pts

Reputation: 87201

How to extract private keys from an ssh-agent?

ssh-add -l displays that I have 3 RSA keys added to my SSH agent.

ssh-add -L displays those public keys.

How do I get the private keys as well, so that I can save them to a file? Or is it by design that this is impossible? How does it work then?

Can ssh-agent be asked to do operations using the private key? How can I ask it to encrypt/decrypt a number for me?

It's OK that I have to write code for this (the programming language doesn't matter), but I'd prefer using an existing tool or a library.

Upvotes: 22

Views: 23648

Answers (5)

Wesley Jones

Reputation: 73

TLDR: Using this tool, you can automate the extraction of SSH private keys from an SSH agent memory dump (as root).

This tool can extract multiple SSH private keys from the ssh-agent at once. It supports SSH RSA and SSH ED25519 private key types.

It works, as described in the blog posts mentioned above, by searching for a magic string in memory, finding structures, parsing several structures to locate the shielded private key, and unshielding (decoding) the private key memory bytes into an SSH format printed to the screen.

The private keys output by this tool are unencrypted and can be used directly to connect to your servers.

See the project's README file for more info.

https://github.com/Kracken256/ssh-keyfinder

Disclosure: I am an author of this tool.

Upvotes: 2

jhnc

Reputation: 16642

If on Windows 10, apparently the method described in this blog post worked in 2018. The author links to proof-of-concept code on github:

tl;dr

Private keys are protected with DPAPI and stored in the HKCU registry hive. I released some PoC code here to extract and reconstruct the RSA private key from the registry

Upvotes: 0

Vanuan

Reputation: 33402

You probably don't need to. Most likely you just want a public key:

ssh-add -L > ~/.ssh/id_rsa.pub

Upvotes: -11

pts

Reputation: 87201

It's not possible to get the private key or to perform encryption using the protocol between ssh and ssh-agent, but it's possible to get the private key by dumping the memory of the ssh-agent. On Linux you have to be root to do the memory dump.

I've just found a very good explanation about how ssh-agent works: http://www.unixwiz.net/techtips/ssh-agent-forwarding.html. This partially answers some of my questions.

  • One of the more clever aspects of the agent is how it can verify a user's identity (or more precisely, possession of a private key) without revealing that private key to anybody.

  • One of the security benefits of agent forwarding is that the user's private key never appears on remote systems or on the wire, even in encrypted form.

Thus the protocol between the SSH client and the ssh-agent provides no way in SSH1 or SSH2 to get the private keys out of an ssh-agent.

However, as root you can get a memory dump of ssh-agent, and try to extract the private key from there. https://blog.netspi.com/stealing-unencrypted-ssh-agent-keys-from-memory does exactly that, and there are other pieces of software mentioned in the comment section of that page. However, the software on that page didn't work for me on Debian buster: the memory dump didn't contain any keys, even though ssh-add -l displayed an RSA key.

Upvotes: 17
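The protocol limitation described in the answer above (the agent only lists keys and signs data you hand it; there is no request that returns a private key, and no encrypt/decrypt operation) can be seen directly by speaking the ssh-agent wire protocol. The following is an added example, not code from any answer or from OpenSSH: a minimal Python client using the message numbers from draft-miller-ssh-agent. The function names are my own, and `SSH_AUTH_SOCK` must point at a running agent for `agent_call` to work; the framing and parsing functions run offline.

```python
import os
import socket
import struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER = 11, 12
SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 13, 14

def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    """Decode one SSH wire string at `off`; return (value, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """SSH_AGENTC_SIGN_REQUEST body: sign `data` with the key named by its public blob."""
    return (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))

def parse_identities_answer(msg: bytes):
    """SSH_AGENT_IDENTITIES_ANSWER -> [(public_key_blob, comment), ...]."""
    if msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected reply type %d" % msg[0])
    (count,) = struct.unpack_from(">I", msg, 1)
    off, ids = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        ids.append((blob, comment.decode()))
    return ids

def parse_sign_response(msg: bytes):
    """SSH_AGENT_SIGN_RESPONSE -> (signature_algorithm, raw_signature)."""
    if msg[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("agent refused to sign (reply type %d)" % msg[0])
    sig_blob, _ = read_string(msg, 1)
    algo, off = read_string(sig_blob, 0)
    return algo.decode(), read_string(sig_blob, off)[0]

def agent_call(body: bytes) -> bytes:
    """Send one length-framed request to $SSH_AUTH_SOCK; return the reply body."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        s.sendall(ssh_string(body))
        f = s.makefile("rb")
        (n,) = struct.unpack(">I", f.read(4))
        return f.read(n)
```

With an agent running, `parse_identities_answer(agent_call(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))` gives the same public blobs as `ssh-add -L`, and `parse_sign_response(agent_call(build_sign_request(blob, data)))` returns a signature over `data` without the private key ever leaving the agent process.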

Zelocox

Reputation: 31

In my case I accidentally deleted the .ssh folder, but my keys are still loaded. Since I can't recover those from ssh-add, I had to use file recovery software.

Upvotes: 1
