Sourcetree Git - SSH passphrase prompt - putty

I have downloaded Sourcetree lately which comes with puttygen, plink and pageant.
I have set up an SSH public and private key, with a non-empty passphrase.
I was prompted for this passphrase when I added the private key to the Pageant key list. However, when I restart my machine and re-open Sourcetree I am re-prompted for this passphrase.
1) Should Pageant or Sourcetree be saving this passphrase, so I am not prompted every time I wish to use Sourcetree?
2) If so, how?

Pageant keeps the decrypted key in memory only. It does not save the passphrase or the decrypted key anywhere.
Saving the passphrase would be almost as insecure as saving the key unencrypted. While it would be a solution for you, it's really not recommended!
Quote from the Security considerations section of the Pageant documentation:
Using Pageant for public-key authentication gives you the convenience of being able to open multiple SSH sessions without having to type a passphrase every time, but also gives you the security benefit of never storing a decrypted private key on disk. Many people feel this is a good compromise between security and convenience.
It is a compromise, however. Holding your decrypted private keys in Pageant is better than storing them in easy-to-find disk files, but still less secure than not storing them anywhere at all.

How to add a second SSH key?

I already have an SSH key; I use it with GitHub, but they have provided me with another one to enter a server on AWS, a RedHat 7.
It was actually a .ppk to use with PuTTY, but with the generator I converted it to an SSH key.
I have added it and it worked correctly; the problem is that every time I want to use it I have to add it again, and I don't know why it is forgotten.
Thank you very much.
I have to add it again
It depends on what you mean by "add it".
If it is ssh-add, you only need to do that when the private key is passphrase protected.
If it is "adding to the remote server ~/.ssh/authorized_keys", you only need to do that once, with the public key associated to/derived from the private key.

Passworded ssh key suddenly does *not* require that I type the password

I use console2 in combination with git bash in order to interact with my local git repositories and by extension several github and bitbucket repositories also.
I use an ssh key pair to authenticate myself to these services; however, my ssh key pair has an associated password.
This morning I found that I was no longer required to enter this password on my laptop in order to complete the authentication process.
I did some testing and it seems that the same key present on my desktop machine still requires me to enter my password.
So my question is: why am I no longer required to enter my password on my laptop in order to authenticate with these servers?
Sounds like you have ssh-agent (ssh-agent.exe) running.
It is a small utility which allows you to enter your key's passphrase once and it then holds it "unlocked" for further use without you needing to re-enter the passphrase each time. Killing it will cause the original behaviour.
ssh-agent comes along with ssh in a standard msysgit installation. I'm not sure if something's changed that now means it's used by default or not though. Another explanation as to why it's running might be if you've installed posh-git and ran a Powershell session. By default (I believe - it's been a while), it'll run at the start of the session and ask for your key's passphrase. I use it every single day with this configuration as my passphrase is quite long... :-)
Something to do with having git-credential-winstore installed on your laptop?

Private key security in windows certificate store

When I import a public/private pair into windows certificate store, Windows does not require any password of any kind to encrypt the keys.
From that I conclude that if it is a user's store, it uses the user's password (or probably the user's hashed password) to encrypt the private key, and, if it is the local machine store, it is probably some kind of hardware-based key to encrypt the private key.
Did I get it right?
And if I did, what is the point of non-exportable keys if I can decrypt the keys?
And last question: if I got it right up to here, what are the alternatives?
As "SLanks" link explains, the private keys are encrypted with the user's password or the machine's password (depending on the location of the keys in the store).
Therefore, anyone who can log on to the machine can obtain this user's keys, and anyone who has access to the machine can obtain keys stored for the local machine.

Windows credential roaming - how are password protected keys sent to the AD server?

I'm trying to figure out how Windows credential roaming is implemented. I have found that it will roam certs that have been strongly protected with a password (optional entropy to CryptProtectData()).
I can't see how this could be done unless Windows keeps a copy of the password somewhere when the cert is imported. Copying the files in %APPDATA%/Crypto/RSA{UserSID} to another machine would not work as the keys are encrypted with the user's DPAPI master key and optionally a password.
Other than using ProcMon, I have no idea what else to try or look at in order to figure this out. Any pointers to help figure this out would be much appreciated!
CryptProtectData does a little something more that makes the whole thing possible.
DPAPI will generate a key for encryption. The DPAPI key will then be encrypted with another key derived from your password.
What is sent in credential roaming is the DPAPI key, not your password.
It is the same thing that also allows DPAPI to keep working (locally) when you change your password. Otherwise, Windows would have to track DPAPI-encrypted blobs stored everywhere (files, registry keys, etc.) to re-encrypt them to the new password-derived key. There is an infinite number of applications, making it impossible.
Instead, the key is in one well-known and well-hidden location, never seen by the user. Windows can easily re-encrypt the DPAPI key with the new password, shielding applications using it from password changes.
The same mechanism is also used by credential roaming to stay independent of the user's password.
This website has code to extract the SYSTEM account's DPAPI key, and some information about the structure; it might help you with debugging.
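The password-independence this answer describes, shown as an added illustration that is not part of the original thread and does not reproduce DPAPI's real file format: a random master key protects the data blobs, the master key itself is wrapped under a password-derived key, and a password change re-wraps only the master key while every blob stays readable. The HMAC-counter stream cipher is an assumed stand-in for the real block cipher so the example runs with the standard library alone.

```python
import hashlib
import hmac
import secrets

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption: stand-in for AES): HMAC-SHA256 counter keystream XOR data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def password_key(password: str, salt: bytes) -> bytes:
    """Derive the key that wraps the master key from the logon password (never stored)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def wrap_master_key(master_key: bytes, password: str) -> dict:
    """Encrypt-then-MAC the master key under the password-derived key; this is the only password-bound object."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    pk = password_key(password, salt)
    ct = _keystream_xor(pk, nonce, master_key)
    tag = hmac.new(pk, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unwrap_master_key(wrapped: dict, password: str) -> bytes:
    pk = password_key(password, wrapped["salt"])
    expected = hmac.new(pk, wrapped["nonce"] + wrapped["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, wrapped["tag"]):
        raise ValueError("wrong password or tampered master-key record")
    return _keystream_xor(pk, wrapped["nonce"], wrapped["ct"])

def protect_data(master_key: bytes, plaintext: bytes) -> bytes:
    """Application blob: nonce || tag || ciphertext, bound to the master key, not to the password."""
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(master_key, nonce, plaintext)
    return nonce + hmac.new(master_key, nonce + ct, hashlib.sha256).digest() + ct

def unprotect_data(master_key: bytes, blob: bytes) -> bytes:
    nonce, tag, ct = blob[:12], blob[12:44], blob[44:]
    if not hmac.compare_digest(hmac.new(master_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("blob tampered or wrong master key")
    return _keystream_xor(master_key, nonce, ct)

def change_password(wrapped: dict, old_password: str, new_password: str) -> dict:
    """Password rotation touches only the wrapped master key; no blob is rewritten."""
    return wrap_master_key(unwrap_master_key(wrapped, old_password), new_password)

def demo() -> bytes:
    master = secrets.token_bytes(32)                       # constructed master key
    wrapped = wrap_master_key(master, "old-logon-password")
    blob = protect_data(master, b"constructed secret")     # written before the password change
    rewrapped = change_password(wrapped, "old-logon-password", "new-logon-password")
    return unprotect_data(unwrap_master_key(rewrapped, "new-logon-password"), blob)
```

What roams or gets re-encrypted is the small wrapped record, which is why the password itself never has to leave the machine.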

Automating terminal login with DSA key

How would I go about doing this on the terminal?
sftp then asks me for a password. How do I include my DSA key so that I do not have to use the password?
As sftp uses the SSH protocol for communication, you may generate a private/public key pair using ssh-keygen (read everything there!). Then read this HOWTO about how to transfer your key to the remote server. If you need more, read the more detailed description of OpenSSH Public Key Authentication.
If you set up your key correctly, and the remote SSH server is configured to use key authentication, you will be granted access without an additional password.
If you have ssh-agent running, holding the key to the site, it will handle authentication for you.