pyratelog

personal blog
git clone git://git.pyratebeard.net/pyratelog.git

commit ad71e0e08b80c6c9e49d477da739b305e95c9ac8
parent 23720a76211c73716b6de5d9a1a0cee6cd46d74c
Author: pyratebeard <root@pyratebeard.net>
Date:   Wed, 16 Nov 2022 17:30:04 +0000

where_the_sshadows_lie

Diffstat:
M entry/where_the_sshadows_lie.md | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/entry/where_the_sshadows_lie.md b/entry/where_the_sshadows_lie.md 
@@ -1,23 +1,24 @@ -For as long as I can remember I have used one ssh key pair for each device. I know there are some who prefer to use a different key for different accounts as well. I tried this in the past but felt it didn't increase the security sufficiently enough to warrant the complexity in my use case. +For as long as I can remember I have used one SSH key pair for each device. I know there are some who prefer to use a different key for different accounts as well. I tried this in the past but felt it didn't increase the security sufficiently enough to warrant the complexity in my use case. -I have three main devices; my desktop PC, my laptop, and my phone. This means that any system I need to ssh on to requires three entries in the *authorized_keys* file. +I have three main devices; my desktop PC, my laptop, and my phone. This means that any system I need to `ssh` on to requires three entries in the *authorized_keys* file. I use `drist` for ensuring my keys are on my servers (see a [previous post](TK){target="_blank" rel="noreferrer"} about this tool), meaning I can connect from any of my devices. When I rebuilt my laptop recently I generated a new key pair, then updated my drist configuration and pushed it out to my systems. All was well until I wanted to connect to my account on [sdf.org](https://sdf.org){target="_blank" rel="noreferrer"}, and realised I had not pushed the updated public key for my laptop to my SDF account. -This got me thinking about alternative ways of ssh key management. With regards to a GPG key, we usually create one key that belongs to our identity. In my case [my key](TK){target="_blank" rel="noreferrer"} is used with my email, git commit signing, and other encryption to prove I am pyratebeard. The private key has been securely copied to my laptop and phone and imported into the GPG keyring. +This got me thinking about alternative ways of SSH key management. 
With regards to a GPG key, we usually create one key that belongs to our identity. In my case [my key](TK){target="_blank" rel="noreferrer"} is used with my email, git commit signing, and other encryption to prove I am pyratebeard. The private key has been securely copied to my laptop and phone and imported into the GPG keyring. -Could one ssh key pair for _my identity_ be enough? If the private key was securely copied to my devices, then my systems and any accounts that require ssh only need to know about one key. +Could one SSH key pair for _my identity_ be enough? If the private key was securely copied to my devices, then my systems and any accounts that require `ssh` only need to know about one key. -Of course this changes my threat model. If any of my devices are compromised I would have to replace the key on all of them. +To get an idea of how others work I put out [a poll](TK){target="_blank" rel="noreferrer"} on Mastodon. -When a GPG key is loaded into your keyring you don't have to keep the private key. With ssh keys there is no keyring, ssh uses the private key file when connecting. There is of course ssh-agent which can load the key in memory, but the private key still has to be read after a reboot. +![results](/img/sshkey_poll.png#fitwidth) -I know of GNOME keyring which can manage ssh keys, although I have not used it before. +It surprised me that an equal number of people use one key per device, and one key for all. -To get an idea of how others work I put out [a poll](TK){target="_blank" rel="noreferrer"} on Mastodon. +Maybe using one key isn't such a bad idea. Of course this changes my threat model. If any of my devices are compromised I would have to replace the key on all of them. -[results] +When a GPG key is loaded into your keyring you don't have to keep the private key. With SSH keys there is no keyring, `ssh` uses the private key file when connecting. 
There is of course `ssh-agent` which can load the key in memory, but the private key still has to be read after a reboot. This isn't ideal, so I went looking for a more secure way. + +As it turns out you can add an SSH key to a GPG key then `gpg-agent` will provide the authentication instead of `ssh-agent`, and more importantly you can delete you SSH private key. -It surprised me that an equal number of people use one key per device, and one key for all.
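Review bot: the last added line's claim that "you can delete you SSH private key" (typo: "your") overstates what changes, and the same hunk shows why: the GPG private key "has been securely copied to my laptop and phone and imported into the GPG keyring", so switching authentication to `gpg-agent` only removes the separate SSH key file while the authentication key material still lives on every device in the GPG keyring. The threat-model sentence retained in this hunk ("If any of my devices are compromised I would have to replace the key on all of them") therefore still applies after the change; suggest "you can delete the separate SSH private key file, since the key material now lives in your GPG keyring". Minor: "sufficiently enough" in the first rewritten line is redundant, and the `(TK)` link targets in the unchanged context lines are still unresolved placeholders.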