[clug] Anyone keep their SSH keys on a USB flash drive or in an encrypted filesystem?

David Deaves David.Deaves at dd.id.au
Mon Oct 7 02:06:37 MDT 2013


Just create your keys with a password.  
Then use  ssh-agent  to manage unlocked keys and make sure you start ssh-agent 
using the '-t 300' so that a key expires after 5 minutes, or stick with the 
default of no-lifetime, and set up your machine to run  ssh-add -D  when you 
lock your screen.

Not exactly what you were after, but I figured a reasonable approximation 
functionally at least.

I use this to trap screen lock/unlock  -  it also logs the times, very handy 
for doing your timesheets.  And kills off  Figaro Password Manager if left open.

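# Get the log into the NFS cache
sum ~/ScreenSaver.log > /dev/null

dbus-monitor --session 'interface=org.gnome.ScreenSaver,member=ActiveChanged' |
  while IFS='' read -r j
  do
    if expr "$j" : ' ' >/dev/null
    then
        # Continuation line: append it to the current signal
        echo -n " :$j"
        DATA="$DATA$j"
    else
        # Initial line: start a new log entry (timestamp format assumed)
        TS=$(date '+%Y-%m-%d %H:%M:%S')
        echo
        echo -n "$TS $j"
        DATA="$j"
    fi
    if expr "$DATA" : '.*ScreenSaver.*boolean true' >/dev/null
    then
        # Screen locked: drop all keys from the agent, close the password manager
        ssh-add -D >/dev/null
        fuser -k -TERM /home/dave/.fpm/fpm*  >/dev/null 2>&1
        DATA=''
    fi
  done >> ~/ScreenSaver.log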

> I was wondering if anyone had experience in securely storing the
> contents of ~/.ssh:
>  - on a desktop/laptop machine
>  - on servers you administer
> For a desktop, farnarkling with a USB drive mounted onto ~/.ssh might
> work, but creates a problem of clear-text keys getting stolen.
> I was looking for a way to deny automatic SSH access if I wasn't at the
> keyboard...
> For servers, especially a central trusted cluster admin-host, I was
> wondering if creating a small, encrypted filesystem was easy or useful
> (has not to be readable by super-user when mounted).
> I've never used user-mounted encrypted filesystems, so no idea of how
> hard they might be...
> regards
> steve jenkin
> -- 
> Steve Jenkin, Info Tech, Systems and Design Specialist.
> 0412 786 915 (+61 412 786 915)
> PO Box 48, Kippax ACT 2615, AUSTRALIA
> sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
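
An added example, not part of the original post or thread: a shell check for the "create your keys with a password" advice above, which flags private key files stored without a passphrase by reading only the file header. The function names (key_state, audit_keys, make_samples) and the header-only sample stubs are constructed for illustration.

```sh
# Added example: flag private keys stored without a passphrase (header check only).
# base64 of "openssh-key-v1\0" + uint32(4) + "none": cipher "none" = no passphrase
OPENSSH_PLAIN='b3BlbnNzaC1rZXktdjEAAAAABG5vbmU'

# Print "encrypted", "plaintext" or "unknown" for one key file.
key_state() {
    first=$(sed -n '1p' "$1" 2>/dev/null)
    case "$first" in
    '-----BEGIN OPENSSH PRIVATE KEY-----')
        # New-format key: the cipher name sits at a fixed offset in the blob
        case "$(sed -n '2p' "$1")" in
        "$OPENSSH_PLAIN"*) echo plaintext ;;
        b3BlbnNzaC1rZXktdjEA*) echo encrypted ;;
        *) echo unknown ;;
        esac ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo encrypted ;;  # PKCS#8
    '-----BEGIN PRIVATE KEY-----') echo plaintext ;;            # PKCS#8
    '-----BEGIN '*' PRIVATE KEY-----')
        # Legacy PEM (RSA/DSA/EC): encryption is flagged in a header line
        if sed -n '2,3p' "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
            echo encrypted
        else
            echo plaintext
        fi ;;
    *) echo unknown ;;
    esac
}

# List plaintext private keys in a directory (default ~/.ssh).
# Returns 1 if any was found, so the check can gate a login script or cron job.
audit_keys() {
    found=0
    for f in "${1:-$HOME/.ssh}"/*; do
        [ -f "$f" ] || continue
        if [ "$(key_state "$f")" = plaintext ]; then
            echo "no passphrase: $f"
            found=1
        fi
    done
    return "$found"
}

# Constructed header-only stubs (not real keys) for trying the check out.
make_samples() {
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' "${OPENSSH_PLAIN}AAAAE" > "$1/plain"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIA' > "$1/enc"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' > "$1/pem_enc"
}
```

Files that are not private keys (public keys, known_hosts, config) come back as "unknown" and are not reported.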
