3.13 Private Shell Key Agent

Private Shell Key Agent is the special utility from the Private Shell package intended for simplification of the key management, support of the Cryptographic tokens and temporary storing the master password. It is automatically installed along with the main program.

The main advantages of Private Shell Key Agent:

• You do not have to enter your key password each time the key is used but only when you add this key to the agent.
• You do not have to enter your master password each time an operation with a saved password is required.
• You can authenticate with hardware devices like USB tokens, smart cards, etc. which brings more security.

If you want to use Key Agent, first of all you have to start it. Open the "Start" menu, "Programs" (or "All Programs" if you are a Windows-XP user), "Private Shell", "Private Shell Agent". You will see the next window:

User keys in SSH Key Agent:

The keys that are added to the Agent are listed here. Key Agent can perform operations with these keys only.

Add Key

Use this button to add a new key to the agent. When you press it the key selection dialog appears. Select the key you want and click the "OK" button.

Remove key

If you do not want Key Agent to be able to perform operations with a certain key, you can remove it from the agent with this button. Select the key you want from the list above and click this button. Note that the selected key is not deleted from the Private Shell database but only removed from the agent. You can add it again when you will need it.

Unload agent

Press this button to unload Key Agent from the memory (normally when you press the close button on the window title or Alt-F4 on your keyboard, Private Shell Key Agent is not closed but minimized into the system tray where you can find it if you need to add or remove a key). Please note that you must have Key Agent running if you want it to perform operations with the keys.

Master password

Private Shell uses the master password to encrypt passwords saved in profiles. Click this button to open the master password options dialog:


Master password status displays the current master password status (i.e. whether it is entered and held in the agent).

When master password is held in the agent, you can click the Clear button to remove it from the agent, or click the Change button to change it. In the latter case, you will be asked to enter the current master password first to ensure that you are authorized to change the master password.

Master password is saved in the agent... defines how long Key Agent will hold the master password. You can enter the desired time in minutes in the field below or check the Forever box to hold the master password without any time limit. Warning! It is not recommended to keep the master password in the Key Agent for a long time (and especially forever) because anyone having local access to your computer can try to steal it.

Cryptographic token manager

Click this button to open Private Shell Cryptographic token manager:


Library to work with token - this is the place where you should choose the library which will be used to work with your token. If you are unsure about the library name, click the Search for library... button. This will open the library search dialog. Otherwise, enter the library name in the "PKCS#11 (Cryptoki) .dll" field and click the Apply button.



If you decide to perform a search for the library, select the library from the list, click the Select button to close the dialog and click the Apply button in the previous dialog.

Cryptographic token - here you can select which cryptographic token Private Shell will use. You can logout from token by clicking the Logout button.

Keys in token. Keys that are located in the selected token are shown here.

Working with tokens

There are three ways you can use your token with Private Shell.

1. Key is generated inside the token. This is the most recommended way since private key never leaves the token and it provides the highest level of security. Please note that your token must support RSA keys and this must be an RSA key.

Click the Generate button to generate a new key right inside the token. During the key generation, you will be asked if you want to export the public part of the key into Private Shell. You should answer yes or export the public key yourself later.

2. Your token already contains one or more generated keys. In this case you should only export the public part of desired key into Private Shell. Click the Export public key button to export the public part of the selected key into Private Shell.

3. Key is generated in Private Shell and then is imported into token. This way is not recommended since it provides less security than the previous variants. But it is the only one acceptable if your token does not support RSA at all. Click the Import key... button to import existing key into token.

If your token supports RSA, the imported key becomes hardware protected by the token and only the public part of it can be exported later. In this case you should better generate a new key (please, look at the first case described above).

But if your token does not support RSA or you imported a non-RSA key in it, the token plays role of pin-code protected storage medium.

The Delete button will allow you to delete a key from token.

Please note that regardless of whether you generated a new key in the token or exported the existing one, you have to manually upload this key to the SSH server. Please read the Upload public key to the server topic.

Start automatically with Windows

If you check this box, Private Shell Key Agent will be started automatically with Windows. Note that the agent does not automatically start after the installation of Private Shell, you have to start it manually for the first time and check this box instead.

Note:

Private Shell Key Agent is very convenient when you use password protected keys with scp.exe, ssh.exe or with third-party programs like CVS because you do not have to enter your key password each time the operation with the key is requested but only when you add a key to the agent. Please remember that you have to add keys to the agent every time it is started nevertheless (i.e. after every reboot, etc). This is because of security reasons.