
Secure Shell (SSH) allows you to remotely administer and configure your Windows IoT Core device

Using the Windows 10 OpenSSH client

Important

The Windows OpenSSH client requires that the host OS of your SSH client is Windows 10 version 1803 (build 17134). Also, the Windows 10 IoT Core device must be running the RS5 Windows Insider Preview release 17723 or greater.

The OpenSSH Client was added to Windows 10 in 1803 (build 17134) as an optional feature. To install the client, search for Manage Optional Features in Windows 10 Settings. If OpenSSH Client is not among the installed features, choose Add a feature.

Next select OpenSSH Client in the list and click Install.

To log in with a username and password, use the following command:

Where host is either the IP address of the Windows IoT Core device or the device name.

The first time you connect you see a message like the following:

Type yes and press enter.

If you need to log in as DefaultAccount rather than as administrator, you will need to generate a key and use the key to log in. From the desktop that you intend to connect to your IoT device from, open a PowerShell window and change to your personal data folder (e.g. cd ~).

Register the key with ssh-agent (optional, for a single sign-on experience). Note that ssh-add must be run from a folder that is ACL'd to you as the signed-in user (BuiltinAdministrators and the NT_AUTHORITY\System user are also OK). By default, cd ~ from PowerShell should be sufficient, as shown below.


Tip

If you receive a message that the ssh-agent service is disabled, you can enable it with sc.exe config ssh-agent start= auto (sc.exe requires the space after the equals sign).

To enable single sign-on, append the public key to the authorized_keys file on the Windows IoT Core device. Or, if you only have one key, copy the public key file to the remote authorized_keys file.

If the key is not registered with ssh-agent, it must be specified on the command line to log in:

If the private key is registered with ssh-agent, then you only need to specify DefaultAccount@host:

The first time you connect you see a message like the following:

Type yes and press enter.

You should now be connected as DefaultAccount.

To use single sign-on with the administrator account, append your public key to C:\Data\ProgramData\ssh\administrators_authorized_keys on the Windows IoT Core device.

You will also need to set the ACL for administrators_authorized_keys to match the ACL of ssh_host_dsa_key in the same directory.
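A frequent cause of a failed key login is a badly formed authorized_keys entry: a PuTTY-exported RFC4716 block, a private key pasted by mistake, or a blob whose declared type does not match its contents. The following Python script is an added example (not part of the original documentation) that checks a line is a one-line OpenSSH public key before appending it, and skips keys that are already present. It writes to a scratch file in demo(); on the device you would point it at the authorized_keys or administrators_authorized_keys path given above and still set the ACL as described. The sample key line is constructed (32 zero bytes stand in for the ed25519 public key).

```python
"""Append a public key to an authorized_keys file with format checks.

Added example, not from the original documentation. It accepts only the
one-line OpenSSH format ([options] type base64-blob [comment]), checks that
the base64 blob actually encodes the declared key type, and does not add a
key that is already present. The sample key line is constructed (32 zero
bytes stand in for the ed25519 public key).
"""
import base64
import struct
import tempfile
from pathlib import Path

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


def parse_public_key_line(line: str):
    """Return (options, key_type, blob_b64, comment) or raise ValueError."""
    line = line.strip()
    if line.startswith("----"):
        # PEM private keys and RFC4716 ("SSH2"/PuTTY export) public keys both start
        # this way; neither belongs in authorized_keys (ssh-keygen -i -f FILE converts RFC4716).
        raise ValueError("not a one-line OpenSSH public key")
    fields = line.split()
    types_at = [i for i, f in enumerate(fields) if f in KEY_TYPES]
    if not types_at:
        raise ValueError("no recognised key type in line")
    i = types_at[0]
    options = " ".join(fields[:i]) or None      # e.g. from="10.0.0.0/8",no-pty
    if len(fields) < i + 2:
        raise ValueError("missing base64 key blob")
    key_type, blob_b64, comment = fields[i], fields[i + 1], " ".join(fields[i + 2:])
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:
        raise ValueError("key blob is not valid base64") from None
    # The wire blob begins with its own type name as an SSH string; it must match.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack_from(">I", blob, 0)
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("blob does not encode a %s key" % key_type)
    return options, key_type, blob_b64, comment


def is_valid_public_key_line(line: str) -> bool:
    try:
        parse_public_key_line(line)
        return True
    except ValueError:
        return False


def append_authorized_key(path, line: str) -> bool:
    """Add the key to path; returns False (file untouched) if the same key is already there."""
    _, key_type, blob_b64, _ = parse_public_key_line(line)
    p = Path(path)
    text = p.read_text() if p.exists() else ""
    for old in text.splitlines():
        if not is_valid_public_key_line(old):
            continue                            # blank lines and comments are left alone
        _, t, b, _ = parse_public_key_line(old)
        if (t, b) == (key_type, blob_b64):
            return False                        # same key, even if options/comment differ
    with p.open("a", newline="\n") as f:
        if text and not text.endswith("\n"):
            f.write("\n")                       # never glue onto an unterminated last line
        f.write(line.strip() + "\n")
    return True


# Constructed sample key line (NOT a real key): 32 zero bytes stand in for the public key.
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(_BLOB).decode("ascii") + " alice@laptop"


def demo():
    """Append the sample key twice to a scratch file; returns (added, added again, line count)."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "authorized_keys"
        first = append_authorized_key(path, SAMPLE_LINE)
        second = append_authorized_key(path, 'from="10.0.0.0/8" ' + SAMPLE_LINE)
        return first, second, len(path.read_text().splitlines())


if __name__ == "__main__":
    print(demo())
```

The duplicate check compares only key type and blob, so re-running the script with a different comment or option string does not create a second entry for the same key; if you want to change the options on an existing key, edit the line rather than appending.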

To set the ACL using PowerShell

Note

If you see a REMOTE HOST IDENTIFICATION CHANGED message after making changes to the Windows 10 IoT Core device, edit C:\Users\<username>\.ssh\known_hosts and remove the entry for the host that has changed (ssh-keygen -R host does the same from the command line).

See also: Win32-OpenSSH

Using PuTTY

Download an SSH client

In order to connect to your device using SSH, you'll first need to download an SSH client, such as PuTTY.

Connect to your device

  • In order to connect to your device, you need to first get the IP address of the device. After booting your Windows IoT Core device, an IP address will be shown on the screen attached to the device:

  • Now launch PuTTY and enter the IP address in the Host Name text box and make sure the SSH radio button is selected. Then click Open.

  • If you're connecting to your device for the first time from your computer, you may see the following security alert. Just click Yes to continue.

  • If the connection was successful, you should see login as: on the screen, prompting you to log in.
    Enter Administrator and press Enter. Then enter the default password p@ssw0rd and press Enter.

    If you logged in successfully, you should see something like this:

Update account password

It is highly recommended that you update the default password for the Administrator account.

To do this, enter the following command in the PuTTY console, replacing [new password] with a strong password:

Configure your Windows IoT Core device

  • To be able to deploy applications from Visual Studio 2017, you will need to make sure the Visual Studio Remote Debugger is running on your Windows IoT Core device. The remote debugger should launch automatically at machine boot time. To double check, use the tlist command to list all the running processes from PowerShell. There should be two instances of msvsmon.exe running on the device.

  • It is possible for the Visual Studio Remote Debugger to time out after long periods of inactivity. If Visual Studio cannot connect to your Windows IoT Core device, try rebooting the device.

  • If you want, you can also rename your device. To change the 'computer name', use the setcomputername utility:

You will need to reboot the device for the change to take effect. You can use the shutdown command as follows:

Commonly used utilities

See the Command Line Utils page for a list of commands and utilities you can use with SSH.

Introduction

The SSH agent is a central part of OpenSSH. In this post, I’ll explain what the agent is, how to use it, and how it works to keep your keys safe. I’ll also describe agent forwarding and how it works. I’ll help you reduce your risk when using agent forwarding, and I’ll share an alternative to agent forwarding that you can use when accessing your internal hosts through bastions.

What is the SSH agent?

ssh-agent is a key manager for SSH. It holds your keys and certificates in memory, unencrypted, and ready for use by ssh. It saves you from typing a passphrase every time you connect to a server. It runs in the background on your system, separately from ssh, and it usually starts up the first time you run ssh after a reboot.

The SSH agent keeps private keys safe because of what it doesn’t do:

  • It doesn’t write any key material to disk.
  • It doesn’t allow your private keys to be exported.

Private keys stored in the agent can only be used for one purpose: signing a message.

But if the agent can only sign messages, how does SSH encrypt and decrypt traffic?

When first learning about public and private SSH keys, it’s natural to assume that SSH uses these key pairs to encrypt and decrypt traffic. That’s what I thought. But it’s not the case. An SSH key pair is only used for authentication during the initial handshake.

For example, here’s how a user’s key is verified during the SSH handshake, from the server’s perspective:

  1. The client presents a public key to the server.
  2. The server generates and sends a brief, random message, asking the client to sign it using the private key.
  3. The client asks the SSH agent to sign the message and forwards the result back to the server.
  4. The server checks the signature using the client’s public key.
  5. The server now has proof that the client is in possession of their private key.

Later in the handshake process, a set of new, ephemeral and symmetric keys are generated and used to encrypt the SSH session traffic. These keys may not even last the entire session; a “rekey” event happens at regular intervals.

The agent protocol

SSH uses a Unix domain socket to talk to the agent via the SSH agent protocol. Most people use the ssh-agent that comes with OpenSSH, but there’s a variety of open-source alternatives.

The agent protocol is so simple that one could write a basic SSH agent in a day or two. It only has a few primary operations:

  • Add a regular key pair (public and decrypted private keys)
  • Add a constrained key pair (public and decrypted private keys)
  • Add a key (regular or constrained) from a smart card (public key only)
  • Remove a key
  • List keys stored in the agent
  • Sign a message with a key stored in the agent
  • Lock or unlock the entire agent with a passphrase
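To make the handshake steps and the agent operations above concrete, here is a small Python encoder/decoder for the agent protocol. It is an added example, not code from the post; the message numbers, constraint types and framing follow the published agent protocol draft (draft-miller-ssh-agent). The identities answer and sign response it parses are constructed by hand (zero bytes stand in for an ed25519 public key and signature) so the codec runs without a live agent. list_live_agent_keys() is the only part that touches a real agent, through $SSH_AUTH_SOCK, and returns an empty list when that variable is unset.

```python
"""Encoder/decoder for the core SSH agent protocol messages.

Added example, not code from the original post. Message numbers, constraint
types and framing follow draft-miller-ssh-agent; the sample identities answer
and signature below are constructed so everything runs without a live agent.
"""
import os
import socket
import struct

# Client -> agent requests (the operations listed above)
SSH_AGENTC_REQUEST_IDENTITIES = 11   # list keys
SSH_AGENTC_SIGN_REQUEST = 13         # sign a message
SSH_AGENTC_ADD_IDENTITY = 17         # add a regular key pair
SSH_AGENTC_REMOVE_IDENTITY = 18      # remove a key
SSH_AGENTC_LOCK, SSH_AGENTC_UNLOCK = 22, 23
SSH_AGENTC_ADD_ID_CONSTRAINED = 25   # add a constrained key pair
# Agent -> client replies
SSH_AGENT_FAILURE, SSH_AGENT_SUCCESS = 5, 6
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENT_SIGN_RESPONSE = 14
# Constraints that may follow ADD_ID_CONSTRAINED: what makes a key "constrained"
SSH_AGENT_CONSTRAIN_LIFETIME = 1     # uint32 seconds follows
SSH_AGENT_CONSTRAIN_CONFIRM = 2      # ask the user before every signature


def ssh_string(b: bytes) -> bytes:
    """SSH 'string' wire type: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def frame(payload: bytes) -> bytes:
    """Each message on the agent socket is itself length-prefixed."""
    return struct.pack(">I", len(payload)) + payload

class Reader:
    """Cursor for pulling wire types back out of a payload."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def byte(self) -> int:
        self.pos += 1
        return self.data[self.pos - 1]
    def uint32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v
    def string(self) -> bytes:
        n = self.uint32()
        s = self.data[self.pos:self.pos + n]
        if len(s) != n:
            raise ValueError("truncated string field")
        self.pos += n
        return s

def build_request_identities() -> bytes:
    return frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))

def build_sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """Handshake step 3: ask the agent to sign the server's challenge with this key."""
    return frame(bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
                 + ssh_string(data) + struct.pack(">I", flags))

def build_lock(passphrase: bytes) -> bytes:
    """What 'ssh-add -x' sends; UNLOCK carries the same passphrase."""
    return frame(bytes([SSH_AGENTC_LOCK]) + ssh_string(passphrase))

def parse_identities_answer(payload: bytes):
    """Return (key type, public key blob, comment) for every key the agent holds."""
    r = Reader(payload)
    if r.byte() != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    keys = []
    for _ in range(r.uint32()):
        blob, comment = r.string(), r.string().decode("utf-8", "replace")
        key_type = Reader(blob).string().decode("ascii")   # a blob starts with its type name
        keys.append((key_type, blob, comment))
    return keys

def parse_sign_response(payload: bytes):
    """Return (signature algorithm, raw signature); a FAILURE byte means the agent refused."""
    r = Reader(payload)
    if r.byte() != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("agent refused to sign (locked, key missing or confirmation denied)")
    sig = Reader(r.string())           # the signature is itself 'string type, string bytes'
    return sig.string().decode("ascii"), sig.string()

def list_live_agent_keys(sock_path=None):
    """Ask a real agent over $SSH_AUTH_SOCK for its keys; [] when no agent is configured."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        return []
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request_identities())
        f = s.makefile("rb")
        (length,) = struct.unpack(">I", f.read(4))
        return parse_identities_answer(f.read(length))

# Constructed samples, not real key material: one ed25519 key (32 zero bytes stand in
# for the public key) and a sign response (64 zero bytes stand in for the signature).
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                 + ssh_string(SAMPLE_BLOB) + ssh_string(b"alice@laptop"))
SAMPLE_SIGNATURE = bytes([SSH_AGENT_SIGN_RESPONSE]) + ssh_string(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(64)))

if __name__ == "__main__":
    print(parse_identities_answer(SAMPLE_ANSWER)[0][::2])   # key type and comment
    try:
        print(list_live_agent_keys() or "no live agent reachable")
    except OSError as e:
        print("agent socket error:", e)
```

Note what is absent from the message set: there is no request that returns a private key. A client, local or forwarded, can only ask for the public halves and for signatures, which is exactly why the lock operation (and the confirm constraint) matter when the socket is exposed to another host.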

🤔 What’s a constrained key? It’s usually a key that either has a limited lifetime or one that demands explicit user confirmation when it is used.

The ssh-add command is your gateway to the SSH agent. It performs all of these operations except for signing. When you run ssh-add without any parameters, it will scan your home directory for some standard keys and add them to your agent. By default, it looks for:

  • ~/.ssh/id_rsa
  • ~/.ssh/id_ed25519
  • ~/.ssh/id_dsa
  • ~/.ssh/id_ecdsa

Once you add keys to the keychain, they will be used automatically by ssh.


ssh-agent and the macOS Keychain

The ssh-agent that ships with macOS can store the passphrase for keys in the macOS Keychain, which makes it even easier to re-add keys to the agent after a reboot. Depending on your Keychain settings, you still may need to unlock the keychain after a reboot. To store key passphrases in the Keychain, run ssh-add -K [key filename]. Passphrases are usually stored in the “Local Items” keychain. ssh-agent will use these stored passphrases automatically as needed.

What is agent forwarding?

SSH’s agent forwarding feature allows your local SSH agent to reach through an existing SSH connection and transparently authenticate on a more distant server. For example, say you SSH into an EC2 instance, and you want to clone a private GitHub repository from there. Without agent forwarding, you’d have to store a copy of your GitHub private key on the EC2 host. With agent forwarding, the SSH client on EC2 can use the keys on your local computer to authenticate to GitHub.

How agent forwarding works

First, a little background. SSH connections can have multiple channels. Here’s a common example: an interactive connection to a bastion host (jump box) runs on one channel. When agent forwarding is enabled for a connection (usually using ssh -A), a second channel is opened up in the background to forward any agent requests back to your local machine.

From ssh's perspective, there is no difference between a remote and a local ssh-agent. SSH always looks at the $SSH_AUTH_SOCK environment variable to find the Unix domain socket for the agent. When you connect to a remote host with agent forwarding enabled, SSHD will create a remote Unix domain socket linked to the agent forwarding channel, and export an $SSH_AUTH_SOCK pointing to it.

Agent forwarding comes with a risk

When you forward ssh-agent's Unix domain socket to a remote host, it creates a security risk: anyone with root access on the remote host can discreetly access your local SSH agent through the socket. They can use your keys to impersonate you on other machines on the network.

Here’s an example of how that might look:

How to reduce your risk when agent forwarding

Here are a few ways to make agent forwarding safer:

  • Don’t turn on ForwardAgent by default.

    Many guides on agent forwarding will suggest turning on ForwardAgent using the following configuration:

    We suggest not doing that. Instead, only use agent forwarding in circumstances where you need it. ssh -A turns on agent forwarding for a single session.

  • Lock your ssh agent when you use agent forwarding. ssh-add -x locks the agent with a password, and ssh-add -X unlocks it. When you’re connected to a remote host with agent forwarding, no one will be able to snake their way into your agent without the password.

  • Or use an alternative SSH agent that prompts you when it’s being used. Sekey uses Touch ID on macOS to store keys in the MacBook Pro’s Secure Enclave.

  • Or don’t use agent forwarding at all. If you’re trying to access internal hosts through a bastion, ProxyJump is a much safer alternative for this use case. (see below)

Use ProxyJump: a safer alternative

When you want to go through a bastion host (jumpbox), you really don’t need agent forwarding. A better approach is to use the ProxyJump directive.

Instead of forwarding the agent through a separate channel, ProxyJump forwards the standard input and output of your local SSH client through the bastion and on to the remote host. Here’s how that works:

  1. Run ssh -J bastion.example.com cloud.computer.internal to connect to cloud.computer.internal via your bastion host, bastion.example.com. cloud.computer.internal is a hostname that can be resolved through DNS from bastion.example.com.
  2. Your SSH client uses keys from your agent to connect to bastion.example.com.
  3. Once connected, SSHD on the bastion connects to cloud.computer.internal and hands that connection off to your local SSH client.
  4. Your local SSH client runs through the handshake again, this time with cloud.computer.internal.

You can think of it as SSHing within an SSH session; except the ssh program never runs on the bastion. Instead, sshd connects to cloud.computer.internal and gives control of that connection (standard in and out) back to your local SSH, which then performs a second handshake.

Setting up ProxyJump

Let’s say my bastion host is bastion.example.com. I could set up my ~/.ssh/config file like this:

Then I just run ssh cloud.computer.internal to connect to an internal destination through the bastion—without agent forwarding.
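The advice above (no ForwardAgent in a catch-all Host block, ProxyJump for hosts behind the bastion) is easy to get subtly wrong because ssh_config uses the first value obtained for each keyword, so a ForwardAgent no under a specific Host block is silently ignored when Host * earlier in the file already says yes. The following Python script is an added example, not code from the post: a parser for the subset of ~/.ssh/config used here that resolves options the way ssh(1) does, reports whether a host would forward the agent, and lists the ProxyJump chain. RISKY_CONFIG and SAFER_CONFIG are constructed samples; bastion.example.com and cloud.computer.internal come from the post, the user name alice is assumed. Compare its output with ssh -G cloud.computer.internal, which prints the real client's resolved configuration.

```python
"""Resolve ~/.ssh/config the way ssh(1) does and audit agent forwarding.

Added example, not code from the original post. It implements the subset of
ssh_config needed here (Host blocks with glob patterns, first obtained value
wins, ProxyJump, ForwardAgent); Match blocks are parsed but never match.
Both configs below are constructed samples.
"""
import fnmatch
import re

RISKY_CONFIG = """\
# Constructed sample: the always-on ForwardAgent the post advises against.
Host *
    ForwardAgent yes

Host bastion
    HostName bastion.example.com
    User alice

# The 'no' below is silently ignored: 'Host *' above already set ForwardAgent.
Host *.computer.internal
    ProxyJump bastion
    ForwardAgent no
"""

SAFER_CONFIG = """\
# Constructed sample: reach internal hosts via ProxyJump, no agent forwarding.
Host bastion
    HostName bastion.example.com
    User alice

Host *.computer.internal
    ProxyJump bastion
"""


def parse_ssh_config(text: str):
    """Return [(patterns, [(keyword, value), ...]), ...] in file order."""
    blocks, patterns, options = [], ["*"], []      # options before any Host apply to all
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            blocks.append((patterns, options))
            patterns = value.split() if key == "host" else []   # Match: out of scope here
            options = []
        else:
            options.append((key, value))
    blocks.append((patterns, options))
    return blocks


def host_matches(host: str, patterns) -> bool:
    """Host semantics: some positive pattern matches and no negated (!) pattern does."""
    h = host.lower()
    hits = [fnmatch.fnmatchcase(h, p.lstrip("!").lower()) for p in patterns]
    positive = any(hit for hit, p in zip(hits, patterns) if not p.startswith("!"))
    negated = any(hit for hit, p in zip(hits, patterns) if p.startswith("!"))
    return positive and not negated


def resolve(blocks, host: str) -> dict:
    """Effective options for host: the FIRST value obtained for each keyword wins."""
    effective = {}
    for patterns, options in blocks:
        if host_matches(host, patterns):
            for key, value in options:
                effective.setdefault(key, value)
    return effective


def forwarding_enabled(blocks, host: str) -> bool:
    return resolve(blocks, host).get("forwardagent", "no").lower() == "yes"


def jump_chain(blocks, host: str, _seen=()):
    """Hops ssh would traverse to reach host, outermost first ([] for a direct connection)."""
    if host in _seen:
        raise ValueError("ProxyJump loop at " + host)
    chain = []
    for hop in resolve(blocks, host).get("proxyjump", "none").split(","):
        hop = hop.strip()
        if not hop or hop.lower() == "none":
            continue
        hop = hop.rsplit("@", 1)[-1].split(":")[0]       # strip user@ and :port
        chain += jump_chain(blocks, hop, _seen + (host,)) + [hop]   # a hop may itself jump
    return chain


def audit(blocks, hosts):
    """Per host: (forwards agent?, jump chain), the two things to check before typing ssh -A."""
    return {h: (forwarding_enabled(blocks, h), jump_chain(blocks, h)) for h in hosts}


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("safer", SAFER_CONFIG)):
        print(name, audit(parse_ssh_config(cfg), ["bastion", "cloud.computer.internal"]))
```

The audit of RISKY_CONFIG reports agent forwarding on for cloud.computer.internal despite the explicit no, which is the first-match rule at work; SAFER_CONFIG has no ForwardAgent line at all and reaches the internal host through the bastion hop, so a ProxyJump connection never exposes the agent socket on the bastion.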

If ProxyJump doesn’t work…

Older versions of SSH and SSHD (prior to 7.2, released in 2016) don’t support ProxyJump. But you can do an equivalent operation using ProxyCommand and netcat. Here’s an example:

The magic here is that SSH itself is the proxy you’re using for SSH. The nc %h %p part simply opens up a raw socket connection to cloud.computer.internal on port 22. The standard I/O of the parent ssh command is piped right into the ProxyCommand so that the parent ssh can authenticate to the internal host through the proxy connection.

Questions? Comments?

We love talking about all things SSH. Hit us up on Twitter if you have questions or feedback!
