How to stick ssh-agent locking to the windows login?

Is it somehow possible to automatically unlock my private keys for ssh authentication at Windows login and (un)lock them when (un)locking my session?

Currently I'm using msys' ssh-agent but could imagine using e.g. charade as a wrapper to PuTTY's pageant, too, if a better solution for that already exists.

Tobias Kienzler

Posted 2011-01-21T11:27:30.007

Reputation: 3 262

I just have a password-less key encrypted with EFS, which is transparent to ssh-agent, so the key can be loaded automatically while remaining secure. – user1686 – 2011-01-21T12:32:20.850

@grawity: thanks, that's even easier! If you post this as an answer I'll accept it. Edit: correction, I can't since my admin didn't set up EFS properly :( – Tobias Kienzler – 2011-01-21T12:49:46.890

On an Active Directory domain? (If you don't have a certificate, cipher /k should create a new one, although it'll be self-signed.) – user1686 – 2011-01-21T13:31:49.787

@grawity: thanks. I tried it, but nothing changed. I started a new question for this issue: Cannot encrypt files (using EFS) on a domain – Tobias Kienzler – 2011-01-21T14:11:29.520

Answers

Grawity just has a password-less key encrypted with EFS, which is transparent to ssh-agent, so the key can be loaded automatically while remaining secure. He also suggests the following for Active Directory: If you don't have a certificate, cipher /k should create a new one, although it'll be self-signed.

Tamara Wijsman

Posted 2011-01-21T11:27:30.007

Reputation: 54 163

It's basically a good idea, but as mentioned encrypting files does not work. cipher /k runs fine, but I still get "Recovery policy configured for this system contains invalid recovery certificate", but fixing that (see here) requires admin privileges... I guess I'll stick with hibernation or an unencrypted password-less key – Tobias Kienzler – 2011-08-26T08:09:31.360

@Tobias: What do you mean? You don't have admin privileges? You should use them or ask your system administrator to do it for you. If you don't have any way to access the administrator account, try to reinstall if it's your personal OS or stop trying if it's an enterprise OS. Perhaps consider using a Windows-based solution like Terminal Services... – Tamara Wijsman – 2011-08-26T14:10:32.490

It's at work and our admin (who won't give admin permissions to anyone) is busy enough maintaining our cluster compared to this just-for-convenience issue – Tobias Kienzler – 2011-08-26T14:15:42.273

You might be able to restore the state of the private keys being unlocked by hibernating the process in the state that the private keys are unlocked; then, every time you need it you could start the hibernated state you captured the first time. Technically, it could work...

If not, try setting a script up (AutoIt based, perhaps) to do the thing you would be doing manually.

Tamara Wijsman

Posted 2011-01-21T11:27:30.007

Reputation: 54 163

I don't like the idea of putting my password cleartext in a script, then I'd prefer a non-encrypted password-less key. But hibernation is a good idea, I could just hibernate windows instead of shutting it down which should keep the instance of ssh-agent.exe – Tobias Kienzler – 2011-08-26T08:01:20.017

@Tobias: The point is, what you are asking is essentially binding the lock of your SSH agent to your Windows Login; the only way you can do that is by Task Scheduler scripts for the log-in, lock and log-out events. You could make the script only readable by the user you've configured in the Task Manager and you could store the password in an encrypted way and decrypt it when you need it. The only thing left here is someone stealing your hard drive, but that's why EFS and TrueCrypt were invented. You either enter your password OR you get it done automatically by storing it somewhere... – Tamara Wijsman – 2011-08-26T14:09:09.450

That's true. I'll accept your/grawity's EFS answer, since that's the solution I would use if it worked. Actually I consider just using a non-encrypted key file (with exclusive permissions) since anyone capable of accessing the respective hard drive would be in the same room as the machine I ssh into anyway :-/ thanks for both your answers! – Tobias Kienzler – 2011-08-26T14:13:05.210
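The combination the thread converges on (a password-less key protected by EFS or NTFS permissions, plus Task Scheduler jobs bound to the logon, lock and unlock events) can be wired up without ever storing a passphrase in a script, as in this added example, which is not code from the thread or its participants. It assumes the Win32-OpenSSH `ssh-agent` service and `ssh-add.exe` on PATH (an msys or pageant agent would need its own socket or pipe made reachable to the task), and `$KeyPath` is a placeholder for your own key file.

```powershell
# Added example: forget all agent identities when the session locks, and
# reload the (EFS/ACL-protected, password-less) key on logon and on unlock.
# No secret is stored anywhere; the key file's encryption/ACL is the control.
$KeyPath = "$env:USERPROFILE\.ssh\id_rsa"      # placeholder: your own key file
$SshAdd  = 'ssh-add.exe'                       # assumes Win32-OpenSSH on PATH
$Me      = "$env:USERDOMAIN\$env:USERNAME"

# Session lock/unlock triggers are not exposed by New-ScheduledTaskTrigger,
# so build them from the Task Scheduler CIM class. StateChange values follow
# TASK_SESSION_STATE_CHANGE_TYPE: 7 = SessionLock, 8 = SessionUnlock.
$ns  = 'Root\Microsoft\Windows\TaskScheduler'
$cls = Get-CimClass -Namespace $ns -ClassName MSFT_TaskSessionStateChangeTrigger
function New-SessionTrigger([int]$StateChange) {
    New-CimInstance -CimClass $cls -ClientOnly -Property @{
        Enabled     = $true
        StateChange = $StateChange
        UserId      = $Me
    }
}

# Run in the interactive user's own session (the agent pipe is per-user).
$principal = New-ScheduledTaskPrincipal -UserId $Me -LogonType Interactive
$settings  = New-ScheduledTaskSettingsSet -Hidden

# On lock: remove every identity (ssh-add -D) so a locked workstation
# holds no usable authentication material in the agent.
$lockAction = New-ScheduledTaskAction -Execute $SshAdd -Argument '-D'
Register-ScheduledTask -TaskName 'ssh-agent: forget keys on lock' `
    -Action $lockAction -Trigger (New-SessionTrigger 7) `
    -Principal $principal -Settings $settings -Force

# On logon and on unlock: reload the key. Because the key has no
# passphrase, ssh-add needs no input; EFS/ACLs are what keep the file
# readable only by this account.
$loadAction   = New-ScheduledTaskAction -Execute $SshAdd -Argument "`"$KeyPath`""
$loadTriggers = @(
    (New-ScheduledTaskTrigger -AtLogOn -User $Me),
    (New-SessionTrigger 8)
)
Register-ScheduledTask -TaskName 'ssh-agent: load key on logon/unlock' `
    -Action $loadAction -Trigger $loadTriggers `
    -Principal $principal -Settings $settings -Force
```

Run it once from an elevated or regular PowerShell session as the user whose keys it should manage; afterwards `ssh-add -l` right after locking and unlocking the session should show the identity list empty and then repopulated.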