How to extract private keys from an ssh-agent?

家住魔仙堡 提交于 2019-12-03 23:37:11

It's not possible to get the private key or to perform encryption using the protocol between ssh and ssh-agent, but it's possible to get the private key by dumping the memory of the ssh-agent. On Linux you have to be root to do the memory dump.

I've just found a very good explanation about how ssh-agent works: http://www.unixwiz.net/techtips/ssh-agent-forwarding.html . This partially answers some of my questions.

  • One of the more clever aspects of the agent is how it can verify a user's identity (or more precisely, possession of a private key) without revealing that private key to anybody.

  • One of the security benefits of agent forwarding is that the user's private key never appears on remote systems or on the wire, even in encrypted form.

Thus the protocol between the SSH client and the ssh-agent proviedes no way in SSH1 or SSH2 to get out the private keys from an ssh-agent.

However, as root you can get a memory dump of ssh-agent, and try to extract the private key from there. https://blog.netspi.com/stealing-unencrypted-ssh-agent-keys-from-memory does exactly that, and there are other pieces of software mentioned in the comment section of that page. However, the software on that page didn't work for me on Debian buster: the memory dump didn't contain any keys, even though ssh-add -l has displayed an RSA key.

In my case I accidentally deleted the .ssh folder but my keys are loaded. But since I can't recover those from ssh-add so I had to use file recovery software.

You probably don't need to. Most likely you just want a public key:

ssh-add -L > ~/.ssh/id_rsa.pub
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!