[kwlug-disc] SSH hygiene suggestion
Hubert Chathi
hubert at uhoreg.ca
Thu Jan 10 15:46:52 EST 2019
On Thu, 10 Jan 2019 11:18:32 -0500, Chris Irwin <chris at chrisirwin.ca> said:
> On Thu, Jan 10, 2019 at 03:10:51AM -0500, tomg at sentex.ca wrote:
>> It looks like this SSH worm can only spread if a) the use of
>> authorized_keys is in place and b) the private SSH key is not
>> password-encrypted. So, my suggestion is, to the Linux world, please
>> encrypt your private SSH key.
> For most users, an encrypted ssh key only protects it on-disk. The
> decrypted key is cached via any number of ssh-agents (like the
> gnome-keyring) after used for the first time in a session.
When you add a key to ssh-agent, you can tell it to require confirmation
whenever the key is used (using "ssh-add -c ..."). I don't know if
gnome-keyring has something similar. Then when you ssh into a host, it
will ask you whether you want to allow using the key, but without having
to type in the passphrase every time.
On Thu, 10 Jan 2019 11:26:38 -0500, Khalid Baheyeldin <kb at 2bits.com> said:
> On Thu, Jan 10, 2019 at 11:19 AM Chris Irwin <chris at chrisirwin.ca> wrote:
>> On Thu, Jan 10, 2019 at 03:10:51AM -0500, tomg at sentex.ca wrote:
>> I can't imagine having to type my ssh key 1000 times a day.
>>
> Me neither.
> Not to mention the tens of scripts that rely on ssh access without
> having to type in a passphrase or whatnot.
If you have scripts that use passphrase-less ssh keys, I would strongly
suggest limiting what commands that key can be used to execute by using
the "command=..." option in the authorized_keys file if possible.
See https://man.openbsd.org/sshd#AUTHORIZED_KEYS_FILE_FORMAT
(also apply other restrictions as appropriate)
Hubert
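The `command=` restriction Hubert points at, shown as an added example that is not part of the thread: a POSIX shell wrapper used as the forced command for a passphrase-less key, plus a helper that builds the matching `authorized_keys` line with `restrict` and an optional `from=` limit. sshd puts whatever the client asked to run into `SSH_ORIGINAL_COMMAND`; the wrapper only lets an exact-match allow-list through. The wrapper path, the two allowed commands, the key material and the source network are all made-up placeholders.

```shell
#!/bin/sh
# Added example (not from the kwlug-disc thread): forced-command wrapper for
# a script key. sshd sets SSH_ORIGINAL_COMMAND to the client's requested
# command when authorized_keys carries command="..."; this wrapper refuses
# anything outside a fixed allow-list, so a leaked key cannot get a shell.

# Hypothetical allow-list: the only things this backup key may run.
# Exact string match on purpose: no globs, so "df -h /srv/backup; rm -rf /"
# does not slip through. Returns 0 if permitted, 1 otherwise.
allow_original_command() {
    case "$1" in
        "rsync --server --sender -logDtpre.iLsfxC . /srv/backup/") return 0 ;;
        "df -h /srv/backup") return 0 ;;
        *) return 1 ;;
    esac
}

# Build the authorized_keys line for the key: "restrict" disables pty,
# port/agent/X11 forwarding and user-rc in one word (OpenSSH 7.2+), command=
# points at this wrapper, and an optional from= pins the source address.
#   $1 = wrapper path   $2 = public key material   $3 = from= pattern (optional)
build_authorized_keys_line() {
    line="restrict,command=\"$1\""
    if [ -n "$3" ]; then
        line="$line,from=\"$3\""
    fi
    printf '%s %s\n' "$line" "$2"
}

# Entry point when sshd runs this file as the forced command.
run_forced_command() {
    if allow_original_command "${SSH_ORIGINAL_COMMAND:-}"; then
        # The string matched the allow-list exactly, so re-running it via
        # sh -c adds nothing the allow-list did not already approve.
        exec sh -c "$SSH_ORIGINAL_COMMAND"
    fi
    echo "backup-wrapper: rejected command: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2
    return 255
}

# Only enforce when invoked with --enforce (as the installed wrapper would be);
# sourcing the file for the helpers does nothing.
if [ "${1:-}" = "--enforce" ]; then
    run_forced_command
fi
```

Installed as `/usr/local/bin/backup-wrapper --enforce` in the `command=` field, the script key can still drive the backup but nothing else; rejected requests land in sshd's log via stderr, which is the place to watch for a key being used outside its purpose. The `ssh-add -c` idea from the first paragraph is independent of this: it needs an `SSH_ASKPASS` program available in the session so the agent can pop up the confirmation prompt.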