Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
837 views
in Technique[技术] by (71.8m points)

encryption - How to extract private keys from an ssh-agent?

ssh-add -l displays that I have 3 RSA keys added to my SSH agent.

ssh-add -L displays those public keys.

How do I get the private keys as well, so that I can save them to a file? Or is it by design that this is impossible? How does it work then?

Can ssh-agent be asked to do operations using the private key? How can I ask it to encrypt/decrypt a number for me?

It's OK that I have to write code for this (the programming language doesn't matter), but I'd prefer using an existing tool or a library.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

It's not possible to get the private key or to perform encryption using the protocol between ssh and ssh-agent, but it's possible to get the private key by dumping the memory of the ssh-agent. On Linux you have to be root to do the memory dump.

I've just found a very good explanation about how ssh-agent works: http://www.unixwiz.net/techtips/ssh-agent-forwarding.html . This partially answers some of my questions.

  • One of the more clever aspects of the agent is how it can verify a user's identity (or more precisely, possession of a private key) without revealing that private key to anybody.

  • One of the security benefits of agent forwarding is that the user's private key never appears on remote systems or on the wire, even in encrypted form.

Thus the protocol between the SSH client and the ssh-agent proviedes no way in SSH1 or SSH2 to get out the private keys from an ssh-agent.

However, as root you can get a memory dump of ssh-agent, and try to extract the private key from there. https://blog.netspi.com/stealing-unencrypted-ssh-agent-keys-from-memory does exactly that, and there are other pieces of software mentioned in the comment section of that page. However, the software on that page didn't work for me on Debian buster: the memory dump didn't contain any keys, even though ssh-add -l has displayed an RSA key.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...