Experience Using Flash + USB For SSH Keys?

Alex Satrapa grail at goldweb.com.au
Mon Dec 2 23:47:42 EST 2002


I've been using a CF card + USB reader to store stuff to transport 
between machine for a few weeks now, and figured I'd share my 
experiences so far, and see if anyone has anything to contribute to my 
further learning in this arena.  The following are some random thoughts, 
in no particluar order.

First, there's the cost:
  - $50-$100 for the USB CF reader (usually a multiple device reader, 
eg: SmartMedia/CompactFlash/Memorystick)
  - around $2/MiB for the CF itself (eg: $100 for 64MiB)

Then there's the "convenience"
  - Installing drivers on Mac OS X, Windows etc for multi-function readers
  - Apparently pure CF readers don't need drivers, they look like USB 
storage devices
  - CF is slow compared to HDD or network

I've used CF to store:
  - SSH keys
  - PGP/GPG keys
  - SSH clients for various OSes
  - other files too big for floppy

What I can't use CF to store:
  - Drivers for CF readers (obvious reasons ;)

Using the one CF card for pictures in the digital camera, and SSH keys 
for the computer is fine - the digital camera file system resides under 
a folder for itself, which won't interfere with your other data.  The 
camera is smart enough to realise that disk space can be used up by 
stuff other than photos.

The CF must be formatted in the lowest common denominator file system - 
in my case, that's (V)FAT (otherwise the camera can't use it) - play it 
safe, if you have to share a CF with a camera, format the CF in the 
camera.  This means you have to fiddle with permissions at mount time, 
rather than on the file system itself eg in Linux, set one of the 
options in fstab to something like:
/dev/scsi/host1/bus0/target0/lun0/part1 /tanya/CF-Card  auto
rw,user,noauto,nodev,sync,nosuid,umask=0077   0   0

Otherwise other users have access to your key material.

You have to trust root on the system that you stick the CF card into.

You can carry around SSH clients for each platform, but you still have 
to trust root - eg: on a Windows box, you'd want to make sure there 
wasn't a virus infecting your Windows SSH client on the CF.  You don't 
want the admin of any other system running a keylogger shell around your 
program.  So using the SSH client on the CF is a matter of convenience, 
there's little or no security associated with carrying your own client 
around with you.  Storing the SSH client on CF has the added benefit of 
making things slower, since CF is much slower than a UDMA-100 hard drive.

Methods for mounting the CF under Linux include using "wmmount" or some 
similar mounting application running under your X session, or using 
automount to automatically mount the CF when accessed.

Typically under Linux you might mount the CF under a specific directory, 
then have a symlink from ~/.ssh -> /tanya/CF-Card for example.  Mount 
the CF as "umask=0077" to prevent other people getting access to it. 
Make sure the CF is mounted as the user who asked for it.

Storing keys on a CF is a means of denying access to your key material 
when you are not physically present (assuming you killed all the 
ssh-agents).  Storing keys on CF does not make keys magically secure - 
they are only as secure as your pocket, or your ssh-agent.

I'd love to see a modification to ssh-agent which will delete keys that 
it can no longer see (either during a regular poll, or when it's told a 
file system has been unmounted).

In terms of convenience, a USB flash key beats CF + reader hands down. 
Unless you already have the reader because you have a digital camera.

Digital cameras with USB connections generally don't let you access 
stuff other than the photos that that specific camera stored. ie: you 
can't hook up your Nikon Coolpix 995 and expect to recover your SSH 
keys.  This is good and bad - the digital camera with CF acts as a 
"covert channeL".  If you're responsible for IT security, your policy 
should be "check the CF" - not "check the camera".

When I Google for other opinions about SSH keys and flash, I keep 
getting some article about how applications should beep and flash and be 
generally annoying when "dangerous" stuff happens (eg: host key not 
already in known_hosts file).

Based on this rambling, does anyone know of lessons I have yet to learn?

Alex




More information about the linux mailing list