Re: removing ssh access in an emergency

Ian Malone wrote:
> This occurred to me this morning:
> 
> I log into my home machine remotely using an ssh
> authorised key which I keep on a USB stick.  In the
> event it was lost or stolen it's pretty unlikely anyone
> would use it to try to break into my machine, but
> ideally you would want a remote way to disable the key.
> Has anyone thought about this?
> 
> My first thought was a user account with password
> authentication that instead of a login shell would run a
> program which deleted the authorized_keys file in
> question.  Is this open to exploitation? (other than
> running the risk that someone cracks the password
> and prevents me logging in)
> 
Well, if you have a good pass phrase on the private key on the USB
stick, it will take them a while to break it and be able to use the
key. This should give you more than enough time to remove the public
key of the key pair from the authorized key file on the machines in
question. If you have either a second authorized key for that
account, or another account with a different authorized key, you can
use that to remove the first key. Just make sure that you do not
keep both private keys on the same media, or stored together in a
way that would result in someone getting both keys at the same time.
It is also a good idea to use a different pass phrase for each key.

Please keep in mind that the key has a pass phrase, and not a
password. This means you can use more than one word to protect the
key. For example, if I wanted to, I could use "Do not meddle in the
affairs of dragons" as a pass phrase to protect a key. Unless
someone knows my usual signature, they would have a hard time
guessing it. (Not that I would use that pass phrase, but it gives
you an idea of the type of thing you can use.) While a random
combination of letters, numbers, and spaces would give you a better
pass phrase, it would be hard to remember, and more likely to be
written down. So pick something you can remember, but would not
normally be associated with you.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
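
Added example, not part of the original message: one way to carry out the removal described above, run from a session authenticated with the second key. The function names, file names and sample key strings are assumptions made for illustration; the key material in `demo` is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): revoke one SSH public key by
# removing its line from an authorized_keys file. File names are assumptions.
# usage: revoke_key ~/.ssh/authorized_keys lost_usb_key.pub

# key_blob FILE: print the base64 key blob from an OpenSSH .pub file.
# Public key blobs start with "AAAA" (a 4-byte length prefix), so this finds
# the blob even when options or a key type precede it.
key_blob() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; exit } }' "$1"
}

# revoke_key AUTH_KEYS PUBFILE
# Returns 0 if the key was removed, 1 if it was not listed, 2 on error.
revoke_key() {
    auth=$1
    blob=$(key_blob "$2")
    [ -n "$blob" ] || { echo "no key blob found in $2" >&2; return 2; }
    tmp=$(mktemp "$auth.XXXXXX") || return 2
    # Keep only lines that do not carry the blob as a whole field; matching
    # the blob (not the comment) still works if the comment was edited.
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' \
        "$auth" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$auth" "$tmp"; then
        rm -f "$tmp"
        echo "key not present in $auth" >&2
        return 1
    fi
    chmod 600 "$tmp"     # keep it private; StrictModes rejects writable-by-others
    cp -p "$auth" "$auth.bak" || { rm -f "$tmp"; return 2; }
    mv "$tmp" "$auth"    # rename, so sshd never reads a half-written file
}

# demo DIR: build constructed sample files (fake key material) and revoke one.
demo() {
    lost="AAAAC3NzaC1lZDI1NTE5AAAAIConstructedLostUsbKey0000000000000000000000"
    keep="AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSpareKey00000000000000000000000"
    printf 'ssh-ed25519 %s usb-stick\nfrom="192.0.2.10" ssh-ed25519 %s spare\n' \
        "$lost" "$keep" > "$1/authorized_keys"
    printf 'ssh-ed25519 %s usb-stick\n' "$lost" > "$1/lost.pub"
    revoke_key "$1/authorized_keys" "$1/lost.pub"
}
```

Removing the line stops new logins with that key; sessions that are already open stay open until they are closed.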

