Starting / Using the SSH-Agent

I am quite new to the “SSH-topic”, maybe someone could give me some information I was not able to find by searching:

  1. To start the SSH-agent, I have to start the Bitwarden desktop app manually. For a simple connection to a server, this is just one additional step - i.e. this makes sense only if you connect regularly / often to many servers, right?
  2. The only difference then is that without Bitwarden, I have to type the (long) passphrase, while with Bitwarden I only have to type the Bitwarden Master-Password. However, according to several statements in the Internet, the passphrase is preferable in terms of security …
    Any comments are welcome, thanks!

This comes up more often with TOTP. The risk factor is primarily about how much you trust your device(s) to remain uncompromised and if a compromise would affect just one vault. There are two schools of thought:

  1. Keeping all your credentials in one vault increases convenience and therefore makes you more willing to use stronger credentials both to protect the vault and your logins.
  2. Separating credentials into multiple vaults decreases the impact if one of the vaults is compromised.

Both positions have their pros/cons and both are a pretty good choice. Only you can decide which one works best for you. The one thing everyone seems to agree with is that the two schools will not reach consensus.

Thanks for the explanation, but this was not exactly what I meant - maybe I was a bit short, I’ll give some more details:
I have been using Bitwarden for some time, a single vault, I just use the Browser plugin to connect to websites. Now I have to connect to a server via SSH, so I did some search in the Internet about security and learned:

  • Password authentication is bad, one should use keys. So I generated keys and switched password authentication off.
  • The key should be protected by a passphrase, which should comprise at least 5 words, special characters, numbers… I created this. Result: each time I log into my server via ssh I have to type a long passphrase, of course repeatedly because of typing errors etc.
  • I then read Bitwarden now supports SSH keys and hoped this would help and have imported the keys with passphrases to Bitwarden. But now:
    The Browser plugin does not help. The agent only runs when the desktop app is started (what I normally never do). So instead of connecting directly and typing my passphrase, I have to start Bitwarden, type my Bitwarden password and connect then. And additionally: the passphrase is stored in Bitwarden and protected by a normal password, so the additional security of the passphrase is lost. I could also directly define only a relatively short password for my key and login directly.
    Therefore I wonder whether I misunderstand the complete Bitwarden / SSH concept, or whether it is simply not useful in my case.

The idea with the agent is that you have the desktop app auto-start in the background. In the settings you can set the desktop app to start automatically on system start, and to start with the window hidden. Then, the agent is always available.

Ah yes, ok, completely forgot about this possibility. Thanks!

What do you mean by this? Is your Bitwarden vault password not strong (>50 bits of entropy)?

My Bitwarden password has 14 digits, letters, special characters, numbers. So I suppose sufficiently strong. Anyway, in the Internet I found the opinion that passphrases are even better, and when I create an SSH key, it offers to create a passphrase, not a password. So the question is why should I create a passphrase instead of a password, simply to replace it afterwards via Bitwarden again by a password.

Don’t blindly trust opinions found on the internet.

Comparing password (random character strings) and passphrases (random word sequences) can be like comparing apples and oranges. The relative strength of each depends on the number of characters and size of the character set (for passwords) or on the number of words and size of the dictionary (for passphrases).

Using Bitwarden’s password generator with settings that maximize complexity, a 14-character password would have an entropy (strength) of approximately 86 bits. For a passphrase to have comparable strength, it would need to contain 6–7 random words (corresponding to 76–90 bits of entropy). A 5-word passphrase (even with numbers and special characters added) will not be as strong as a random 14-character password.

The benefit of using passwords is that for a given strength (entropy), it is more compact (approximately 25% the length of a comparably strong passphrase). The benefit of using a passphrase is that for a given strength (entropy), it is easier to memorize and to manually type (and to communicate verbally).

Thus, you should generally use passphrases only when the secret has to be memorized or manually typed (or verbally communicated), and use random-string passwords for everything else. For this reason, it is recommended that your Bitwarden account password should be a random passphrase consisting of at least 4 words.

Furthermore, please note that the required length (number of characters or number of words) will depend on what type of hashing or KDF algorithm is used during the authorization/decryption process. Bitwarden vault passwords are generally considered sufficiently strong with only 50 bits of entropy, because Bitwarden’s authorization/decryption process uses a very slow KDF algorithm (which increases cracking resistance).
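The entropy figures in the reply above can be reproduced with a short calculation. The following is an added example, not code from the thread or from Bitwarden; it assumes a 70-symbol character set (an approximation of a generator with upper case, lower case, digits and special characters enabled) and a 7776-word dictionary (the size of the common diceware lists). The last function generalizes the KDF remark: it computes how many bits an attacker can exhaust in a given time at a given guess rate, which is why a slow KDF lowers the entropy a vault password needs.

```python
import math

# Constructed assumptions (not stated in the thread): symbol count of a
# "maximum complexity" generator and the size of a diceware-style wordlist.
CHARSET_SIZE = 70
WORDLIST_SIZE = 7776

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_entropy_bits(length, charset_size=CHARSET_SIZE):
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(words, wordlist_size=WORDLIST_SIZE):
    """Entropy of `words` words drawn uniformly from a wordlist.
    Appending a digit or symbol in a predictable spot adds only a few bits,
    so it is ignored here."""
    return words * math.log2(wordlist_size)


def words_to_match(target_bits, wordlist_size=WORDLIST_SIZE):
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def chars_to_match(target_bits, charset_size=CHARSET_SIZE):
    """Smallest random-string length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def bits_searchable(guesses_per_second, years):
    """Keyspace (in bits) an attacker can exhaust at a given guess rate.
    A secret with more bits than this survives that attacker for that long."""
    return math.log2(guesses_per_second * years * SECONDS_PER_YEAR)


def compare(password_len, passphrase_words):
    """Side-by-side summary for one password length and one word count."""
    pw_bits = password_entropy_bits(password_len)
    pp_bits = passphrase_entropy_bits(passphrase_words)
    return {
        "password_bits": round(pw_bits, 1),
        "passphrase_bits": round(pp_bits, 1),
        "words_to_match_password": words_to_match(pw_bits),
        "chars_to_match_passphrase": chars_to_match(pp_bits),
    }


if __name__ == "__main__":
    print(compare(14, 5))
    # Fast hash (e.g. a plain SHA-256 of the secret) vs. a slow KDF, both over
    # one century of continuous guessing on constructed hardware figures.
    print("fast hash, 1e10 guesses/s:", round(bits_searchable(1e10, 100), 1))
    print("slow KDF,  1e4 guesses/s:", round(bits_searchable(1e4, 100), 1))
```

The output shows the 14-character password at about 86 bits, the 5-word passphrase at about 65 bits, and 7 words needed to match the password. The two `bits_searchable` lines show the KDF effect: roughly 65 bits of keyspace are reachable in a century at ten billion guesses per second, but under 45 bits at ten thousand per second, which is why the 50-bit guideline for a vault protected by a slow KDF is not unreasonable.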

I’m not that familiar with SSH, so @Quexten (or somebody else) can correct me if I’m wrong. However, I think that the idea with Bitwarden’s SSH agent is that it directly [signs the authentication challenge with] provides* the SSH key when logging in to the server, no passphrase required. You could (should!) use a passphrase as the master password for your Bitwarden account, but once your Bitwarden app has been logged in and unlocked, then only the SSH key is used, not a second passphrase.


*Edited to correct the original inaccurate description of SSH authentication.

It is right from the user’s perspective, you only need an unlocked desktop client; on the technical level “provides the key” may be misleading to some. Just like passkeys, a challenge is signed. In Bitwarden’s case using ed25519. (Or if you imported a legacy RSA key, that can be used too). The private signing key never leaves the application. With passwords, a compromised server may listen to the password you give it, and use it to authenticate against other servers in case you re-used the password. With ssh keys, a compromised server can do nothing to steal and replay your authentication means.

when I create an SSH key, it offers to create a passphrase

This is only valid for keys generated and stored outside of Bitwarden. If you store a private key to disk, much like a Bitwarden vault, you want it protected. Openssh and pkcs8, two formats for storing private keys, internally use a KDF to apply some work to your password before decrypting the key. Upon entering it, when using the system's own ssh agent, the decrypted copy is stored in RAM of the ssh agent process, while your system is unlocked. Here the same rules about password strength apply that would for your master password.

Importing it to Bitwarden however, you enter your passphrase / password once, and the file's password protection is stripped. Your vault contains the unencrypted (with respect to Openssh / pkcs8) private key, but of course is encrypted by your vault’s encryption key. Now, only your master password (or other unlocking means, PIN, biometrics) are required.

1 Like
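The two posts above describe why key authentication resists a compromised server: the agent signs a fresh challenge, and the private key never leaves the agent. The following is an added example of that flow, not Bitwarden's code. It uses a Schnorr signature over a 64-bit safe-prime group generated at runtime, so it runs with only the standard library; Bitwarden's agent signs with ed25519 (or an imported RSA key) and real groups are far larger. The `Agent` and `Server` classes are hypothetical stand-ins for the agent process and a host's sshd; the "compromised server" step shows that a captured signature cannot be replayed against a second host because that host issues its own challenge.

```python
import hashlib
import secrets

# Toy Schnorr group: p = 2q + 1 is a safe prime, g generates the order-q
# subgroup. 64 bits is enough to show the mechanics and nothing more.


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with trial division by small primes first."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64):
    """Return (p, q, g) with p = 2q + 1 safe prime and g of order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            g = pow(secrets.randbelow(p - 3) + 2, 2, p)  # a square has order q
            if g != 1:
                return p, q, g


def _hash_to_int(r, challenge):
    """Fiat-Shamir hash binding the commitment r to this exact challenge."""
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + challenge).digest(), "big")


class Agent:
    """Holds the private key and only ever hands out signatures."""

    def __init__(self, group):
        self.p, self.q, self.g = group
        self._x = secrets.randbelow(self.q - 1) + 1  # never leaves this object
        self.public_key = pow(self.g, self._x, self.p)  # what goes in authorized_keys

    def sign(self, challenge):
        k = secrets.randbelow(self.q - 1) + 1
        r = pow(self.g, k, self.p)
        e = _hash_to_int(r, challenge) % self.q
        s = (k - self._x * e) % self.q
        return e, s


def verify(group, public_key, challenge, sig):
    """Server-side check: recompute r from (e, s) and re-hash with the challenge."""
    p, q, g = group
    e, s = sig
    r = (pow(g, s, p) * pow(public_key, e, p)) % p
    return _hash_to_int(r, challenge) % q == e


class Server:
    """Knows only the public key; issues a fresh random challenge per login."""

    def __init__(self, group, public_key):
        self.group, self.public_key = group, public_key
        self.last_challenge = None

    def new_challenge(self):
        self.last_challenge = secrets.token_bytes(32)
        return self.last_challenge

    def check(self, sig):
        return verify(self.group, self.public_key, self.last_challenge, sig)


def demo():
    """Returns (login_ok, replay_ok): a genuine login succeeds, a replay fails."""
    group = make_group()
    agent = Agent(group)
    server_a = Server(group, agent.public_key)
    server_b = Server(group, agent.public_key)  # same key authorized on both hosts
    sig_a = agent.sign(server_a.new_challenge())
    login_ok = server_a.check(sig_a)
    # If server_a were compromised it could record sig_a, but server_b issues
    # its own challenge, so the recorded signature does not verify there.
    server_b.new_challenge()
    replay_ok = server_b.check(sig_a)
    return login_ok, replay_ok


if __name__ == "__main__":
    print("login:", demo())
```

Contrast this with the password case in the post above: a password sent to a compromised server is the secret itself and works anywhere it was reused, whereas the signature here is bound to one challenge and reveals nothing about `_x`.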

Thanks for the clarification! I have now updated my previous comment, to hopefully make it more accurate. The main point was that the passphrase used by @xwr111 to protect their SSH key should not be used if they plan to use Bitwarden’s SSH agent.

1 Like