Introduction
Introduction Statistics Contact Development Disclaimer Help
----------------------------------------
ssh keys
April 14th, 2019
----------------------------------------
I'm listening to Go Go Penguin's tiny desk concert [0] right now
while I type this little phlog. You should join me if you can.
They're incredible.
[0] Go Go Penguin Tiny Desk Concert
Yesterday I got snookered into starting up a new tilde [1] server
called tilde.black. My reasoning was pretty simple: gopher.black
is literally the only .black TLD site I know. I can't have someone
else starting tilde.black! It must be me.
[1] The Tildeverse
So I was going to spin up a general purpose thing in Ubuntu 18.04
cause that's what I know best, but again I let myself get talked
into doing more. So, the machine is running OpenBSD 6.4. It's
going to be focused on privacy, anonymity, and security once
I open her up to new members. And I was close today! I had web
& gopher set up, lets encrypt all configured, tor worked on web,
gopher and even SSH. All was glorious. But then something wonky
happened with rcctl and a forum post I read recommended tossing
some config line in place and restarting the box. Big. Mistake.
So it didn't come back up and now I'm starting over. This time
around though I wanted to give some time and consideration to my
ssh keys and how I'm managing all that gibberish. One thing led to
another and Michael W. Lucas's SSH Mastery book kept slapping me
in the face. The way I had my keys set up was criminally simple
and insecure. I needed to do something before I launch a project
with security in the goals.
So, I bit the bullet and dove in to posts on ssh-agent and using
gpg-agent to interface with ssh and a host of other things. I can
now say with the confidence of a person who skimmed web pages for
an hour that all that shit needs some work. In fact, I hope it's
something the community on tilde.black will do eventually. There
should be simple guides for new people on these topics. There
should be examples, recommendations, watch-outs, and more. Instead
there's aging stack-exchange posts with scripts that throw errors
in modern ssh-agent, hordes of contradictory blog posts, and
worse. This is fundamental stuff for terminal work, guys! We can
do better. The knowledge is in our circle, lets share it, okay?
In the meantime I did what I always do. I said "eff it, I'll roll
my own solution with a shell script". And I did! You can see it
over here [2] if you want. Here's the gist:
1) Every service gets its own ssh key. Period.
2) Every ssh key gets a password.
3) These passwords are not all the same thing.
4) Simple script to enable/disable the keys when I need them
without having to memorize all the passwords.
[2] lssh
What I wrote is a wrapper around Lastpass, the password manager
I use. Lastpass has a cli tool called lpass which is great.
I added entries in Lastpass for each of my ssh keys' passwords,
placed them into a sync folder using Spideroak (my preferred
secure sync solution) and made an easy shell wrapper to activate
whichever one I need. The activated key goes into ssh-agent. I can
easily clear ssh-agent with ssh-add -D, so that didn't need any
special wrapping (though I may add a quick switch to my script
anyway for that purpose). It's all very basic stuff, again, but it
works well and brings me closer to "safe" for my threat level.
I'd like to clean the script up more and put some bells & whistles
on it, but that will come with time.
Next week it's back to the grindstone at work, but after Friday
I have a week off. My mother-in-law is in town and there's some
things I really need to focus on for the move, though, so this
break probably won't mean great investments of time into tildes or
even writing on Cosmic Voyage. There's a couple more months of
this ahead, and then craziness once we arrive in Iceland.
Hopefully I'll be slowing down a notch or two mid-August. :)
You are viewing proxied material from sdf.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.