Ian Malone wrote:
> This occurred to me this morning:
>
> I log into my home machine remotely using an ssh
> authorised key which I keep on a USB stick. In the
> event it was lost or stolen it's pretty unlikely anyone
> would use it to try to break into my machine, but
> ideally you would want a remote way to disable the key.
> Has anyone thought about this?
>
> My first thought was a user account with password
> authentication that instead of a login shell would run a
> program which deleted the authorized_keys file in
> question. Is this open to exploitation? (other than
> running the risk that someone cracks the password
> and prevents me logging in)
>

Well, if you have a good pass phrase on the private key on the USB stick, it will take them a while to break it and be able to use the key. This should give you more than enough time to remove the public key of the key pair from the authorized key file on the machines in question.

If you have either a second authorized key for that account, or another account with a different authorized key, you can use that to remove the first key. Just make sure that you do not keep both private keys on the same media, or stored together in a way that would result in someone getting both keys at the same time. It is also a good idea to use a different pass phrase for each key.

Please keep in mind that the key has a pass phrase, and not a password. This means you can use more than one word to protect the key. For example, if I wanted to, I could use "Do not meddle in the affairs of dragons" as a pass phrase to protect a key. Unless someone knows my usual signature, they would have a hard time guessing it. (Not that I would use that pass phrase, but it gives you an idea of the type of thing you can use.) While a random combination of letters, numbers, and spaces would give you a better pass phrase, it would be hard to remember, and more likely to be written down. So pick something you can remember, but would not normally be associated with you.

Mikkel
--
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
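
One way to carry out the removal described in the reply, as an added example that is not part of the original message: a shell function (the name `revoke_key` and its arguments are assumptions) that deletes a single public key from an `authorized_keys` file by matching its base64 blob, so the second key mentioned above stays in place.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Usage: revoke_key AUTHORIZED_KEYS_FILE LOST_KEY.pub
# Returns 0 if an entry was removed, 1 if the key was not present,
# 2 on a usage or I/O error.
revoke_key() {
    auth_file=$1
    pub_file=$2
    [ -f "$auth_file" ] && [ -f "$pub_file" ] || return 2

    # A .pub file is "<type> <base64-blob> [comment]"; the blob identifies
    # the key regardless of the comment or of options in authorized_keys.
    blob=$(awk 'NF >= 2 && $1 !~ /^#/ { print $2; exit }' "$pub_file")
    [ -n "$blob" ] || return 2

    # Temp file in the same directory, so the final mv is an atomic rename.
    # mktemp creates it with mode 0600, which suits authorized_keys.
    tmp=$(mktemp "${auth_file}.XXXXXX") || return 2

    # Keep comment lines; drop every entry in which the blob appears as a
    # whole field. Entries may carry options (from=, command=) before the
    # key type, so every field is checked, not just the second one.
    awk -v blob="$blob" '
        /^[ \t]*#/ { print; next }
        { for (i = 1; i <= NF; i++) if ($i == blob) next; print }
    ' "$auth_file" > "$tmp" || { rm -f "$tmp"; return 2; }

    # Nothing changed means the key was not authorized in this file.
    if cmp -s "$auth_file" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$auth_file"
}
```

Run it over a session authenticated with the other key, once per account and machine that trusted the lost one.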