derivepassphrase.git

@@ -18,12 +18,14 @@

 ## Configuring `derivepassphrase vault` to use an SSH key

 Assuming the prerequisites are satisfied, ensure that the SSH agent is

-running, the SSH key is loaded into the agent, and the `SSH_AUTH_SOCK`

-environment variable is correctly set up.

+running, the SSH key is loaded into the agent, and, on UNIX systems,

+that the `SSH_AUTH_SOCK` environment variable is correctly set up.

 The exact commands depend on the SSH agent in use.

 === "OpenSSH"

+    === "on UNIX"

+

         ~~~~ console title="Typical setup commands: starting the agent and setting up SSH_AUTH_SOCK"

         $ eval `ssh-agent -s`

         Agent pid 12345

@@ -42,29 +44,95 @@ The exact commands depend on the SSH agent in use.

         (Your key filename and key comment will likely differ.)

+    === "on Windows"

+

+        ([Using OpenSSH on Windows is possible, but currently *not

+        recommended*; we recommend Pageant

+        instead.][OPENSSH_ON_WINDOWS_LIMITATIONS]

+        Pageant has priority over OpenSSH: if both are running,

+        `derivepassphrase vault` will connect to Pageant.)

+

+        The agent is started as a system service.

+        This only needs to be set up once.

+

+        <small>([Source: OpenSSH-on-Windows

+        documentation][OPENSSH_ON_WINDOWS_DOC].)</small>

+

+        ~~~~ pwsh-session title="Typical setup commands (PowerShell, as Administrator): starting the agent"

+        PS> Get-Service ssh-agent | Set-Service -StartupType Automatic

+        PS> Start-Service ssh-agent

+        ~~~~

+

+        Load the keys into the agent.

+        This only needs to be done once.

+        The agent stores the key material in a reusable, per-user

+        Windows security context.

+        Unlike on UNIX, the Windows port of OpenSSH does not support key

+        timeouts or key usage confirmation prompts.

+

+        ~~~~ pwsh-session title="Further setup commands (Powershell, as User): loading the key into the agent"

+        PS> ssh-add "C:\Users\YourUsernameHere\Documents\my-vault-ed25519-key"

+        Enter passphrase for C:\Users\YourUsernameHere\Documents\my-vault-ed25519-key:

+        Identity added: C:\Users\YourUsernameHere\Documents\my-vault-ed25519-key (vault key)

+        ~~~~

+

+        (Your key filename and key comment will likely differ.)

+

+        [OPENSSH_ON_WINDOWS_LIMITATIONS]: ../reference/prerequisites-ssh-key.md#agent-specific-notes

+        [OPENSSH_ON_WINDOWS_DOC]: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement#user-key-generation

+

 === "PuTTY"

+    === "on Windows"

+

+        Start Pageant; this adds the Pageant icon to the Windows task

+        bar.

+        Then add the key via the right-click context menu, "Add key" or

+        "Add key (encrypted)".

+

+        Adding the key via "Add key (encrypted)" makes the key material

+        manually "lockable" and "unlockable" by decrypting and

+        re-encrypting it, meaning that the key cannot be used by

+        malicious clients while encrypted.

+        This can be used to partially alleviate the lack of support for

+        the "key timeout" constraint.

+        The "Add key (encrypted)" mode is thus *recommended*.

+

+    === "on UNIX"

+

         ~~~~ console title="Typical setup commands: starting the agent and loading the key"

         $ eval `pageant -T ~/.ssh/my-vault-ed25519-key.ppk`

         Enter passphrase to load key 'vault key': 

         ~~~~

         (Your key filename and key comment will likely differ.

-    The agent should automatically shut down once this terminal session

-    is over.)

+        The agent should automatically shut down once this terminal

+        session is over.)

 === "GnuPG"

+    === "on UNIX"

+

         ~~~~ console title="Typical setup commands: enabling SSH agent support in GnuPG"

         $ # This is equivalent to passing --enable-ssh-support upon agent

         $ # startup.

         $ echo enable-ssh-support:0:1 | gpgconf --change-options gpg-agent

         ~~~~

+    === "on Windows"

+

+        ~~~~ pwsh-session title="Typical setup commands (PowerShell): enabling SSH agent support in GnuPG"

+        PS> # This is equivalent to passing --enable-ssh-support upon agent

+        PS> # startup.

+        PS> echo enable-ssh-support:0:1 | gpgconf --change-options gpg-agent

+        ~~~~

+

     (Loading native SSH keys into `gpg-agent` requires a separate SSH

     agent client such as OpenSSH; see the [agent-specific notes in the

     prerequisites][PREREQ_AGENT_SPECIFIC_NOTES].)

+    === "on UNIX"

+

         ~~~~ console title="Typical setup commands: loading the key into the agent with the OpenSSH tools"

         $ ssh-add -c ~/.ssh/my-vault-ed25519-key

         Enter passphrase for /home/user/.ssh/my-vault-ed25519-key (will confirm each use): 

@@ -72,6 +140,15 @@ The exact commands depend on the SSH agent in use.

         The user must confirm each use of the key

         ~~~~

+    === "on Windows"

+

+        ~~~~ console title="Typical setup commands (PowerShell): loading the key into the agent with the OpenSSH tools"

+        $ ssh-add "C:\Users\YourUsernameHere\Documents\my-vault-ed25519-key"

+        Enter passphrase for C:\Users\YourUsernameHere\Documents\my-vault-ed25519-key (will confirm each use): 

+        Identity added: C:\Users\YourUsernameHere\Documents\my-vault-ed25519-key (vault key)

+        The user must confirm each use of the key

+        ~~~~

+

     (Your key filename and key comment may differ.)

