Skip to main content

SSH Agent

An SSH agent acts as a program that holds a set of private keys and provides a way to sign challenges with those keys, without ever letting the private keys leave the vault. These challenges can be sign-in requests for logging into a server and in newer SSH versions they can also be used to sign arbitrary data e.g. Git commits, but also regular files.

OS interface

On Unix-like systems (Mac, Linux, BSDs) the ssh-agent is provided via a Unix domain socket. The agent provides this socket and any application that wants to use the agent connects via this socket. This is done by getting the socket path from the SSH_AUTH_SOCK environment variable.

On Windows the agent is provided via a global named pipe at \\.\pipe\openssh-ssh-agent. Since only a single application can act as the pipe server, the OpenSSH agent service first needs to be disabled in Windows, after which the desktop app can start the agent listening on this pipe.

SSH agent Protocol

The ssh-agent protocol is specified as a spec however the desktop app only implements a subset of this protocol, specifically the sign and list operations. List operations are always allowed by default while sign operations require user verification.

Signing during login

When logging into a server the client and server first exchange the set of algorithms they support for key exchange and signing. The server has a host key which is saved locally. In contrast to TLS, we don't have central authorities proving the authenticity of a server; the first time connecting to a server the client will ask the user to verify the fingerprint of the server, saving it subsequently to the known_hosts file. In subsequent authentication requests the client will compare the fingerprint against the saved one, to prevent subsequent machine-in-the-middle attacks.

The client and server then agree on authentication methods that they can continue with e.g. public key, password. For public keys the client then offers the public keys to the server and the server will reply which keys it accepts. To prevent leaking the set of keys the client has they can additionally configure to offer specific keys to a specific server.

The SSH client then for all accepted keys, one by one, asks the agent to sign the login request for that specific key. This means that if a server accepts multiple keys the agent might be asked multiple times to provide UV with different keys. These might be detectable by parsing the login request to sign since it contains the user and server host key. The sign request does not contain the IP or hostname of the server but this could be inferred using the known_hosts file.

Only if public key authentication fails will it fall back to password.

Agent forwarding

Any clients can access the agent via the socket / pipe. Furthermore, SSH supports a feature called agent forwarding -- forwarding can be used to log into a remote server A and allow that server to access server B and authenticate to it without ever giving the keys to server A. While convenient care has to be taken, both about which servers the agent is forwarded to, but also to always require user verification for signing operations.

SSH signatures

The SSH agent can not only sign login requests but also arbitrary data. The format for these signature requests is specified at Protocol.sshsig. During a signature request the desktop app detects SSHSIG requests and parses the namespace, passing it on to the UI to present.

Verifying SSH client processes

In order to present details about which application is requesting access to the any SSH key, information about the connecting process is gathered. On *nix this works via the SO_PEERCRED socketopt; this provides the PID of the connecting process. On Windows, GetNamedPipeClientPRocessId is used.

Using the process ID further information about the process (process name, signature, application name, and application logo) can be acquired, but for now just the process name is used. Depending on the client application the process hierarchy might look different and the process connecting might be a one-time child process of the application that the user expects to connect.

When agent forwarding is used an EXTENSION command is sent to the client with the extension_name set to session-bind@openssh.com. This is detected and noted on the connection so that the clients can handle this appropriately.

Architecture in the desktop app

The desktop app provides an ssh-agent implementation that provides signing functionality to applications running on the system. Since the applications running on the system and remote applications when forwarding the agent are untrusted, the agent requires user verification for signing operations. In total, the SSH agent feature consists of multiple components:

  • Desktop Native: the agent itself, handling the socket / pipe and signing requests.
  • Desktop Native: a key store that holds the private keys and corresponding cipher IDs for the keys of the active and unlocked account.
  • Desktop Native and Electron: a communication layer that allows the native module to show UV prompts in the UI.
  • Desktop Electron: a UI component that shows the UV prompts and allows the user to accept or deny the signing request.

The key store is synced on an interval from the renderer process and receives the decrypted private keys from the vault ciphers. When locking / changing users the private keys of the keystore are wiped. When locking the public keys are kept so that listing still works -- this means that when locked after unlocking once the correct SSH key for a server can be chosen and a signing request made; this then prompts the user to unlock their vault in order to approve the request.