
Giles Orr wrote:
I'd like to keep an SSH key on a USB stick rather than storing it locally on every machine I want to use the key on. The theory is that this is "more secure" for laptops that could be stolen or lost, or used by others (i.e. at work). The problem is that when I run "ssh-add /media/stick/my_dsa" ssh refuses to use the key because the security permissions are too liberal. As you can probably guess, this is because the USB key is formatted as vfat and I'm trying to use the key on a Unix system - the problem was actually encountered on a Mac laptop; I'm assuming the behaviour would be the same with a Linux machine - even if it's not, I need a solution for the Mac. vfat doesn't support per-user permissions, and so the stick is mounted such that all files have 777 perms.
I did some research which told me there's no way to tell ssh to ignore the perms error. I've seen a variety of solutions for this, but none are simple. I don't want to make a local copy of the key every time I have to add it. I don't want to have a separate ext4 partition on the key - not only is that awkward, but the ownership of the key is going to be a problem given that the UID of my user on the Mac won't be the same as it is on Linux machines (and may not even be the same on all my Linux machines, although I've tried to make that so). Has anyone found an elegant/simple solution for this?
I like how TailsOS handles/stores ssh keys (and pretty much everything else the user uses). Basically they create an encrypted partition on a USB key and mount it to your $HOME/.ssh/ directory. The only issue with this is that it will not be compatible with Windows and Mac. Personally I have gone the "every computer has its own SSH key" route, so if I were to lose a computer I would just remove the ssh key from the authorized_keys file. I have a little script that automates the process of removing the keys for all my different computers and servers.
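The per-machine-key approach in the reply above depends on being able to revoke one machine's key quickly and reliably. The following is an added example, not the poster's own script: a POSIX sh function that strips a given public key from an authorized_keys file by matching the key type and base64 blob rather than the comment (so entries carrying options or a different comment are caught too), and rewrites the file atomically with 0600 permissions. The file path and the key material are assumptions supplied by the caller.

```shell
#!/bin/sh
# Constructed example: revoke a lost machine's public key from an
# authorized_keys file. Matching is on key type + base64 blob, because the
# comment field is free text and may differ between copies of the same key.
set -eu

# revoke_key AUTHORIZED_KEYS_FILE PUBKEY_LINE
#   PUBKEY_LINE is the content of a .pub file: "<type> <blob> [comment]".
#   Every entry whose type and blob match is removed, including entries with
#   leading options such as  command="..." ssh-ed25519 AAAA...
revoke_key() {
    authkeys=$1
    pubkey=$2
    kt=$(printf '%s\n' "$pubkey" | awk '{print $1}')   # key type
    kb=$(printf '%s\n' "$pubkey" | awk '{print $2}')   # base64 blob
    if [ -z "$kt" ] || [ -z "$kb" ]; then
        echo "revoke_key: malformed public key line" >&2
        return 1
    fi
    # Write to a temp file in the same directory so the final mv is atomic.
    tmp=$(mktemp "${authkeys}.XXXXXX")
    awk -v kt="$kt" -v kb="$kb" '
        {
            keep = 1
            # type and blob are always adjacent fields, wherever options end
            for (i = 1; i < NF; i++)
                if ($i == kt && $(i + 1) == kb) { keep = 0; break }
            if (keep) print
        }' "$authkeys" > "$tmp"
    chmod 600 "$tmp"        # sshd rejects authorized_keys with loose perms too
    mv "$tmp" "$authkeys"
}
```

To apply it across servers, run the function on each host (for example via ssh with the lost machine's .pub contents as the argument) and then confirm the key is gone with grep.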