
tl;dr: Does OpenSSH integrate with Windows, so that on unlocking Windows ssh-agent will "unlock" its password-secured private keys?

On macOS and on Linux you usually have some kind of keychain handler that will integrate with ssh-agent (somehow) and unlock password-enabled private keys automatically after only unlocking the keychain itself. It caches the passwords once and reuses them. On Windows you seem to have something similar: when 1Password has been unlocked once on the computer, you only need to supply the Windows user PIN to unlock it the next time it is locked. So there is some kind of integration between Windows and 1Password. I was wondering if there was something that made use of similar tech to make ssh-agent interface with Windows? I would like to unlock some keychain once and have it automatically supply passwords for all my secured private keys.

oligofren
  • Are you asking about the ssh-agent that comes built in as part of Windows 10 OpenSSH packaging, or about a different version? – u1686_grawity Apr 19 '21 at 14:07
  • Does this answer your question? [How do I use KeePassXC as an SSH agent?](https://superuser.com/questions/1595123/how-do-i-use-keepassxc-as-an-ssh-agent) – gronostaj Apr 19 '21 at 14:21
  • @user1686 I was unaware that was special in some regard. TBH I currently just use ssh via WSL2, but I could probably install the Windows OpenSSH version and integrate with its `ssh-agent` using some symlink or something. edit: Oh, I just saw that you answered this now. – oligofren Apr 20 '21 at 10:21
  • It's slightly special, yes. Unlike the original OpenSSH ssh-agent, which only stores keys in memory and requires an external keychain to re-load them upon every startup, the Microsoft port directly uses the registry as persistent storage. – u1686_grawity Apr 20 '21 at 10:23
  • @gronostaj Thank you for that link, but no, I was not thinking of adding a specific third-party password manager for this. I was wondering if there was some built-in integration in `ssh-agent` – oligofren Apr 20 '21 at 10:24
  • (Also: You don't strictly _need_ to install the Windows OpenSSH client, as it's already present by default, but I would still recommend upgrading it to the latest release from Microsoft's GitHub page, as the one that's bundled is a bit old and is missing some Windows-specific integration, such as the ability to use the mouse via SSH.) – u1686_grawity Apr 20 '21 at 10:26

1 Answer

On Linux and (I believe) macOS, the keychain is by default set up to directly use your login password as the keychain password as well.

Microsoft's port of OpenSSH to Windows already does the same, only the "keychain" is even more tightly integrated with your Windows account. The version of ssh-agent distributed with Windows uses the Data Protection API to encrypt the private keys, which are stored in the Registry (though, oddly, not in the cryptographic key store provided by CAPI/CNG).

The DPAPI master key is itself protected using your Windows login password (which is why Windows warns you about data loss when forcing a password reset).

u1686_grawity
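To see the property this answer relies on, here is an added PowerShell example (not from the answer and not Microsoft's OpenSSH code) that protects a constructed secret with DPAPI under the current user's scope, as the Windows ssh-agent does with the private keys it persists, and then recovers it in the same account without any passphrase. It assumes you are on Windows, where .NET's `System.Security.Cryptography.ProtectedData` is available in both Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example: DPAPI user-scope protection, the mechanism the Windows ssh-agent
# uses for the private keys it keeps at rest. This is not the agent's own code.
Add-Type -AssemblyName System.Security -ErrorAction SilentlyContinue   # Windows PowerShell 5.1

# Constructed stand-in for a private key's bytes; never use real key material here.
$secret  = [System.Text.Encoding]::UTF8.GetBytes('constructed stand-in for key material')

# Optional entropy acts as an application-specific salt on top of the user's master key.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('demo-entropy')

# CurrentUser scope ties the blob to this Windows account's DPAPI master key, which is
# itself protected by the account's login password, exactly as the answer describes.
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$blob  = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

# The opaque blob is what sits at rest (the agent keeps its blobs in the Registry).
'Protected blob: {0} bytes, begins {1}...' -f $blob.Length, [Convert]::ToBase64String($blob).Substring(0, 24)

# Unprotect in the same account: no passphrase prompt, because Windows already
# unlocked the master key when you logged in. This is why ssh-add only asks once.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
[System.Text.Encoding]::UTF8.GetString($plain)

# Caveat the answer points to: run the Unprotect call as a different user, or after an
# administrator force-resets this account's password so the master key can no longer be
# decrypted, and it throws a CryptographicException instead of returning the plaintext.
```

Copy the base64 blob to another account on the same machine and attempt the Unprotect call there to confirm the account binding for yourself.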