Re: removing ssh access in an emergency


Ian Malone wrote:
> This occurred to me this morning:
> 
> I log into my home machine remotely using an ssh
> authorised key which I keep on a USB stick.  In the
> event it was lost or stolen it's pretty unlikely anyone
> would use it to try to break into my machine, but
> ideally you would want a remote way to disable the key.
> Has anyone thought about this?
> 
> My first thought was a user account with password
> authentication that instead of a login shell would run a
> program which deleted the authorized_keys file in
> question.  Is this open to exploitation? (other than
> running the risk that someone cracks the password
> and prevents me logging in)
> 
Well, if you have a good pass phrase on the private key on the USB
stick, it will take them a while to break it and be able to use the
key. This should give you more than enough time to remove the public
key of the key pair from the authorized key file on the machines in
question. If you have either a second authorized key for that
account, or another account with a different authorized key, you can
use that to remove the first key. Just make sure that you do not
keep both private keys on the same media, or stored together in a
way that would result in someone getting both keys at the same time.
It is also a good idea to use a different pass phrase for each key.

Please keep in mind that the key has a pass phrase, and not a
password. This means you can use more than one word to protect the
key. For example, if I wanted to, I could use "Do not meddle in the
affairs of dragons" as a pass phrase to protect a key. Unless
someone knows my usual signature, they would have a hard time
guessing it. (Not that I would use that pass phrase, but it gives
you an idea of the type of thing you can use.) While a random
combination of letters, numbers, and spaces would give you a better
pass phrase, it would be hard to remember, and more likely to be
written down. So pick something you can remember, but would not
normally be associated with you.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
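
As an added example (not part of Mikkel's reply or Ian's question): a small POSIX shell function that performs the removal Mikkel describes, run after logging in with the second, separately stored key. It deletes the lost key's line from authorized_keys, refuses to remove the last remaining key so the revocation itself cannot lock you out, and replaces the file atomically so sshd never reads a half-written file. The file path, the key comment `ian@usb-stick` and the key blobs in the test are constructed.

```shell
#!/bin/sh
# Remove one public key from an authorized_keys file without locking
# yourself out. Matching is a fixed-string match (grep -F) against the
# key's base64 blob or its trailing comment; pass the blob when comments
# might collide.
# Usage: revoke_authorized_key <authorized_keys> <fixed-string-to-match>
revoke_authorized_key() {
    file=$1
    pattern=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Lines that would be removed.
    matched=$(grep -c -F -- "$pattern" "$file" || true)
    if [ "$matched" -eq 0 ]; then
        echo "no key matching '$pattern' in $file" >&2
        return 3
    fi

    # Usable key lines that would remain (blank and '#' lines do not count).
    remaining=$(grep -v -F -- "$pattern" "$file" \
        | grep -c -E '^[[:space:]]*[^#[:space:]]' || true)
    if [ "$remaining" -eq 0 ]; then
        echo "refusing: removal would leave no usable key in $file" >&2
        return 4
    fi

    # Write the filtered copy with owner-only permissions (umask in a
    # subshell so the caller's umask is untouched), then rename it over
    # the original in one step. The .bak copy is not read by sshd.
    tmp="$file.tmp.$$"
    ( umask 077; grep -v -F -- "$pattern" "$file" > "$tmp" ) \
        || { rm -f "$tmp"; return 5; }
    cp -p "$file" "$file.bak" 2>/dev/null
    mv "$tmp" "$file"
    echo "removed $matched line(s) matching '$pattern' from $file"
    return 0
}
```

Run it as `revoke_authorized_key ~/.ssh/authorized_keys 'ian@usb-stick'` from the session opened with the surviving key; a non-zero exit means nothing was changed.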

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list