20220512-distrust,_but_verify.md (2769B)
1 The other day I thought of a scenario that has kept my mind occupied ever since. 2 3 My phone had frozen causing me to reboot. This doesn't happen very often, it has been a long time since my phone had been off. On reboot I had to unlock the phone, the password I remembered. Then once the system had started I had to unlock the SIM card. I typed in the four digit passcode but it was incorrect. For codes like this I generally rely on muscle memory, this time my mind was blank. 4 5 I went over to my PC and checked my password manager. Thankfully the code was there and I unlocked the SIM. Normally when I am away from my PC I can access it remotely using a VPN and `ssh` on my phone (with [termux](https://termux.com/){target="_blank" rel="noreferrer"}). My password manager of choice is [pass](https://www.passwordstore.org/){target="_blank" rel="noreferrer"} and is stored as a git repository on one of my remote servers. If necessary I can clone the repository to my phone, my laptop, or even locally on the server. 6 7 This is where the problem scenario started to form in my mind. To access my VPN I need a certificate stored on my phone. These certificates are generated on the VPN system on a per device basis. 8 9 If my phone was off I wouldn't be able to access my home network. Some of my remote systems have firewall rules to only allow ssh traffic from my home network. For the couple that aren't I use ssh keys to authenticate, which you've guessed it are on my phone or PC. I wouldn't even be able to access the firewall settings as I would need a one-time passcode (OTP), which is provided by an app on my phone. 10 11 Let us say I am travelling, my phone dies or reboots and I have forgotten the passcode. I need to access one of my servers or my password manager. How would I do it? 12 13 For the password manager I could use a tool such as Bitwarden and be able to access it via the website using just a passphrase. This is clearly an obvious and probably quite sound solution. That little selfhosting devil on my shoulder isn't a fan though. 14 15 I could always allow password authentication in my ssh config on my servers, but this isn't as secure as using keys. I thought about storing an ssh key in Bitwarden so I could download and use it from an unknown system. Maybe have a few keys and make them one-time use by deleting the entry in ~/.ssh/authorized_keys after each use. 16 17 So you are stranded outside your network and systems with no certificates or keys, how would you solve this problem? Do you already have a solution for your own setup? Should I reduce security to allow for emergency access? I am open to any ideas or suggestions, contact details can be found on my [homepage](https://pyratebeard.net){target="_blank" rel="noreferrer"}.