sshkey-grab

Wondering how create_rsa worked

james-huang opened this issue 9 years ago • 2 comments

Hi!

I accidentally deleted my ssh keys, and I figured I could try to recover them from my ssh-agent. I came across your script, and the output public key I get from a generated private key does not match the one I have on file on services like github.

I know anything along the line could have failed, but the code right under the comment # FIXME: This needs to be cleaned up. in the python file seems the most obscure to me. How did you determine the offsets?

Other maybe useful info: My size variable reading memory after "ssh-rsa" from bytes 10-12 is currently 769.

  • n size: 769
  • e size: 0
  • d size: 0
  • c size: 0
  • p size: 0
  • q size: 0

I also noticed that the private key n slot contains the correct n+e data, as I can verify that from my public key. Hmmmm

Also, I'm actually on a mac, so I've been using vmmap and lldb instead of /proc/ and gdb.

james-huang avatar Sep 05 '15 05:09 james-huang

I found the location of the n and e keys in memory with your python script, and figured that if the 7 values weren't in continuous memory then at least the pointers to the missing 5 values should be in a struct (continuous in memory). Couldn't find pointers to them in the ssh-agent stacks I dumped, and I crashed the process trying to dump larger portions of memory. https://gist.github.com/james-huang/54fcf39cba1a9d8b827b leaving this here for what it's worth.

james-huang avatar Sep 05 '15 06:09 james-huang

Thanks for the gist. The data is imported in ASN.1 format by ssh-add. The offsets are from that format. I believe that this data is freed, but not cleared, so I could see part of it being overwritten, depending on how long your agent has been running. It's been a while since I looked at the ssh-agent source code, so I don't remember exactly how it pulls the key into memory. This commit fixed the issue with the key staying in memory after being imported into the key chain.

soleblaze avatar Sep 08 '15 15:09 soleblaze
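To make the "offsets are from that format" remark concrete, here is an added illustration (not code from sshkey-grab or from either commenter) that walks a DER-encoded PKCS#1 RSAPrivateKey and reports where each INTEGER field (version, n, e, d, p, q, dp, dq, qinv) sits. The sample blob is constructed from toy integers purely to show the layout; a buffer that has been freed and partially overwritten would fail the tag checks, which is the symptom described above.

```python
# Added illustration: locate each INTEGER in a DER PKCS#1 RSAPrivateKey.
# Not code from sshkey-grab; the sample key below is a constructed toy
# (p=61, q=53), useful only for showing the ASN.1 layout.

FIELDS = ["version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"]

def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v):
    """DER INTEGER (tag 0x02): minimal big-endian two's complement."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps a 0x00 pad when MSB is set
    return b"\x02" + der_len(len(body)) + body

def read_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def rsa_private_key_offsets(buf):
    """Return {field: (value_offset, value_length, int_value)} for an RSAPrivateKey blob."""
    assert buf[0] == 0x30, "expected SEQUENCE at offset 0"
    total, i = read_len(buf, 1)
    end = i + total
    out = {}
    for name in FIELDS:
        assert buf[i] == 0x02, "expected INTEGER at offset %d" % i  # fails on overwritten data
        length, vstart = read_len(buf, i + 1)
        out[name] = (vstart, length, int.from_bytes(buf[vstart:vstart + length], "big"))
        i = vstart + length
    assert i == end, "trailing bytes after the last CRT field"
    return out

def sample_key():
    """Constructed toy RSAPrivateKey (p=61, q=53, e=17); values are tiny, for layout only."""
    p, q, e = 61, 53, 17
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    ints = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    body = b"".join(der_int(v) for v in ints)
    return b"\x30" + der_len(len(body)) + body
```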