Mikkel L. Ellertson wrote:
Ian Malone wrote:
This occurred to me this morning:
I log into my home machine remotely using an ssh
authorised key which I keep on a USB stick. In the
event it was lost or stolen it's pretty unlikely anyone
would use it to try to break into my machine, but
ideally you would want a remote way to disable the key.
Has anyone thought about this?
My first thought was a user account with password
authentication that instead of a login shell would run a
program which deleted the authorized_keys file in
question. Is this open to exploitation? (other than
running the risk that someone cracks the password
and prevents me logging in)
Well, if you have a good pass phrase on the private key on the USB
stick, it will take them a while to break it and be able to use the
key. This should give you more than enough time to remove the public
key of the key pair from the authorized key file on the machines in
question. If you have either a second authorized key for that
account, or another account with a different authorized key, you can
use that to remove the first key. Just make sure that you do not
keep both private keys on the same media, or stored together in a
way that would result in someone getting both keys at the same time.
It is also a good idea to use a different pass phrase for each key.
To be honest, what I would actually do is just generate a new key
when I got home and I tend to use seemingly random long alpha-numeric
mixed case strings with punctuation as passwords. I was wondering
if there was a neater solution than using another key.
--
imalone
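As an added example (not from the thread, nor from either poster): a POSIX shell routine that removes a single public key from authorized_keys while leaving every other key intact, which is what you would want if the "revocation" account or the second key Mikkel describes is used to pull the USB-stick key. It assumes POSIX sh and awk; the sample file, key material and the forced-command path in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: revoke one public key from an
# authorized_keys file without touching the other entries. Assumes POSIX
# sh and awk. All key names and key material below are constructed.

# revoke_key FILE KEYMATERIAL
# Drops every line whose key field (the base64 blob after the key type)
# equals KEYMATERIAL. Prints the number of lines removed; exit status is
# 0 if at least one line was removed, 1 if none matched, 2 on I/O error.
revoke_key() {
    file=$1; target=$2; tmp="$file.tmp.$$"
    before=$(awk 'END { print NR }' "$file") || return 2
    # Compare the field after the key type, so leading options such as
    # command="..." or a trailing comment do not defeat the match.
    awk -v t="$target" '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)$/ && $(i+1) == t) next
        print
    }' "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    after=$(awk 'END { print NR }' "$tmp")
    chmod 600 "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 2; }
    removed=$((before - after))
    echo "$removed"
    [ "$removed" -gt 0 ]
}

# Constructed sample: the key kept on the USB stick, a second key on a
# laptop restricted to a forced command (hypothetical path), and a
# comment line that sshd ignores.
STICK_KEY='AAAAC3NzaC1lZDI1NTE5AAAAIFAKESTICKKEYMATERIAL0000000000000000000000'
LAPTOP_KEY='AAAAC3NzaC1lZDI1NTE5AAAAIFAKELAPTOPKEYMATERIAL000000000000000000000'
write_sample_authorized_keys() {
    printf '%s\n' \
        '# keys for ian@home (constructed sample)' \
        "ssh-ed25519 $STICK_KEY ian@usb-stick" \
        "command=\"/usr/local/bin/revoke-stick\" ssh-ed25519 $LAPTOP_KEY ian@laptop" \
        > "$1" && chmod 600 "$1"
}

# Run with "demo" as the first argument to see the routine in action.
if [ "${1-}" = "demo" ]; then
    write_sample_authorized_keys ./authorized_keys.sample
    revoke_key ./authorized_keys.sample "$STICK_KEY" && cat ./authorized_keys.sample
fi
```

Because the match is on the key material rather than the comment, renaming the comment field on the stolen key does not stop it being revoked, and the laptop key with its forced command survives.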
--
fedora-list mailing list