removing ssh access in an emergency
Ian Malone
ibmalone at gmail.com
Wed Aug 30 22:06:51 UTC 2006
Mikkel L. Ellertson wrote:
> Ian Malone wrote:
>> This occurred to me this morning:
>>
>> I log into my home machine remotely using an ssh
>> authorised key which I keep on a USB stick. In the
>> event it was lost or stolen it's pretty unlikely anyone
>> would use it to try to break into my machine, but
>> ideally you would want a remote way to disable the key.
>> Has anyone thought about this?
>>
>> My first thought was a user account with password
>> authentication that instead of a login shell would run a
>> program which deleted the authorized_keys file in
>> question. Is this open to exploitation? (other than
>> running the risk that someone cracks the password
>> and prevents me logging in)
>>
> Well, if you have a good pass phrase on the private key on the USB
> stick, it will take them a while to break it and be able to use the
> key. This should give you more than enough time to remove the public
> key of the key pair from the authorized key file on the machines in
> question. If you have either a second authorized key for that
> account, or another account with a different authorized key, you can
> use that to remove the first key. Just make sure that you do not
> keep both private keys on the same media, or stored together in a
> way that would result in someone getting both keys at the same time.
> It is also a good idea to use a different pass phrase for each key.
>
To be honest, what I would actually do is just generate a new key
when I got home and I tend to use seemingly random long alpha-numeric
mixed case strings with punctuation as passwords. I was wondering
if there was a neater solution than using another key.
--
imalone
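
An added example, not part of the original message or thread: a sketch of the revocation step discussed above, removing only the lost key's entry from authorized_keys rather than deleting the whole file. The helper name `revoke_key`, the demo paths and the key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: drop one public key from an authorized_keys file.
# revoke_key is a hypothetical helper name, not an OpenSSH tool.
# Returns 0 if an entry was removed, 1 if the key was absent, 2 on error.
revoke_key() {
    auth_file=$1    # e.g. ~/.ssh/authorized_keys
    pub_file=$2     # public half (.pub) of the lost key pair

    # A .pub file is "type base64-blob [comment]"; the blob identifies the key.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pub_file")
    [ -n "$blob" ] || { echo "no key found in $pub_file" >&2; return 2; }

    # Build the filtered copy beside the original so the final mv is a rename.
    tmp=$(mktemp "$auth_file.XXXXXX") || return 2
    # Compare the blob against whole fields so entries with leading options
    # (command="...", from="...") match too; comments and blanks pass through.
    awk -v blob="$blob" '
        /^[[:space:]]*#/ { print; next }
        { for (i = 1; i <= NF; i++) if ($i == blob) next; print }
    ' "$auth_file" > "$tmp" || { rm -f "$tmp"; return 2; }

    if cmp -s "$auth_file" "$tmp"; then
        rm -f "$tmp"        # nothing matched, leave the file untouched
        return 1
    fi
    chmod 600 "$tmp"        # keep the file private to its owner
    cp -p "$auth_file" "$auth_file.bak" && mv "$tmp" "$auth_file" ||
        { rm -f "$tmp"; return 2; }
}

# Constructed demo data (placeholder strings, not real keys).
demo=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3LOSTKEYconstructed usb-stick' > "$demo/lost.pub"
printf '%s\n' \
    '# home machine' \
    'command="/usr/bin/uptime" ssh-ed25519 AAAAC3LOSTKEYconstructed usb-stick' \
    'ssh-ed25519 AAAAC3SPAREKEYconstructed spare' > "$demo/authorized_keys"

revoke_key "$demo/authorized_keys" "$demo/lost.pub" && echo "lost key revoked"
cat "$demo/authorized_keys"
```

Run it from a session authenticated with the second key, as the reply suggests, so the current login does not depend on the entry being removed.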