
tl;dr: Does OpenSSH integrate with Windows, so that on unlocking Windows ssh-agent will "unlock" its password-secured private keys?

On macOS and Linux you usually have some kind of keychain handler that will integrate with ssh-agent (somehow) and unlock password-enabled private keys automatically after only unlocking the keychain itself. It caches the passwords once and reuses them. On Windows you seem to have something similar: when 1Password has been unlocked once on the computer, you only need to supply the Windows user PIN to unlock it the next time it is locked. So there is some kind of integration between Windows and 1Password. I was wondering if there was something that made use of similar tech to make ssh-agent interface with Windows? I would like to unlock some keychain once and have it automatically supply passwords for all my secured private keys.

oligofren

1 Answer

On Linux and (I believe) macOS, the keychain is by default set up to directly use your login password as the keychain password as well.

Microsoft's port of OpenSSH to Windows already does the same, only the "keychain" is even more tightly integrated to your Windows account. The version of ssh-agent distributed with Windows uses the Data Protection API to encrypt the private keys which are stored in the Registry (though, oddly, not in the cryptographic key store provided by CAPI/CNG).

The DPAPI master key is itself protected using your Windows login password (which is why Windows warns you about data loss when forcing a password reset).

grawity
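The mechanism the answer describes, as an added PowerShell walk-through (this is not code from the question, the answer, or the Win32-OpenSSH project). It assumes a Windows 10/11 machine with the optional "OpenSSH Client" feature installed, an elevated PowerShell session, and a key at `$env:USERPROFILE\.ssh\id_ed25519`; the registry path `HKLM\SOFTWARE\OpenSSH\Agent\Keys` and the value names `comment` and `type` are taken from my reading of the Win32-OpenSSH agent source and should be checked against your build.

```powershell
# Added example, not part of the original answer. Assumptions: Windows with the
# OpenSSH Client feature, elevated PowerShell, and a key file at the path below.

# 1. The built-in agent service is installed but disabled by default; enable it and
#    start it. The same service keeps running across lock/unlock of the session.
Set-Service -Name ssh-agent -StartupType Automatic
Start-Service -Name ssh-agent

# 2. Add a passphrase-protected key once. ssh-add prompts for the passphrase; after
#    that, ssh.exe gets the key from the agent and never asks again.
ssh-add "$env:USERPROFILE\.ssh\id_ed25519"
ssh-add -l    # fingerprints the agent currently holds

# 3. Where the Windows agent persists what you added (assumed layout: one subkey per
#    key, named by fingerprint). The key material is a DPAPI blob, not a plaintext
#    key file, which is why this survives a reboot without re-entering the passphrase.
$keysPath = 'HKLM:\SOFTWARE\OpenSSH\Agent\Keys'
Get-ChildItem $keysPath | ForEach-Object {
    $v = Get-ItemProperty $_.PSPath
    [pscustomobject]@{
        Fingerprint = $_.PSChildName
        Comment     = [Text.Encoding]::UTF8.GetString($v.comment)   # REG_BINARY
        KeyType     = $v.type                                       # REG_DWORD
        BlobBytes   = $v.'(default)'.Length                         # DPAPI ciphertext
    }
}

# 4. What a DPAPI blob is bound to: the master key of the account that called
#    Protect(). The same ciphertext only decrypts in that account's context, and the
#    master key is in turn protected by the account's logon credential. Demonstrated
#    with the .NET wrapper on constructed sample bytes (not a real agent blob).
Add-Type -AssemblyName System.Security
$scope   = [Security.Cryptography.DataProtectionScope]::CurrentUser
$secret  = [Text.Encoding]::UTF8.GetBytes('constructed sample private-key bytes')
$blob    = [Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
$restore = [Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
[Text.Encoding]::UTF8.GetString($restore)   # same string back in this user's session
```

Two practical caveats. Step 3 needs administrative rights because the agent runs as a Windows service; an unprivileged user sees only what `ssh-add -l` reports. And the DPAPI round trip in step 4 is the point of the answer: you get the plaintext back only because you are the same principal that encrypted it, so an attacker who copies the registry blobs to another machine without the corresponding master key gets ciphertext, while an administrator on the same box can still ask DPAPI to decrypt them.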