 Next, configure `derivepassphrase vault` to use the loaded SSH key.

@@ -10,27 +10,57 @@ Using `derivepassphrase vault` with an SSH key requires:

 ### A running SSH agent { #ssh-agent }

 SSH agents are usually packaged as part of SSH client distributions.

-`ssh-agent` from [OpenSSH][] and Pageant from [PuTTY][] are known to

-work.

+Pageant from [PuTTY][] is known to work, on both UNIX and Windows.

+`ssh-agent` from [OpenSSH][] is known to work well on UNIX, and

+somewhat poorly on Windows; see notes below.

 `gpg-agent` (v2) from [GnuPG][] is also known to work, but comes with

-caveats; see notes below.

+caveats; again, see notes below.

-If in doubt, we recommend OpenSSH because it is the <i>de-facto</i>

-canonical SSH agent implementation.

+If in doubt, we recommend OpenSSH on UNIX and Pageant on Windows,

+because they are the <i>de-facto</i> canonical SSH agent implementation

+on their respective operating system.

 !!! note "Agent-specific features"

     * OpenSSH's `ssh-agent` supports limiting the time the agent holds

-      the key in memory ("key lifetime").

+      the key in memory ("key lifetime"), on UNIX only.

       We recommend its usage.

     * `ssh-agent` and GnuPG's `gpg-agent` support requiring confirmation

       upon each use for a specific key.

+      (Again, for `ssh-agent` only on UNIX.)

       We recommend its usage as well.

 <section markdown id=agent-specific-notes>

 !!! note "Other agent-specific notes"

+    === "OpenSSH on Windows"

+

+        Using OpenSSH on Windows with `derivepassphrase vault` is

+        possible, but currently *not recommended*.

+        [The Windows port of OpenSSH lacks support for key constraints

+        [1]][OPENSSH_ON_WINDOWS_NO_KEY_CONSTRAINTS_1]

+        [[2]][OPENSSH_ON_WINDOWS_NO_KEY_CONSTRAINTS_2], which are the

+        main advantage OpenSSH had over Pageant.

+        Without this functionality, Pageant is the better choice: more

+        supported key formats, manually lockable and unlockable key

+        material in the agent, and no Administrator credentials needed

+        to configure the system.

+

+        Additionally, the ported SSH agent implements the agent

+        protocol incorrectly because it terminates the connection when

+        encountering an unsupported request, instead of returning an

+        error code.

+        (The original agent, on UNIX, implements the protocol

+        correctly.)

+        This makes it difficult for `derivepassphrase vault` to

+        correctly *detect* or *verify* that it is talking to the

+        OpenSSH agent on Windows, instead of merely *assuming* it is

+        doing so.

+

+        [OPENSSH_ON_WINDOWS_NO_KEY_CONSTRAINTS_1]: https://github.com/PowerShell/Win32-OpenSSH/issues/1056#issuecomment-362494167 "Issue #1056: ssh-agent should support '-c' and '-t' options of ssh-add"

+        [OPENSSH_ON_WINDOWS_NO_KEY_CONSTRAINTS_2]: https://github.com/PowerShell/Win32-OpenSSH/issues/2314#issuecomment-2529160589 'Issue #2314: Adding key with confirmation option to ssh-agent gives "agent refused operation"'

+

     === "GnuPG/`gpg-agent`"

         * `gpg-agent` v2.0 and later uses a *persistent* database of

@@ -97,30 +127,23 @@ canonical SSH agent implementation.

                 configuration file instead of being manually supplied on

                 the command-line.)

-                [This mode, sadly, is not currently

-                supported.](#python-support)

+                This mode is untested.

+                We, the `derivepassphrase` authors, do not know how to

+                run `gpg-agent` on Windows with masquerading as OpenSSH

+                enabled: the steps outlined in the official

+                documentation for `gpg-agent` do not work as advertised.

+                [We have asked for clarification on GnuPG's developer

+                mailing list.][GPG_AGENT_ON_WINDOWS_WTF]

+

+                [GPG_AGENT_ON_WINDOWS_WTF]: https://lists.gnupg.org/pipermail/gnupg-devel/2025-December/036116.html

 </section>

 ### A Python installation that can talk to the SSH agent { #python-support }

-!!! bug "Windows is currently *not* supported"

-

-    <i>→ Bug entry:</i> [Support PuTTY/Pageant (and maybe

-    OpenSSH/`ssh-agent`) on Windows][BUG_WINDOWS_SSH_AGENT_SUPPORT]

-

-    The two major SSH agents on Windows (PuTTY/Pageant and OpenSSH) use

-    <i>Windows named pipes</i> for communication, and Python on Windows

-    does not inherently support named pipes.

-    Since no comprehensive third-party Python modules to interface with

-    named pipes appear to exist, teaching `derivepassphrase` to use

-    Windows named pipes requires us developers to write the code to

-    interface the Windows system libraries ourselves.

-    Development on this started after the release of version 0.5, but

-    since this is not our area of expertise, and because the pre-0.5

-    design hard-codes the UNIX style of looking up and connecting to an

-    SSH agent, development progress on this front has been much slower

-    than usual.

+As of version 0.6, Windows is supported.

+[Your Python installation must support interfacing with the Windows

+system DLLs.][ctypes.WinDLL]

 On non-Windows operating systems, the SSH agent is expected to advertise

 its communication socket via the `SSH_AUTH_SOCK` environment variable,