----------------------------------------
ssh keys
April 14th, 2019
----------------------------------------
I'm listening to Go Go Penguin's Tiny Desk Concert [0] right now
while I type this little phlog. You should join me if you can.
They're incredible.
[0] Go Go Penguin Tiny Desk Concert
Yesterday I got snookered into starting up a new tilde [1] server
called tilde.black. My reasoning was pretty simple: gopher.black
is literally the only .black TLD site I know. I can't have someone
else starting tilde.black! It must be me.
[1] The Tildeverse
So I was going to spin up a general purpose thing in Ubuntu 18.04
'cause that's what I know best, but again I let myself get talked
into doing more. So, the machine is running OpenBSD 6.4. It's
going to be focused on privacy, anonymity, and security once
I open her up to new members. And I was close today! I had web
& gopher set up, Let's Encrypt all configured, tor worked on web,
gopher and even SSH. All was glorious. But then something wonky
happened with rcctl and a forum post I read recommended tossing
some config line in place and restarting the box. Big. Mistake.
So it didn't come back up and now I'm starting over. This time
around though I wanted to give some time and consideration to my
ssh keys and how I'm managing all that gibberish. One thing led to
another and Michael W. Lucas's SSH Mastery book kept slapping me
in the face. The way I had my keys set up was criminally simple
and insecure. I needed to do something before I launch a project
with security in the goals.
So, I bit the bullet and dove into posts on ssh-agent and using
gpg-agent to interface with ssh and a host of other things. I can
now say with the confidence of a person who skimmed web pages for
an hour that all that shit needs some work. In fact, I hope it's
something the community on tilde.black will do eventually. There
should be simple guides for new people on these topics. There
should be examples, recommendations, watch-outs, and more. Instead
there's aging stack-exchange posts with scripts that throw errors
in modern ssh-agent, hordes of contradictory blog posts, and
worse. This is fundamental stuff for terminal work, guys! We can
do better. The knowledge is in our circle, let's share it, okay?
In the meantime I did what I always do. I said "eff it, I'll roll
my own solution with a shell script". And I did! You can see it
over here [2] if you want. Here's the gist:
1) Every service gets its own ssh key. Period.
2) Every ssh key gets a password.
3) These passwords are not all the same thing.
4) Simple script to enable/disable the keys when I need them
without having to memorize all the passwords.
[2] lssh
What I wrote is a wrapper around LastPass, the password manager
I use. LastPass has a cli tool called lpass which is great.
I added entries in LastPass for each of my ssh keys' passwords,
placed them into a sync folder using SpiderOak (my preferred
secure sync solution) and made an easy shell wrapper to activate
whichever one I need. The activated key goes into ssh-agent. I can
easily clear ssh-agent with ssh-add -D, so that didn't need any
special wrapping (though I may add a quick switch to my script
anyway for that purpose). It's all very basic stuff, again, but it
works well and brings me closer to "safe" for my threat level.
I'd like to clean the script up more and put some bells & whistles
on it, but that will come with time.
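To make the gist above concrete, here is a small POSIX sh helper
that does the same job: one key per service, the passphrase pulled
from the password manager on demand, the key loaded into ssh-agent
with a lifetime, and ssh-add -D to clear everything. It is an added
example written for this page, not the lssh script linked above, and
it assumes things lssh may not: keys live under ~/.ssh/keys/ named
after the service, the passphrase for service S sits in the manager
under an entry called "ssh/S", and the manager is queried with
`lpass show --password` (LSSH_PASS_CMD swaps in another command, for
`pass` or for testing). The "ssh/S" entry name and the LSSH_* variables
are this example's own conventions.

```shell
#!/bin/sh
# Per-service SSH key helper (added example, not the author's lssh).
# Assumptions: keys in $KEYDIR named after the service, passphrase stored
# in the password manager under "ssh/<service>", fetched with $PASS_CMD.
set -eu

KEYDIR="${LSSH_KEYDIR:-${HOME:-.}/.ssh/keys}"
PASS_CMD="${LSSH_PASS_CMD:-lpass show --password}"
KEY_TTL="${LSSH_TTL:-1h}"        # agent forgets the key after this long

# Map a service name to its private key path. Only a conservative
# character set is allowed, so "../id_rsa" or ".ssh" can never escape KEYDIR.
key_path() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*)
            echo "key_path: bad service name '$1'" >&2; return 1 ;;
    esac
    printf '%s/%s\n' "$KEYDIR" "$1"
}

# Write a throwaway SSH_ASKPASS helper that answers ssh-add's passphrase
# prompt by asking the password manager. The file holds only the entry
# name, never the passphrase, and ignores the prompt text ssh-add passes
# as $1, so nothing secret lands on disk or in argv.
write_askpass() {
    f=$(mktemp) || return 1
    printf '#!/bin/sh\nexec %s "ssh/%s"\n' "$PASS_CMD" "$1" > "$f"
    chmod 700 "$f"
    printf '%s\n' "$f"
}

# Load one service's key into the running ssh-agent without typing its
# passphrase. ssh-add only consults SSH_ASKPASS when stdin is not a
# terminal and DISPLAY is set; SSH_ASKPASS_REQUIRE=force says the same
# thing explicitly on OpenSSH 8.4 and later and is ignored before that.
load_key() {
    key=$(key_path "$1") || return 1
    [ -r "$key" ] || { echo "load_key: no key at $key" >&2; return 1; }
    askpass=$(write_askpass "$1") || return 1
    rc=0
    SSH_ASKPASS="$askpass" SSH_ASKPASS_REQUIRE=force DISPLAY="${DISPLAY:-none}" \
        ssh-add -t "$KEY_TTL" "$key" </dev/null || rc=$?
    rm -f "$askpass"
    return $rc
}

# Create a fresh Ed25519 key for a service. ssh-keygen prompts for the
# passphrase itself, so it never appears in argv or shell history; paste
# the one you stored in the manager under ssh/<service>.
new_key() {
    key=$(key_path "$1") || return 1
    mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR"
    ssh-keygen -t ed25519 -a 100 -C "$1" -f "$key"
}

# ssh_config stanza pinning a host to its own key. Without IdentitiesOnly,
# ssh offers every key in the agent to every server it talks to, so each
# server learns the fingerprints of keys you use elsewhere, which defeats
# the point of one key per service.
config_stanza() {
    key=$(key_path "$1") || return 1
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$key"
}

main() {
    case "${1:-}" in
        new)    new_key "${2:-}" ;;
        load)   load_key "${2:-}" ;;
        config) config_stanza "${2:-}" ;;
        clear)  ssh-add -D ;;                     # forget every key at once
        *)      echo "usage: $0 new|load|config|clear [service]" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Usage is `./lssh.sh new tilde.black` once, `./lssh.sh config tilde.black
>> ~/.ssh/config`, then `./lssh.sh load tilde.black` whenever you need
it and `./lssh.sh clear` when you're done. The -t lifetime and the
IdentitiesOnly stanza are the two things worth keeping even if you
throw the rest away: the first bounds how long a stolen agent socket is
useful, the second stops every server from seeing every key.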
Next week it's back to the grindstone at work, but after Friday
I have a week off. My mother-in-law is in town and there are some
things I really need to focus on for the move, though, so this
break probably won't mean great investments of time into tildes or
even writing on Cosmic Voyage. There's a couple more months of
this ahead, and then craziness once we arrive in Iceland.
Hopefully I'll be slowing down a notch or two mid-August. :)