I've come across some old info claiming that OpenSSH from Microsoft had stored SSH keys in the registry without encryption. That seemed alarming, but I haven't found any updates on how the security of OpenSSH has progressed since then. Right now, it's becoming a real issue for me because my VSCode isn't recognizing an alternative SSH implementation I've set up. Can anyone share what the current practices are regarding OpenSSH security? Have they resolved the previous issues?
3 Answers
I've heard that the keys aren't actually stored in the registry. They’re kept in the same way as they are on Unix systems—found in your user profile at ~\.ssh\id_rsa. Yes, they are unencrypted, like in Linux, but you can always use BitLocker to encrypt them if you want.
I wasn't aware of the specific issue you mentioned, but OpenSSH generally looks for keys in ~\.ssh. The real concern might be that Microsoft seems to lag in updates; I think the version included is only 9.5 right now.
I've always seen it use ~\.ssh since the beta days of Windows 10, never in the registry.
You might want to use the OpenSSH Authentication Agent (ssh-agent) on Windows to securely store your passwords or keys. It's a handy tool for managing SSH keys without exposing them.
Yeah, they were behind on beta releases too. It's improving, but if you can, try to get the latest beta version. The one that comes with Windows is really outdated and poses several security risks that are already mitigated on Linux. I feel like Microsoft might phase out OpenSSH from Windows altogether since they don't seem committed to keeping it up-to-date.
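The answers above make three points worth verifying on your own machine rather than taking on faith: keys live as files under ~\.ssh, the private key file's ACL must be restricted, and the ssh-agent service can hold the key instead of a tool reading it from disk each time. The script below is an added example written for this thread, not code posted by any of the answerers or shipped by Microsoft. It assumes the Windows OpenSSH client (ssh.exe, ssh-add.exe, the ssh-agent service) is installed, that your key is at $env:USERPROFILE\.ssh\id_rsa, and that the set of identities Windows OpenSSH tolerates on a private key is the file owner, SYSTEM and BUILTIN\Administrators; the remediation uses icacls, which is the documented way to tighten those permissions. Because it also lists every ssh.exe on PATH, it can show which implementation VS Code's Remote-SSH extension will pick up by default (the extension otherwise honours its remote.SSH.path setting).

```powershell
# Added example for this thread; not code from the original answers or from Microsoft.
# Checks where Windows OpenSSH actually keeps keys, whether the private key ACL is tight,
# which ssh.exe wins on PATH, and whether the ssh-agent service is usable.

$KeyPath = Join-Path $env:USERPROFILE '.ssh\id_rsa'   # assumption: default RSA key name

function Get-SshKeyAclProblems {
    # Returns the access-control entries on a private key that Windows OpenSSH would
    # reject ("Permissions ... are too open"). Allowed: owner, SYSTEM, Administrators.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "No private key at $Path (so nothing is in the registry, and nothing on disk either)"
    }
    $acl     = Get-Acl -LiteralPath $Path
    $allowed = @(
        $acl.Owner,
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators'
    )
    # Any ACE whose identity is not in the allowed set is a finding.
    return $acl.Access | Where-Object { $allowed -notcontains $_.IdentityReference.Value }
}

function Repair-SshKeyAcl {
    # Removes inherited ACEs (typically the ones granting "Users" read) and leaves a
    # single read grant for the current user. Mirrors the usual icacls fix.
    param([Parameter(Mandatory)][string]$Path)
    icacls.exe $Path /inheritance:r | Out-Null
    icacls.exe $Path /grant:r "$($env:USERNAME):(R)" | Out-Null
}

function Get-SshClients {
    # Every ssh.exe reachable on PATH, first entry is the one a plain "ssh" (and
    # VS Code's default) resolves to.
    Get-Command ssh -All -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.Source
                Version = (& $_.Source -V 2>&1) -join ' '   # ssh prints -V to stderr
            }
        }
}

function Test-SshAgent {
    # The Windows agent is a service named "ssh-agent"; it ships Disabled on many
    # builds, and changing the start type requires an elevated shell.
    $svc = Get-Service -Name ssh-agent -ErrorAction SilentlyContinue
    if (-not $svc) { return 'ssh-agent service not installed' }
    if ($svc.StartType -eq 'Disabled') {
        return 'ssh-agent is Disabled; run as admin: Set-Service ssh-agent -StartupType Manual'
    }
    if ($svc.Status -ne 'Running') { Start-Service -Name ssh-agent }
    return "ssh-agent $((Get-Service ssh-agent).Status)"
}

# ---- run the checks ------------------------------------------------------
Write-Host "Key file: $KeyPath"
$problems = Get-SshKeyAclProblems -Path $KeyPath
if ($problems) {
    Write-Host 'Private key ACL is too open for these identities:'
    $problems | ForEach-Object { Write-Host "  $($_.IdentityReference) : $($_.FileSystemRights)" }
    # Uncomment to apply the fix in place:
    # Repair-SshKeyAcl -Path $KeyPath
} else {
    Write-Host 'Private key ACL is restricted to owner/SYSTEM/Administrators.'
}

Write-Host 'ssh clients on PATH (first one wins):'
Get-SshClients | Format-Table -AutoSize

Write-Host (Test-SshAgent)
# Once the agent is running, load the key so tools use the agent instead of the file:
#   ssh-add $KeyPath
#   ssh-add -l      # lists the fingerprints the agent currently holds
```

If the ACL check reports BUILTIN\Users or Authenticated Users, that is the "too open" condition ssh.exe refuses, and it is also the realistic exposure on a shared machine: anyone who can log in locally can read the file. The PATH listing is the quickest answer to the alternative-implementation problem in the question; if the Windows OpenSSH ssh.exe appears before yours, VS Code will use it unless told otherwise.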