[clug] Anyone keep their SSH keys on a USB flash drive or in an encrypted filesystem?

Scott Ferguson scott.ferguson.clug at gmail.com
Mon Oct 7 00:06:37 MDT 2013


On 07/10/13 15:44, steve jenkin wrote:
> I was wondering if anyone had experience in securely storing the
> contents of ~/.ssh:
>
>  - on a desktop/laptop machine
>  - on servers you administer

Yes. As securely as I can - how secure that is I don't know.

# nano /etc/ssh/sshd_config

uncomment /PasswordAuthentication no/ to disable clear text passwords

# nano /etc/ssh/sshd_config

set PubkeyAuthentication yes

Apply changes:-

# /etc/init.d/ssh restart

$ nano ~/.ssh/config

# Patterns
Host *
        Ciphers blowfish-cbc

Additionally you might consider:-
;wipe bash history
;banning ssh root logins (su -c ain't hard)
;fail2ban and fwknop.* (with GPG)
;some level of monitoring to attempt to detect when the security is
compromised
>
> For a desktop, farnarkling with a USB drive mounted onto ~/.ssh might
> work, but creates a problem of clear-text keys getting stolen.

It's not telnet! Why would you use clear-text keys? :o

scp -r mystorage:/.ssh ./
scp 'mystorage:/.bash*' ./
. .bashrc

You can use .bash_aliases to manipulate .ssh/config - I prefer to use
aliases to call konsole profiles which then use the .ssh/config entries
(more flexibility with X forwarding, reverse tunnels etc, and easier
(for me) to visually identify which ssh session is which. It's also nice
to hotkey either the aliases or the konsole profiles.
e.g.:-
~/.bash_aliases
alias sshdev='konsole --profile dev'

~/.kde/share/apps/konsole/dev.profile
[Appearance]
ColorScheme=BlackOnLightYellow
Font=Oxygen Mono,12,-1,5,50,0,0,0,0,0
[General]
Command=ssh -t sd screen -dR
Icon=network-server
MenuIndex=3
Name=Dev
RemoteTabTitleFormat=Dev : %u
ShowNewAndCloseTabButtons=false
ShowTerminalSizeHint=false
StartInCurrentSessionDir=false

~/.ssh/config
# Development server
Host sd
        HostName someserver.somewhere
        User scott


I was looking for a way to deny automatic SSH access if I wasn't at the
keyboard...


What's wrong with the ssh-keygen passphrase?  :)

>
> For servers, especially a central trusted cluster admin-host, I was
> wondering if creating a small, encrypted filesystem was easy or useful
> (has not to be readable by super-user when mounted).


You 'could' (possibly) use recursive sshfs trickery (then ssh -i -f that)

>
> I've never used user-mounted encrypted filesystems, so no idea of how
> hard they might be...

Easy to do...  hard (impossible?) to secure if you are not the only one
with root access though.

>
> regards
> steve jenkin
>

Kind regards
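As an added example (not part of the original post), a small sh audit of the sshd_config settings the reply recommends (PasswordAuthentication, PubkeyAuthentication, root logins); the sample config and the function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings the thread recommends. The sample config below is constructed.

# Print the effective value of a keyword. sshd honours the first occurrence
# of a keyword and ignores commented lines; keywords are case-insensitive.
# Caveat: values inside Match blocks are not handled here.
sshd_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Compare one keyword with the wanted value; $4 is sshd's default (OpenSSH of
# the period) when the keyword is absent, so a still-commented line counts
# as the default rather than as the value written after the '#'.
check_opt() {
    val=$(sshd_opt "$1" "$2")
    [ -z "$val" ] && val="$4"
    if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$3" ]; then
        echo "OK   $2 = $val"
    else
        echo "FAIL $2 = $val (want $3)"
        return 1
    fi
}

# Run the checks from the thread; returns the number of failures.
audit_sshd() {
    fails=0
    check_opt "$1" PasswordAuthentication no  yes || fails=$((fails + 1))
    check_opt "$1" PubkeyAuthentication   yes yes || fails=$((fails + 1))
    check_opt "$1" PermitRootLogin        no  yes || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample: PasswordAuthentication is still commented out (the
# "uncomment" step was skipped), so the default applies, and root logins
# are still allowed.
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes
EOF

audit_sshd "$CFG" || echo "$? setting(s) need attention"
```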
