
I'd like to keep an SSH key on a USB stick rather than storing it locally on every machine I want to use the key on. The theory is that this is "more secure" for laptops that could be stolen or lost, or used by others (i.e. at work).

The problem is that when I run "ssh-add /media/stick/my_dsa" ssh refuses to use the key because the security permissions are too liberal. As you can probably guess, this is because the USB key is formatted as vfat and I'm trying to use the key on a Unix system - the problem was actually encountered on a Mac laptop, I'm assuming the behaviour would be the same with a Linux machine - even if it's not, I need a solution for the Mac. vfat doesn't support per-user permissions, and so the stick is mounted such that all files have 777 perms.

I did some research which told me there's no way to tell ssh to ignore the perms error. I've seen a variety of solutions for this, but none are simple. I don't want to make a local copy of the key every time I have to add it. I don't want to have a separate ext4 partition on the key - not only is that awkward, but the ownership of the key is going to be a problem given that the UID of my user on the Mac won't be the same as it is on Linux machines (and may not even be the same on all my Linux machines, although I've tried to make that so). Has anyone found an elegant/simple solution for this?

--
Giles
http://www.gilesorr.com/
gilesorr@gmail.com

It has been a little while since I had my key on my USB thumbdrive, but if I recall correctly I had to copy it there manually, because SSH doesn't trust it. Once it is in place though, I was able to use it without difficulty, even though the permissions were too loose. To be fair, I was using the key with PuTTY on Windows, not on a UNIX box, so that might be a problem.

Have a "pre" script that:

1. makes a secure RAM disk
2. copies the file to the RAM disk
3. then points ssh at it.

David
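The three steps David lists, sketched as a shell script (an added example, not code from the thread). It assumes Linux's /dev/shm as the RAM-backed location and a running ssh-agent; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: stage a private key from a permissive (vfat) mount into a
# RAM-backed directory with owner-only permissions, then load it.

# Pick a RAM-backed base directory. /dev/shm is tmpfs on most Linux systems.
# The TMPDIR fallback is an assumption and may be disk-backed (macOS has no
# /dev/shm; a RAM disk there has to be created separately).
ram_base() {
    if [ -d /dev/shm ] && [ -w /dev/shm ]; then
        echo /dev/shm
    else
        echo "${TMPDIR:-/tmp}"
    fi
}

# stage_key SRC: copy SRC into a fresh 0700 directory as a 0600 file.
# Prints the staged path on success.
stage_key() {
    src=$1
    [ -f "$src" ] || { echo "no such key: $src" >&2; return 1; }
    old_umask=$(umask)
    umask 077        # nothing is created group- or world-accessible
    dir=$(mktemp -d "$(ram_base)/sshkey.XXXXXX") || { umask "$old_umask"; return 1; }
    cp "$src" "$dir/key" && chmod 600 "$dir/key"
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || { rm -rf "$dir"; return 1; }
    echo "$dir/key"
}

# load_key SRC [LIFETIME_SECONDS]: stage the key, hand it to ssh-agent with a
# lifetime, then delete the staged copy. The agent keeps the key in memory,
# so the file is not needed once ssh-add has returned.
load_key() {
    staged=$(stage_key "$1") || return 1
    ssh-add -t "${2:-3600}" "$staged"
    rc=$?
    rm -rf "$(dirname "$staged")"
    return "$rc"
}

# Constructed usage, with the path from the original post:
#   load_key /media/stick/my_dsa 3600
```

Because the staged copy is removed as soon as the agent holds the key, the stick can be unmounted and nothing readable is left on the laptop's disk.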

On 30 March 2015 at 11:31, James Knott <james.knott@rogers.com> wrote:
> On 03/30/2015 11:24 AM, Giles Orr wrote:
>> As you can probably guess, this is because the USB key is formatted as vfat
> Why not format the USB stick for something like ext2?
> Or perhaps symlink to the key?

I wouldn't expect symlinks to help; ssh goes to *some* efforts to get to the underlying file. I would be rather more inclined to format with ext2/ext3, which, while not portable to Windows, is pretty fine on Linux. (And probably more trustworthy. I'm never quite sure what gets committed to disk on VFAT...)

--
When confronted by a difficult problem, solve it by reducing it to the question, "How would the Lone Ranger handle this?"

On 03/30/2015 12:13 PM, Christopher Browne wrote:
> I would be rather more inclined to format with ext2/ext3, which, while not portable to Windows,

It is possible to add ext2/3 support to Windows. I don't know that ext3 would bring much benefit, as that data won't be written very often, so a journal FS isn't needed.

I like how TailsOS handles/stores ssh keys (and pretty much everything else the user uses). Basically they create an encrypted partition on a USB key and mount it to your $HOME/.ssh/ directory. The only issue with this is it will not be compatible with Windows and Mac.

Personally I have gone the every computer has their own SSH key so if I were to lose a computer I would just remove the ssh key from the authorized_keys file. I have a little script that automates the process of removing the keys for all my different computers and servers.

Have a disk image file on the vfat filesystem you can loopback mount? For bonus points it could be encrypted too.

--
Len Sorensen

Try mount option 'dmask=077' and 'fmask=277'.

--
William
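What those two masks do to the modes ssh sees, as an added example that is not from the thread. It assumes the Linux vfat driver; the function names, /dev/sdX1 and /media/stick are placeholders, and the uid=/gid= options are added here so the mounting user owns the files.

```shell
#!/bin/sh
# Added example (Linux vfat driver): effect of dmask/fmask on key permissions.

# effective_mode MASK: vfat stores no Unix permissions, so every file (fmask)
# or directory (dmask) is presented as 0777 with the mask bits cleared.
effective_mode() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# mode_ok_for_ssh MODE: ssh refuses a private key with any group or other
# permission bit set, i.e. when (mode & 077) != 0.
mode_ok_for_ssh() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# check_masks FMASK DMASK: report the resulting modes and whether a key file
# on such a mount passes the permission check.
check_masks() {
    f=$(effective_mode "$1")
    d=$(effective_mode "$2")
    if mode_ok_for_ssh "$f"; then verdict=accepted; else verdict=rejected; fi
    echo "files=$f dirs=$d key=$verdict"
}

# Constructed mount command. vfat stores no owner either, so uid=/gid= make
# the mounting user the owner of every file on the stick:
#   sudo mount -t vfat -o uid="$(id -u)",gid="$(id -g)",dmask=077,fmask=277 \
#        /dev/sdX1 /media/stick

check_masks 277 077   # the masks suggested above
check_masks 000 000   # the all-777 mount from the original post
```

With fmask=277 the key shows up as mode 500, readable only by the mounting user, which is also why the stick becomes effectively read-only for files while mounted this way.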

On 2015-03-30 11:24, Giles Orr wrote:
> I'd like to keep an SSH key on a USB stick rather than storing it locally on every machine I want to use the key on. The theory is that this is "more secure" for laptops that could be stolen or lost, or used by others (ie. at work).

At first I would use strong enough passwords for my keys to avoid simple re-use by third parties.

If you really need to use the same key on multiple platforms I would either

a) use separate partitions for Windows, Linux, Mac. Pros: native support for each platform. Cons: need to sync keys every time you change them.

b) use portable PuTTY installation for each of the platforms, just keep three binaries on a stick. Pros: mobile and independent. Cons: limited to a single app.

> The problem is that when I run "ssh-add /media/stick/my_dsa"

DSA? I'd consider switching to RSA at least or ECDSA family.

--
Tim
participants (9)

- Christopher Browne
- David Thornton
- Giles Orr
- James Knott
- Lennart Sorensen
- Myles Braithwaite
- Tim Sattarov
- William Park
- William Witteman