[clug] Anyone keep their SSH keys on a USB flash drive or in an encrypted filesystem?

Scott Ferguson scott.ferguson.clug at gmail.com
Mon Oct 7 00:06:37 MDT 2013

On 07/10/13 15:44, steve jenkin wrote:
> I was wondering if anyone had experience in securely storing the
> contents of ~/.ssh:
>  - on a desktop/laptop machine
>  - on servers you administer

Yes. As securely as I can - how secure that is I don't know.

# nano /etc/ssh/sshd_config

uncomment /PasswordAuthentication no/ to disable clear text passwords

# nano /etc/ssh/sshd_config

set `PubkeyAuthentication yes`

Apply changes:-

# /etc/init.d/ssh restart

$ nano ~/.ssh/config
        # "Host *" opens the block; "HostName" is a per-host value, not a header
        Host *
        # "Cipher" is the SSH-1 keyword; SSH-2 clients read "Ciphers"
        # (blowfish-cbc is no longer shipped in OpenSSH 7.6 and later)
        Ciphers blowfish-cbc

Additionally you might consider:-
;wipe bash history
;banning ssh root logins (su -c ain't hard)
;fail2ban and fwknop.* (with GPG)
;some level of monitoring to attempt to detect when the security is
> For a desktop, farnarkling with a USB drive mounted onto ~/.ssh might
> work, but creates a problem of clear-text keys getting stolen.

It's not telnet! Why would you use clear-text keys? :o

scp -r mystorage:/.ssh ./
scp mystorage:/.bash* ./
. .bashrc

You can use .bash_aliases to manipulate .ssh/config - I prefer to use
aliases to call konsole profiles which then use the .ssh/config entries
(more flexibility with X forwarding, reverse tunnels etc., and easier
(for me) to visually identify which ssh session is which). It's also nice
to hotkey either the aliases or the konsole profiles.
alias sshdev='konsole --profile dev'

Font=Oxygen Mono,12,-1,5,50,0,0,0,0,0
Command=ssh -t sd screen -dR
RemoteTabTitleFormat=Dev : %u

# Development server
Host sd
        HostName someserver.somewhere
        User scott

> I was looking for a way to deny automatic SSH access if I wasn't at the

What's wrong with the ssh-keygen passphrase?  :)

> For servers, especially a central trusted cluster admin-host, I was
> wondering if creating a small, encrypted filesystem was easy or useful
> (has not to be readable by super-user when mounted).

You 'could' (possibly) use recursive sshfs trickery (then ssh -i -f that)

> I've never used user-mounted encrypted filesystems, so no idea of how
> hard they might be...

Easy to do...  hard (impossible?) to secure if you are not the only one
with root access though.

> regards
> steve jenkin

Kind regards
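As an added example (not Scott's or the list's own code), here is a small audit script that checks the points raised in this thread: the sshd_config settings (no password authentication, pubkey authentication on, root logins banned), ~/.ssh file modes, and whether a private key actually has an ssh-keygen passphrase. It assumes POSIX sh, awk and find; ssh-keygen is only needed for the optional passphrase check and is skipped when absent. Note that sshd takes the first occurrence of a keyword, not the last, and that settings below a Match line are conditional, which is why the lookup stops there.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config and a
# ~/.ssh directory against the points raised in the thread.
# Assumes POSIX sh, awk and find; ssh-keygen is optional.

# Effective global value of one sshd_config keyword, or $3 when unset.
# sshd uses the FIRST occurrence of a keyword (later lines are ignored),
# keywords are case-insensitive, "Key=value" is allowed, and anything
# after the first "Match" line is conditional, so the scan stops there.
sshd_effective() {  # $1=config file  $2=keyword  $3=value if unset
    awk -v key="$2" -v def="$3" '
        { sub(/#.*/, ""); sub(/=/, " ") }              # drop comments, allow Key=value
        NF == 0 { next }
        tolower($1) == "match" { exit }                # end of the global section
        tolower($1) == tolower(key) { val = $2; exit } # first match wins
        END { print (val == "" ? def : val) }
    ' "$1"
}

# Check the three settings discussed above. Prints one line per setting and
# returns the number of weak ones. An unset PasswordAuthentication defaults
# to "yes"; an unset PermitRootLogin is "yes" on old releases and
# "prohibit-password" on newer ones, so either way it is reported as weak.
audit_sshd() {  # $1=config file
    weak=0
    for spec in PasswordAuthentication:no:yes \
                PubkeyAuthentication:yes:yes \
                PermitRootLogin:no:unset; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        got=$(sshd_effective "$1" "$key" "$def")
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "WEAK $key $got (want $want)"
            weak=$((weak + 1))
        fi
    done
    return "$weak"
}

# True if any of the given symbolic permission bits is set on $1.
has_perm() {  # $1=path  $2..=bits such as g+w o+r
    p=$1; shift
    for m in "$@"; do
        if [ -n "$(find "$p" -prune -perm -"$m")" ]; then return 0; fi
    done
    return 1
}

# ~/.ssh hygiene: with StrictModes (the default) sshd ignores authorized_keys
# in a group/world-writable directory, and ssh refuses private keys that
# others can read. Also flags private keys that accept an empty passphrase.
# Returns the number of problems found.
audit_ssh_dir() {  # $1=directory
    d=$1; bad=0
    if has_perm "$d" g+w o+w; then
        echo "WEAK $d is group/world writable"; bad=$((bad + 1))
    fi
    for k in "$d"/id_* "$d"/*.pem; do
        [ -f "$k" ] || continue
        case $k in *.pub) continue ;; esac
        if has_perm "$k" g+r o+r; then
            echo "WEAK $k is readable by others"; bad=$((bad + 1))
        fi
        # ssh-keygen -y prints the public half; with an empty -P it only
        # succeeds when the private key has no passphrase at all.
        if command -v ssh-keygen >/dev/null 2>&1 &&
           ssh-keygen -y -P '' -f "$k" >/dev/null 2>&1; then
            echo "WEAK $k has no passphrase"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run against a real system:  sh ssh_audit.sh /etc/ssh/sshd_config ~/.ssh
if [ "$#" -eq 2 ]; then
    audit_sshd "$1" || :
    audit_ssh_dir "$2" || :
fi
```

Both audit functions return their problem count, so they can be chained from cron or a config-management check. The passphrase test is the one that answers "what's wrong with the ssh-keygen passphrase?": a key that ssh-keygen can read with an empty passphrase is the clear-text key the original question worried about, however it is mounted.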
