How to store SSH keys?
E.g. if I have multiple machines, I'd need to duplicate private keys, which I think is undesirable.
No, actually you don't. If you have multiple machines, you just create a separate private key on each one. For each private key, just upload the corresponding public key to GitHub using the same process.
Also, if my HDD go kaput, I'll lose my private key, which (I guess) is undesirable as well.
Not really; if you lose your private key, just generate a new one and upload the corresponding public key.
For what it's worth, you're right that duplicating a private key is highly undesirable. Ideally, a private key should be generated in one file (~/.ssh/id_rsa
for example) and should never leave that file - that is, it should never be copied, moved, and especially not transferred over a network. (e.g. I exclude them from backups) Because of the nature of asymmetric authentication protocols, you only need to worry about keeping your private key out of the hands of others. If you go a bit overboard and you lose track of it yourself, it's generally not a big deal. (This is not to be confused with asymmetric encryption private keys, e.g. GPG keys, which you probably want to hold on to.)
There is a very nice tool named KeePass2 (http://keepass.info/) with the extension (http://lechnology.com/software/keeagent/)
You can store there Passwords, SSH Keys, and a lot more(on the official KeePass page are a lot more usefull extensions)
If you want to login automaticaly with your SSH Keys, you just need to install PuTTY, Pageant and KeePass with KeeAgent. If you are configuring it correctly you dont have to setup the Keys in PuTTY, Pageant or FileZilla.
I use it myself and i'm pretty happy about it. I have over 30 VPS and Root Server with a certain amount of different SSH Keys and the only thing i have to do ist open KeePass(Its not my primary Password Safe) and then i just need to type in the console my passphrase.
I would add that ~/.ssh/ is readable by your browser if you are using the same user account to run both.
Try it! Point your browser to your private key in your home directory. It's fun.
So I would recommend storing ssh-keys in the home directory of another user account.
a word on passphrase protecting keys
- These days, cracking non-randomized passwords is super fast . Check out hash cat
- ( Though random and long 12+ char passwords still take reasonably long to brute force)
- So AES encrypted ssh keys are uncrackable for the foreseeable future as long as you use good long passphrases. See github recommendations
- So some website can guess-grab your key w/o JavaScript . And then brute-force the key offline.
- And browsers can look into your Clipboard w/ JS too. So copy-pasting very long passphrases also puts you at risk from the more sophisticated javascript attacks.
look_at_keys.html
9 <HTML>
10 <HEAD>
11 <TITLE>look at keys</TITLE>
12 </HEAD>
13 <FRAMESET cols="20%, 80%">
14 <FRAMESET rows="100, 200">
15 <FRAME src="/Users/yourname/.ssh/stuff.pem">
16 <FRAME src="blah.html">
17 </FRAMESET>
18 <FRAME src="contents_of_frame3.html">
19 </FRAMESET>
20 </HTML>
I would recommend storing private keys:
- offline (not in the cloud)
- in more than one place
- apart from anything it's related to, e.g. a key for your encrypted data, store it in a separate place from the data
I'd say, the best place would be:
- an external hard drive
- a flash key
- a computer not plugged into the internet
Even better, just print it out, and put it in a fire proof safe.
You can store your ssh keys in a separate directory inside an encrypted partition. Then you can use ssh pointing to that directory with -i
:
ssh -i identity_file [email protected]
Full description (man ssh
):
-i identity_file
Selects a file from which the identity (private key) for public key authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file.
It is possible to have multiple -i options (and multiple identities specified in configuration files). If no certificates have been explicitly specified by the CertificateFile directive, ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames.
My approach to security is that I divide information into private and general. I don't want to encrypt my whole home partition, that's why I copy secret files (like those in ~/.ssh
) into an encrypted partition.
I think this gives some rather efficient security, because malware won't find anything in ~/.ssh, and probably it won't scan your whole system or shell profiles to find that location.
-F configfile
sets path to config file.
P.S. I would create an alias alias ssh='ssh -i ... -F ...'
and put it into your profile.
P.P.S. I didn't check this yet, and I don't know how other programs (like git) will work with these ssh settings.