IRSYNC & SSH Keys

Ryan M (@fak3r) just posted a great writeup on a new product he’s written called “IRSYNC” (https://www.rfxn.com/projects/irsync-incremental-rsync/). It’s a totally dope looking project and I look forward to implementing it. In his latest blog post (https://www.rfxn.com/irsync-limiting-passwordless-ssh-keys/), he advocates for limiting passwordless SSH keys. I’ll take that one step further and say that they should be avoided completely. For anyone who hasn’t attended one of my “Advanced SSH” sessions here at HacDC, there are a lot of great utilities shipped with OpenSSH that are designed to make your life as easy as possible. I’ll cover a few of them quickly….

ssh-copy-id

This utility exists to propagate your public keys in a secure way (potentially even setting up the infrastructure for you). This is a quick hit blog post, so read the man page and start using this utility you probably didn’t know existed.

ssh-agent

This utility keeps your (unlocked) private key in resident memory so that it can be automagically used for accessing remote machines. Best part? You still have to enter a password to initially unlock the key, but after that you can set an expiration (4 hours? 8 hours? lifetime for daemons?). Think of it like a password on your X.509 certs (you DON’T remove those just so Apache will load properly… right?). You have something similar to mod_nss which secures the whole system and raises the bar a little bit. Lazy and STILL don’t want to enter a password? Use GNOME on Linux & set the password on your key to the same as your system password. GNOME will contact Seahorse and attempt to unlock your key and load it into ssh-agent all in one go.
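To find the keys that still have no passphrase before moving them behind ssh-agent, here is an added example (not from the original post or from IRSYNC) that inspects private key files and reports whether each one is encrypted. The function names `key_protection` and `audit_ssh_keys` are made up for this example, and it reads only the key file headers, so it never needs a passphrase.

```shell
#!/bin/sh
# Added example: report which private keys in a directory have no passphrase.

# key_protection FILE -> prints "encrypted", "unencrypted" or "unknown"
key_protection() {
    f=$1
    first=$(head -n 1 "$f" 2>/dev/null) || first=
    case $first in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # openssh-key-v1 body: 15-byte magic "openssh-key-v1\0", then a
        # uint32 length and the cipher name. Cipher "none" = no passphrase.
        hex=$(grep -v '^-----' "$f" | tr -d '\r\n' | base64 -d 2>/dev/null |
              dd bs=1 skip=15 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n')
        case $hex in
        000000046e6f6e65) echo unencrypted ;;   # length 4, "none"
        ????????????????) echo encrypted ;;     # any other cipher name
        *) echo unknown ;;                      # truncated or damaged file
        esac ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")    # PKCS#8, encrypted
        echo encrypted ;;
    "-----BEGIN PRIVATE KEY-----")              # PKCS#8, plaintext
        echo unencrypted ;;
    "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----")
        # Legacy PEM: an encrypted key carries a Proc-Type header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo encrypted
        else
            echo unencrypted
        fi ;;
    *) echo unknown ;;                          # public key, config, etc.
    esac
}

# audit_ssh_keys [DIR] -> one "state<TAB>path" line per private key found
audit_ssh_keys() {
    dir=${1:-$HOME/.ssh}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        state=$(key_protection "$f")
        [ "$state" = unknown ] || printf '%s\t%s\n' "$state" "$f"
    done
}

audit_ssh_keys "$@"
```

Any key reported as unencrypted can be given a passphrase with `ssh-keygen -p -f <keyfile>` and then loaded into the agent with a lifetime, for example `ssh-add -t 4h <keyfile>`.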

Some of this not making sense? Join us in IRC: #hacdc on freenode and ask away!