jevidl (Tux's lil' helper)
Joined: 22 Jul 2004 Posts: 111 Location: Ann Arbor, MI
Posted: Sat Nov 19, 2005 3:36 am Post subject: ssh private/public key question
I want to switch to private and public key access to ssh, but I have a question.
I know that I create both the private and public key. I know that the public key goes on the server I am connecting to. I know that the private key stays with me on the computer I am connecting from.
My main question is should I create a new private/public pair from each computer I connect from, or is it OK to carry my key on a USB stick so I can copy it to the computers I am copying from?
mslinn (Apprentice)
Joined: 24 Sep 2004 Posts: 206 Location: Half Moon Bay, CA
Posted: Sat Nov 19, 2005 4:24 am Post subject: Key based access is more secure
I've got 4 servers in a data center, and I see brute force attacks against them all day long, trying to guess userid/password combinations. Good thing ssh password access is disabled! The only authentication method allowed is key-based authentication.
A USB to store your keys sounds like a great idea. You could also create a mini-CD or mini-DVD, with a bootable image on it containing your keys.
magic919 (Advocate)
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Sat Nov 19, 2005 5:56 am Post subject:
I use a different pair for each server I connect to. Limits my exposure in the event one gets compromised. A USB key is a great idea. You can passphrase-protect your keys using a 'keyring' on your client machine, and this is an extra layer of security. Type the passphrase once and it'll hold for the day (in fact until you stop the keyring program).
ticho (Tux's lil' helper)
Joined: 23 Oct 2003 Posts: 138 Location: yes
Posted: Sat Nov 19, 2005 5:19 pm Post subject:
magic919 wrote:
> I use a different pair for each server I connect to. Limits my exposure in the event one gets compromised. A USB key is a great idea. You can passphrase-protect your keys using a 'keyring' on your client machine, and this is an extra layer of security. Type the passphrase once and it'll hold for the day (in fact until you stop the keyring program).

I guess you mean 'keychain' (emerge keychain). Or is there a ssh-agent wrapper called keyring as well?

As for the original question, I use a separate DSA key for each server, and have entries of this kind in ~/.ssh/config:

```
Host foo
    HostName foo.server.net
    User weirdo
    IdentityFile /home/ticho/.ssh/foo.prv
```

This way, I only have to type ssh foo in order to connect to foo.server.net as user weirdo, using the foo.prv ssh key.
_________________
The more you depend on forces outside yourself, the more you are dominated by them.
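Editor's added example (my code, not ticho's or anything shipped with OpenSSH): the one-key-per-server layout from the post above, written as shell functions so it can be repeated for every server, plus the permission check that ssh itself performs before it will use a private key. Two things go beyond the post: the stanza sets IdentitiesOnly so the client offers only the key meant for that host instead of every key the agent holds, and the key is generated as ed25519 rather than DSA, since current OpenSSH refuses DSA keys by default. Every host name, user name, path and passphrase here is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Host names, users, paths and the
# passphrase are constructed placeholders.

# Append a per-host stanza to the ssh config file named in $1.
# IdentitiesOnly keeps the client from offering every key the agent holds,
# so the server only ever sees the key that was made for it.
add_host_entry() {
    cfg=$1 alias=$2 hostname=$3 user=$4 keyfile=$5
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
        "$alias" "$hostname" "$user" "$keyfile" >>"$cfg"
}

# Succeed only when the private key is a regular file readable by its owner
# alone (mode 600); the ssh client refuses keys with looser permissions.
check_key_perms() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 600 -print)" ]
}

# Generate a passphrase-protected key for one server, if ssh-keygen exists.
# The thread uses DSA; ed25519 is used here because current OpenSSH rejects
# DSA keys by default. In real use omit -N so ssh-keygen prompts instead of
# taking the passphrase from a script.
make_server_key() {
    keyfile=$1 comment=$2 passphrase=$3
    command -v ssh-keygen >/dev/null 2>&1 || return 0
    ssh-keygen -q -t ed25519 -f "$keyfile" -C "$comment" -N "$passphrase"
    chmod 600 "$keyfile"
}

# Demo in a throw-away directory so nothing touches the real ~/.ssh.
demo_dir=$(mktemp -d)
make_server_key "$demo_dir/foo.prv" "weirdo@foo (constructed)" "placeholder-passphrase"
add_host_entry "$demo_dir/config" foo foo.server.net weirdo "$demo_dir/foo.prv"
cat "$demo_dir/config"
rm -rf "$demo_dir"
```

To use it for real, call add_host_entry with "$HOME/.ssh/config" and the key path you generated, once per server, and keep the config file itself at mode 600 as well.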
jevidl (Tux's lil' helper)
Joined: 22 Jul 2004 Posts: 111 Location: Ann Arbor, MI
Posted: Sun Nov 20, 2005 6:35 pm Post subject:
ticho wrote:
> magic919 wrote:
> > I use a different pair for each server I connect to. Limits my exposure in the event one gets compromised. A USB key is a great idea. You can passphrase-protect your keys using a 'keyring' on your client machine, and this is an extra layer of security. Type the passphrase once and it'll hold for the day (in fact until you stop the keyring program).
>
> I guess you mean 'keychain' (emerge keychain). Or is there a ssh-agent wrapper called keyring as well?

I also connect from win clients, which might limit my ability to use a keychain program. Does anyone know a good win or cross-platform open source keychain project? Better yet, one that could run on Windows off a USB stick like portable firefox or portable gaim?

ticho wrote:
> As for the original question, I use a separate DSA key for each server, and have entries of this kind in ~/.ssh/config:

I will be connecting only to one server, from potentially many clients. A better way to describe it might be to ask if I should have a different key pair for each client I use to connect to a single server. Or yet another way, should each client computer have a different private key, or should I carry one associated with me, the user?
Hopefully I am wording my question clearly...
Monkeh (Veteran)
Joined: 06 Aug 2005 Posts: 1656 Location: England
ticho (Tux's lil' helper)
Joined: 23 Oct 2003 Posts: 138 Location: yes
Posted: Sun Nov 20, 2005 7:41 pm Post subject:
jevidl wrote:
> I will be connecting only to one server, from potentially many clients. A better way to describe it might be to ask if I should have a different key pair for each client I use to connect to a single server. Or yet another way, should each client computer have a different private key, or should I carry one associated with me, the user?

Definitely carry your key with you everywhere, but be sure to delete it from the client computer after you're done there (I think it's even possible to delete it from disk once the ssh connection is established, if you're that paranoid). Oh, and beware of keyloggers installed on clients; someone might get your key passphrase that way.
_________________
The more you depend on forces outside yourself, the more you are dominated by them.
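Editor's added example (my code, not from any poster or from OpenSSH): jevidl asks whether each client should get its own key, and magic919 earlier made the point that separate pairs limit exposure if one is compromised. Whichever way that is decided, the exposure is actually bounded on the server, in authorized_keys, and only if each key sits on its own line that can be revoked by itself. The functions below keep one tagged line per client, optionally pinned to the client's source address with the from= option, and remove a single client's line without touching the rest. The key blobs, addresses and comments are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the thread. Key blobs, hosts and comments below are
# constructed placeholders; none is a real key.

# Append one key for one client to the authorized_keys file in $1.
# $2 key type, $3 base64 key blob, $4 comment tag (no spaces, used as the
# revocation handle), $5 optional source pattern for the from= option, which
# makes the key usable only from that address even if it is copied elsewhere.
add_client_key() {
    ak=$1 ktype=$2 blob=$3 comment=$4 source=${5:-}
    if [ -n "$source" ]; then
        printf 'from="%s" %s %s %s\n' "$source" "$ktype" "$blob" "$comment" >>"$ak"
    else
        printf '%s %s %s\n' "$ktype" "$blob" "$comment" >>"$ak"
    fi
    chmod 600 "$ak"
}

# Drop every line whose trailing comment equals $2. The result is written to
# a temp file and moved into place, so an interrupted run never leaves a
# truncated authorized_keys behind.
revoke_client_key() {
    ak=$1 comment=$2
    tmp="$ak.tmp.$$"
    awk -v c="$comment" '{ if ($NF == c) next; print }' "$ak" >"$tmp" \
        && chmod 600 "$tmp" && mv "$tmp" "$ak"
}

# Print the comment tag of every key still authorized, one per line,
# skipping blank and comment lines.
list_client_keys() {
    awk 'NF >= 3 && $1 !~ /^#/ { print $NF }' "$1"
}

# Number of authorized keys, for audits and for the test below.
count_client_keys() {
    list_client_keys "$1" | wc -l | tr -d ' '
}

# Demo in a throw-away directory; constructed blobs, not real key material.
demo_dir=$(mktemp -d)
ak="$demo_dir/authorized_keys"
add_client_key "$ak" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY0001 jevidl@laptop 192.0.2.10
add_client_key "$ak" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY0002 jevidl@usb-stick
revoke_client_key "$ak" jevidl@usb-stick
list_client_keys "$ak"
rm -rf "$demo_dir"
```

The comment field is the revocation handle here, so give every client a distinct tag when you add its public key; matching on the key blob instead would also work, and is the safer choice if comments might repeat.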
magic919 (Advocate)
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Sun Nov 20, 2005 7:47 pm Post subject:
I think PuTTY and Pageant (the keychain bit) is good for Windows. I'd certainly password the key under those circumstances, as I'm not sure you can persuade PuTTY to store all its stuff on the USB. It uses the Windows registry a bit.