I keep several SSH keys and I want to secure them as much as possible. They live in ~/.ssh .

Is it possible (and is it necessary) to do something to make their storage safer, for example against cases of unauthorized access to the computer?

  • Obfuscate the names so that it is unclear which key is for what?
  • Move them somewhere else?
  • ?

I use OS X and Ubuntu.

  • 1
    It is better to rule out unauthorized access to the computer. - Mike
  • @Mike: that goes without saying :) But anything can happen. - Nick Volynkin
  • In general, anything is possible. But IMHO the game is not worth the candle. Copy them somewhere deeper in the file system. But copy them back each time before use and then delete them. And so that there is no trace in the history. And if you make scripts for this, they can be seen and the paths learned from them. For now, one way has come to my mind: write a kernel module, a file system that, even when mounted, would give access to the files only for N minutes after launching some utility that asks for a password :))) - Mike
  • 1
    Or make ssh friends with a token that stores the keys and plugs into USB ... I don't know whether it is ready for that, but maybe this is the right choice for a paranoid; the main thing is not to forget the token in the computer - Mike
  • @Mike: Yes, the hard way. Here I came up with a solution: negotiate with the admins so that I get my own user on the right servers, and then register my own key with a passphrase there. - Nick Volynkin

1 answer

There is nothing to do with the public part of the key (stored in the same ~/.ssh ), except perhaps to delete it (if you really want to): it is easily recovered from the secret part:

 $ ssh-keygen -y -f private-key > public-key 

The secret part can (and perhaps should) be encrypted with a password:

 $ ssh-keygen -p -f private-key 

and, so as not to enter the password every time the key is needed, use ssh-agent .

In modern versions of popular GNU/Linux distributions, ssh-agent is usually already installed and even (by default) running as a “layer” between the X server and the user's X session . Thanks to this, the environment variables of all X clients (including X terminal emulators ) contain SSH_AGENT_PID and SSH_AUTH_SOCK , which let all interested programs communicate with the ssh-agent process.

The agent's job is to keep the decrypted secret key(s) in memory and, when asked, to encrypt/decrypt the data passed to it with that key. The agent does not “hand out” the decrypted key(s) themselves.


To view the list of keys currently held (in memory) by the agent, use the command

 $ ssh-add -l 

You can remove all keys from memory with the command:

 $ ssh-add -D 

or a specific key:

 $ ssh-add -d /path/to/private-key 

You can add a key (you will need to enter the password to decrypt it, if the file is encrypted as suggested above) with:

 $ ssh-add /path/to/private-key 

If no path is given, by default the keys stored in the files ~/.ssh/id_rsa , ~/.ssh/id_dsa , ~/.ssh/id_ecdsa , ~/.ssh/id_ed25519 and ~/.ssh/identity are added.

But perhaps it is better to add the key for a limited period of time only:

 $ ssh-add -t time /path/to/private-key 

The time can be specified as described in the TIME FORMATS section of man sshd_config ; for example, 600 or 600s for 600 seconds, 1h30m for an hour and a half.

After that period the key is automatically “forgotten” by ssh-agent .


The “binding” to ssh-agent can be forwarded “inside” ssh connections with the -A option of the ssh program, or with the configuration option ForwardAgent yes in the appropriate “Host” section of the ~/.ssh/config file (or globally, if placed before the first “Host” section).

Thanks to this forwarding inside the connection, it is possible (using the same ssh-agent instance) to build a chain of password-less authentication. Provided, of course, that the corresponding public part of the key is “registered” on all the machines in the chain.


See more in:

 $ man ssh 
 $ man ssh-keygen 
 $ man ssh-agent 
 $ man ssh-add 
 $ man ssh_config 
  • Thanks for the detailed answer! - Nick Volynkin
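The answer above recommends encrypting the secret part with `ssh-keygen -p`. The following script, added here as an example and not part of the original thread or of OpenSSH, audits a directory such as ~/.ssh and reports which private keys still have no passphrase, reading only the file header and never the key material. It recognises the `openssh-key-v1` container (the `ciphername`/`kdfname` fields are `none` when the key is unencrypted) and legacy PEM keys (encryption is signalled by the `Proc-Type: 4,ENCRYPTED` header). The file-mode check (no group/other permission bits) is an addition of this example, and the sample key files it writes are constructed headers only, not real keys.

```python
#!/usr/bin/env python3
"""Audit a directory of SSH keys for private keys without a passphrase.

Added example, not code from the original thread. Only the key-file header is
parsed; no key material is decoded or decrypted.
"""
import base64
import os
import struct
import sys
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def key_encryption(pem_text: str) -> dict:
    """Report how a private key file is protected, without decrypting it."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-framed key file")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    body = lines[1:-1]
    if label == "OPENSSH PRIVATE KEY":
        # openssh-key-v1: magic, then ciphername and kdfname as wire strings.
        raw = base64.b64decode("".join(body))
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(raw, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(raw, off)
        cipher, kdf = cipher.decode(), kdf.decode()
        return {"format": "openssh-key-v1", "encrypted": cipher != "none", "cipher": cipher, "kdf": kdf}
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted container
        return {"format": "pkcs8", "encrypted": True, "cipher": "pkcs8", "kdf": "pkcs8"}
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by RFC 1421 headers.
    headers = {}
    for ln in body:
        if ":" not in ln:
            break  # blank line or base64 data: end of the header block
        k, v = ln.split(":", 1)
        headers[k.strip()] = v.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    cipher = headers["DEK-Info"].split(",")[0] if encrypted else "none"
    return {"format": "pem", "encrypted": encrypted, "cipher": cipher, "kdf": "md5" if encrypted else "none"}


def audit_ssh_dir(ssh_dir) -> list:
    """One finding per private key file in ssh_dir; .pub and non-key files are skipped."""
    findings = []
    for path in sorted(Path(ssh_dir).iterdir()):
        if not path.is_file() or path.suffix == ".pub":
            continue
        text = path.read_text(errors="replace")
        if "PRIVATE KEY-----" not in text:
            continue
        info = key_encryption(text)
        mode = path.stat().st_mode & 0o777
        findings.append({
            "file": path.name,
            "encrypted": info["encrypted"],
            "cipher": info["cipher"],
            "mode_ok": (mode & 0o077) == 0,  # assumption: 0600 or stricter is what we want
        })
    return findings


def _openssh_header(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: only the openssh-key-v1 header fields, not a real key."""
    raw = OPENSSH_MAGIC
    for s in (cipher, kdf):
        raw += struct.pack(">I", len(s)) + s
    b64 = base64.b64encode(raw).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample files (headers only): one passphrase-protected openssh-key-v1 key,
# one unencrypted openssh-key-v1 key, and one encrypted legacy PEM key.
SAMPLE_KEYS = {
    "id_ed25519": _openssh_header(b"aes256-ctr", b"bcrypt"),
    "id_rsa": _openssh_header(b"none", b"none"),
    "old_rsa": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                "AAAA\n-----END RSA PRIVATE KEY-----\n"),
}


def demo() -> list:
    """Write the constructed samples into a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE_KEYS.items():
            p = Path(d, name)
            p.write_text(text)
            os.chmod(p, 0o644 if name == "id_rsa" else 0o600)  # id_rsa deliberately too open
        Path(d, "id_ed25519.pub").write_text("ssh-ed25519 AAAA constructed@example\n")
        return audit_ssh_dir(d)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh")
    for f in audit_ssh_dir(target):
        flags = ("" if f["encrypted"] else " NO-PASSPHRASE") + ("" if f["mode_ok"] else " MODE-TOO-OPEN")
        print(f"{f['file']}: {f['cipher']}{flags}")
```

Run it with no arguments to audit your own ~/.ssh; every key printed with NO-PASSPHRASE is a candidate for `ssh-keygen -p -f` as described in the answer, after which `ssh-add -t` keeps the decrypted copy in the agent only for as long as you choose.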