passphrase that the user has memorized. Because typing the passphrase can be tedious, many users would prefer to enter it just once per local login session. The most secure place to store the unencrypted key is in program memory, and in Unix-like operating systems, memory is normally associated with a process. A normal SSH client process cannot be used to store the unencrypted key because SSH client processes only last the duration of a remote login session. Therefore, users run a program called ssh-agent that runs beyond the duration of a local login session, stores unencrypted keys in memory, and communicates with SSH clients using a Unix domain socket.
Security issues
ssh-agent
creates a socket and then checks the connections from ssh
. Everyone who is able to connect to this socket also has access to the ssh-agent
. The permissions are set as in a usual Linux or Unix system. When the agent starts, it creates a new directory in /tmp
with restrictive permissions. The socket is located in this directory.
There is a procedure that may prevent malware from using the ssh-agent
socket. If the ssh-add -c
option is set when the keys are imported into the ssh-agent
, then the agent requests a confirmation from the user using the program specified by the SSH_ASKPASS
environment variable, whenever ssh
tries to connect.
Ssh-agents can be "forwarded" onto a server you connect to, making their keys available there as well, for other connections. On the local system, it is important that the root user is trustworthy, because the root user can, amongst other things, just read the key file directly. On the remote system, if the ssh-agent
connection is forwarded, it is also important that the root user on the other end is trustworthy, because it can access the agent socket on the remote (though not the key, which stays local).
Implementations
There are many different programs that perform the same functionality as the OpenSSH ssh-agent, some with very different user interfaces. PuTTY, for example, uses a graphical user interface in its bundled Pageant ssh-agent.
There are tools designed to provide key-agent functionality for both symmetric and asymmetric keys; these usually provide ssh-agent functionality as one of their application interfaces. Examples include GNOME Keyring and KWallet.
Some monolithic SSH clients include the ability to remember SSH passphrases across sessions. Examples include: SecureCRT.
Apple macOS
On the macOS operating system, ssh-agent has been integrated since Leopard, version 10.5 in 2007. Third-party open-source implementations of ssh-agent were available previously.[1]
Microsoft Windows
OpenSSH-based client and server programs have been included in Windows 10 since version 1803. The SSH client and key agent are enabled and available by default and the SSH server is an optional Feature-on-Demand.[2][3]
References
- ^ Dribin, Dave (21 August 2007). "SSHKeychain Warning". Dave Dribin's Blog.
- ^ "What's new for the Command Line in Windows 10 version 1803". 8 March 2018.
- ^ "Using the OpenSSH Beta in Windows 10 Fall Creators Update and Windows Server 1709". 15 December 2017.