[clug] Anyone keep their SSH keys on a USB flash drive or in an encrypted filesystem?
David Deaves
David.Deaves at dd.id.au
Mon Oct 7 02:06:37 MDT 2013
Steve,

Just create your keys with a password.

Then use ssh-agent to manage unlocked keys and make sure you start ssh-agent
using the '-t 300' so that a key expires after 5 minutes, or stick with the
default of no-lifetime, and set up your machine to run ssh-add -D when you
lock your screen.

Not exactly what you were after, but I figured a reasonable approximation
functionally at least.

I use this to trap screen lock/unlock - it also logs the times, very handy
for doing your timesheets. And kills off Figaro Password Manager if left open.

#!/bin/sh
# Get the log into the NFS cache
sum ~/ScreenSaver.log > /dev/null

# Watch the session bus for GNOME screensaver state changes
dbus-monitor --session 'interface=org.gnome.ScreenSaver,member=ActiveChanged' |
while IFS='' read -r j
do
    TS=$(date)
    if expr "$j" : ' ' >/dev/null
    then
        # Continuation line
        echo -n " :$j"
        DATA="$DATA$j"
    else
        # Initial line
        echo
        echo -n "$TS $j"
        DATA="$j"
    fi
    if expr "$DATA" : '.*ScreenSaver.*boolean true' >/dev/null
    then
        # Screen locked: drop all keys from the agent and kill Figaro Password Manager
        ssh-add -D >/dev/null
        fuser -k -TERM /home/dave/.fpm/fpm* >/dev/null 2>&1
    fi
done >> ~/ScreenSaver.log

> I was wondering if anyone had experience in securely storing the
> contents of ~/.ssh:
>
> - on a desktop/laptop machine
> - on servers you administer
>
> For a desktop, farnarkling with a USB drive mounted onto ~/.ssh might
> work, but creates a problem of clear-text keys getting stolen.
>
> I was looking for a way to deny automatic SSH access if I wasn't at the
> keyboard...
>
> For servers, especially a central trusted cluster admin-host, I was
> wondering if creating a small, encrypted filesystem was easy or useful
> (has not to be readable by super-user when mounted).
>
> I've never used user-mounted encrypted filesystems, so no idea of how
> hard they might be...
>
> regards
> steve jenkin
>
> --
> Steve Jenkin, Info Tech, Systems and Design Specialist.
> 0412 786 915 (+61 412 786 915)
> PO Box 48, Kippax ACT 2615, AUSTRALIA
>
> sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>
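
The advice above depends on every private key in ~/.ssh actually carrying a passphrase. The following check is an added example, not part of either post: it reads the key file headers to flag keys stored in clear text. The function names key_status and audit_ssh_dir are hypothetical.

```shell
#!/bin/sh
# Classify one file: prints "encrypted", "PLAINTEXT" or "not-a-key".
key_status() {
    kf=$1
    first=$(head -n 1 "$kf" 2>/dev/null)
    case "$first" in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # openssh-key-v1 layout: 15-byte magic "openssh-key-v1\0", a 4-byte
        # length, then the cipher name. Cipher "none" means no passphrase.
        cipher=$(grep -v '^-----' "$kf" | tr -d '\r\n' | base64 -d 2>/dev/null |
                 dd bs=1 skip=19 count=4 2>/dev/null)
        case "$cipher" in
        none) echo PLAINTEXT ;;
        "")   echo not-a-key ;;    # truncated or undecodable body
        *)    echo encrypted ;;
        esac ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")
        echo encrypted ;;          # PKCS#8 with a passphrase
    "-----BEGIN "*"PRIVATE KEY-----")
        # Legacy PEM (RSA/DSA/EC) marks encryption with a Proc-Type header;
        # unencrypted PKCS#8 has no such header either.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$kf"
        then echo encrypted
        else echo PLAINTEXT
        fi ;;
    *)
        echo not-a-key ;;
    esac
}

# Report every passphrase-less private key in a directory (default ~/.ssh).
# Returns non-zero if at least one is found.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    bad=0
    for cand in "$dir"/*; do
        [ -f "$cand" ] || continue
        if [ "$(key_status "$cand")" = "PLAINTEXT" ]; then
            echo "no passphrase: $cand"
            bad=1
        fi
    done
    return $bad
}

# Run the audit only when asked: sh thisfile --audit [directory]
if [ "${1:-}" = "--audit" ]; then audit_ssh_dir "${2:-$HOME/.ssh}"; fi
```

A key flagged here can be given a passphrase in place with ssh-keygen -p -f followed by the key path.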