Caution! about SSH agent service in Windows

Caution: about the behaviour of ssh-agent in the native SSH client in Windows 10 PowerShell, and its associated service.

I have been coming up to speed on the use of SSH, with help from YouTube videos from both LTS and LearnLinuxTV. Below is something I found surprising.


About SSH client in Windows PowerShell

  • The SSH client was added to Windows 10 PowerShell in the April 2018 release. (This is native to PowerShell, and different to any implementation in WSL2.)
  • The command-line options in PowerShell provide similar functionality to what you have in Linux.
  • There is also an ssh-agent which runs as a Windows service, named "OpenSSH Authentication Agent". It is not enabled by default, but can easily be set to run automatically.

Behaviour of ssh-agent, Linux vs Windows

This Windows "ssh-agent" behaves differently to the regular Linux implementation with respect to the persistence of private keys that have passphrases.

  • With Linux, the ssh-agent keeps the unlocked private keys in memory associated with your current terminal session, and forgets them when that session ends. In practical terms it means you have to enter your passphrase just once per session.
  • But with the Windows implementation of ssh-agent, the unlocked private keys are saved to the Registry, and do not disappear at the end of the PowerShell session or when you log off. So you type your passphrase just once and it is never needed again on that workstation! Those private keys remain immediately available to you on that workstation whenever the ssh-agent service is running.

How Windows ssh-agent stores data

Digging a bit deeper, the agent stores its data in the Registry under the key:
HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys
The items in the …\Keys folder are named like "SHA256:G84TfeXhm8JDw3qKh/SaftQjtcUcrccd6ozX1qJ+Hqc"; the registry key name used is the fingerprint of the related SSH key.


I found this closed issue on GitHub (PowerShell → Win32-OpenSSH). The response from the developers is that the persistent behaviour of ssh-agent is "as intended".


The blog cited below describes how you can reconstruct the original private key from these registry entries.
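As an added example (not code from the original post or from the Win32-OpenSSH project), here is how to check the points above on your own workstation from PowerShell: the state of the "OpenSSH Authentication Agent" service, the fingerprints the agent reports versus the subkeys it has written to the Registry, and how to make it forget them. It assumes Windows 10 with the built-in OpenSSH client and Windows PowerShell 5.1 or later; the value name `comment` under each fingerprint subkey is an assumption based on what the agent writes, so the code lists the value names it actually finds rather than relying on it.

```powershell
# Added example: inspect and clear the keys the Windows ssh-agent service has
# persisted in the Registry. Assumes Windows 10 with the built-in OpenSSH client.

$AgentKeyPath = 'HKCU:\Software\OpenSSH\Agent\Keys'

function Get-PersistedAgentKey {
    # One subkey per unlocked key, named by its SHA256 fingerprint.
    # The value names are listed as found; "comment" (assumed to hold the key
    # comment, stored as raw bytes) is decoded when present.
    if (-not (Test-Path -Path $AgentKeyPath)) { return }
    Get-ChildItem -Path $AgentKeyPath | ForEach-Object {
        $values  = $_.GetValueNames()
        $comment = $null
        if ($values -contains 'comment') {
            $raw = $_.GetValue('comment')
            $comment = if ($raw -is [byte[]]) { [Text.Encoding]::ASCII.GetString($raw) } else { [string]$raw }
        }
        [pscustomobject]@{
            Fingerprint = $_.PSChildName
            Comment     = $comment
            ValueNames  = ($values -join ', ')
        }
    }
}

# 1. Service state. StartType is Disabled on a fresh Windows 10; Automatic means
#    the persisted keys are available, unlocked, after every reboot.
Get-Service -Name ssh-agent | Select-Object Name, Status, StartType

# 2. What the agent reports versus what the Registry holds. The fingerprints
#    printed by `ssh-add -l` should match the subkey names one for one.
ssh-add -l
Get-PersistedAgentKey | Format-Table Fingerprint, Comment, ValueNames

# 3. Forget the keys: `ssh-add -D` asks the agent to remove all identities, which
#    should empty the Keys subkey as well. Re-run the enumeration to confirm.
ssh-add -D
Get-PersistedAgentKey

# 4. If you do not want the persistence at all, stop the service and set it back
#    to Disabled (run from an elevated PowerShell). Without the agent, ssh.exe
#    simply prompts for the passphrase on each connection, as it does on Linux
#    when no agent is running.
Stop-Service -Name ssh-agent
Set-Service -Name ssh-agent -StartupType Disabled
```

The useful habit is step 2: if `ssh-add -l` shows a fingerprint, expect to find the same string as a subkey under `HKCU:\Software\OpenSSH\Agent\Keys`, and treat it as an unlocked key that survives logoff until you run `ssh-add -D` or stop the service.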

Brilliant! Glad I am a 99% *nix household. I'd be 100% if not for a single app insisting on using .NET.

I've been using Tera Term or PuTTY for this kind of stuff; I didn't even know that SSH had been enabled in PowerShell.

Does the ssh client from the old cmd.exe behave the same way?

I have checked, and you can run SSH on Windows 10 via any of:

  • PowerShell as a tab within Windows Terminal (how I do things by default)
  • PowerShell standalone window
  • Command Prompt as a tab within Windows Terminal
  • Command Prompt standalone window

Observations

  • All options made use of the same set of keys, config file and known_hosts file.
  • All options were running the same ssh.exe. Its details:
    • Directory: C:\Windows\System32\OpenSSH
    • Version: 8.1.0.1
    • All the executables are shown in the screenshot below.
    • Note that there seems to be no implementation in Windows of ssh-copy-id, the command used to copy public keys to the authorized_keys file on servers.

[screenshot: the executables in C:\Windows\System32\OpenSSH]
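As an added example (not code from the original post or from the Win32-OpenSSH project), the snippet below first confirms which ssh.exe PowerShell resolves to, and then fills the gap noted above by doing what ssh-copy-id does: append a local public key to `~/.ssh/authorized_keys` on the server with the permissions sshd expects. The destination `user@server.example` and the default key path are placeholders, and the `Copy-SshId` function name is my own.

```powershell
# Added example: which ssh.exe is in use, and an ssh-copy-id substitute for the
# Windows 10 OpenSSH client. 'user@server.example' and the key path are assumptions.

# PowerShell and cmd.exe both resolve "ssh" through PATH to the same binary.
Get-Command -Name ssh.exe | Select-Object Source, Version
ssh -V

function Copy-SshId {
    param(
        [Parameter(Mandatory)] [string] $Destination,   # user@host, as ssh accepts it
        [string] $PublicKeyPath = "$env:USERPROFILE\.ssh\id_ed25519.pub"
    )
    $pubKey = (Get-Content -Path $PublicKeyPath -Raw).Trim()

    # Refuse to ship anything that is not a single OpenSSH public key line, e.g.
    # the private key picked by mistake (which would start with -----BEGIN).
    if ($pubKey -notmatch '^(ssh-|ecdsa-sha2-|sk-)\S+ [A-Za-z0-9+/=]+') {
        throw "Not an OpenSSH public key: $PublicKeyPath"
    }

    # The key travels on stdin, so it never needs quoting for the remote shell.
    # umask 077 makes ~/.ssh 700 and authorized_keys 600 when they are created,
    # which sshd's default StrictModes requires; tr strips the CR that a Windows
    # pipe appends to the line.
    $remote = "umask 077; mkdir -p ~/.ssh; tr -d '\r' >> ~/.ssh/authorized_keys"
    $pubKey | ssh $Destination $remote
    if ($LASTEXITCODE -ne 0) { throw "ssh exited with code $LASTEXITCODE" }
}

# Install the key, then prove that key authentication works by forbidding
# password authentication for the test login.
Copy-SshId -Destination 'user@server.example'
ssh -o PasswordAuthentication=no 'user@server.example' 'echo key-auth-ok'
```

The final `ssh -o PasswordAuthentication=no` line is the check worth keeping: if it prints `key-auth-ok` the public key was installed with usable permissions, and if it fails the cause is on the server side (permissions, `AuthorizedKeysFile`, or `StrictModes`) rather than in the copy step.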