Some notes from migrating towards encrypted SSH keys
I'll start with the admission: up until now I've used unencrypted SSH keys on my home and office workstations, ultimately because I didn't think that doing so made the risks particularly worse than using encrypted keys and it's undeniably more convenient. For hand-waving reasons I've recently decided to experiment with encrypted keys on at least my home machine so this is a collection of early notes on the process.
The most important part of making encrypted SSH keys convenient is to be running ssh-agent. Normal people will have this done automatically as part of their X session because GDM or xdm or the KDE equivalent sets all of this up for you. I'm the kind of crazy person who starts their X session by hand so I had to add a magic incantation to start it in the right way. On Fedora 20 and in my case this is:
```sh
xinit /usr/bin/ssh-agent /bin/env TMPDIR=$TMPDIR \
    /usr/bin/dbus-launch --exit-with-session \
    $HOME/.xinitrc -- <server args>
```
(This comes from /etc/X11/xdm/xinit/xinitrc-common. I assume the TMPDIR bit is necessary because ssh-agent normally changes $TMPDIR in the environment it passes to anything it starts.)
If you have an existing unencrypted SSH key (as I did) you encrypt it with 'ssh-keygen -p'. This prompts for everything and is smart enough to recognize that your key is unencrypted. Note that you don't encrypt the public key, just the private key.
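Once you have gone through this on a few machines it is worth being able to check which private keys are actually encrypted rather than trusting memory. The following is an added example (not from the original entry) that inspects a private key file's text and classifies it: for the modern 'openssh-key-v1' container it decodes the base64 blob and reads the cipher and KDF names from the header (both are the literal string "none" for an unencrypted key), and for legacy PEM keys it looks for the 'Proc-Type: 4,ENCRYPTED' header. The 'make_openssh_blob' helper builds a constructed, header-only blob for demonstration; it is not a real key, and 'audit_directory' is a hypothetical wrapper for scanning a directory such as ~/.ssh.

```python
import base64
import os
import struct

# Magic string at the start of the decoded 'openssh-key-v1' private key container.
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, offset: int) -> tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length prefix) from buf."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset:offset + length], offset + length


def key_encryption(pem_text: str) -> str:
    """Classify private key text as 'encrypted', 'unencrypted' or 'unknown'."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    header = lines[0]

    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        # Header layout: magic, string ciphername, string kdfname, string kdfoptions, ...
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        if cipher == b"none" and kdf == b"none":
            return "unencrypted"
        return "encrypted"

    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return "encrypted"
    if header == "-----BEGIN PRIVATE KEY-----":  # PKCS#8, plaintext
        return "unencrypted"

    if header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by 'Proc-Type: 4,ENCRYPTED'
        # in the header lines that precede the base64 body.
        for ln in lines[1:]:
            if ":" not in ln:
                break  # first non-header line ends the header section
            if ln.startswith("Proc-Type:") and "ENCRYPTED" in ln:
                return "encrypted"
        return "unencrypted"
    return "unknown"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string."""
    return struct.pack(">I", len(data)) + data


def make_openssh_blob(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: a minimal openssh-key-v1 header with the given cipher/KDF names.

    This carries no key material at all; it exists only to exercise key_encryption().
    """
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    blob += struct.pack(">I", 1)  # number of keys
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM samples; the bodies are filler, not real key material.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGRw==
-----END RSA PRIVATE KEY-----
"""

LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGRw==
-----END RSA PRIVATE KEY-----
"""


def audit_directory(directory: str) -> dict[str, str]:
    """Hypothetical helper: classify every file in directory that looks like a private key."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="ascii", errors="strict") as fh:
                text = fh.read()
        except (OSError, UnicodeDecodeError):
            continue
        if "PRIVATE KEY-----" in text.splitlines()[0] if text else False:
            results[name] = key_encryption(text)
    return results


if __name__ == "__main__":
    for fname, state in audit_directory(os.path.expanduser("~/.ssh")).items():
        print(f"{fname}: {state}")
```

Run it as a script and it reports the state of each private key in ~/.ssh; a report of "unencrypted" for a key you believed you had converted with 'ssh-keygen -p' is the thing to look for.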
Loading keys into your running ssh-agent is done with ssh-add. On Fedora 20, if you have the openssh-askpass package installed ssh-add will automatically use the graphical frontend from it when needed without you having to set $SSH_ASKPASS, which is somewhat contrary to the manpage. This behavior may also happen for other graphical ssh-add password agents; I haven't tested. I invoke ssh-add early on in my .xinitrc (after I've started my window manager but before almost anything else) so that I have automatic SSH logins available for anything else I want to start.
(I've found that I want a cover script for ssh-add because I don't put my SSH keys in the default place. The cover script is just 'ssh-add /path/to/identity-rsa', more or less.)
I find it somewhat annoying that I have yet to find an ssh-add password agent that will accept an X -geometry argument or any equivalent of it. I don't want to have to place the password window; I want it to just appear in a fixed place so I can park my mouse there and type the password. If I decide I really care about this the solution is to run ssh-add in a disposable xterm because I can definitely place those. (Ie run 'xterm -geometry ... -e ssh-addkeys', where ssh-addkeys is my cover script. When ssh-add is run this way it just prompts on the terminal instead of popping up a graphical window for it.)
I lock my screen with the xlock from xlockmore. This offers a pretty convenient way to integrate with ssh-agent; you can run a command before the screen locks (ie 'ssh-add -D' to drop all keys) and then run a second command afterwards which gets fed the password you used to unlock the screen. If you use your regular password as your SSH key password, this can thus wind up re-adding your SSH keys to ssh-agent without any further input from you.
(Of course it would probably be more secure to use a separate password for your SSH keys, but then it would be less convenient and you might wind up locking your screen less (or not purging the keys from ssh-agent when you lock the screen). I've chosen to go with convenience here.)
This is getting long enough that I think I'm going to stop here for now. I have some remaining unsolved issues with encrypted keys but they'll go in a separate entry.
PS: users of more sophisticated desktop environments may have all of this integrated into their desktop's existing key management infrastructure so that everything unlocks on login without you having to do anything and screen locking is automatically handled and so on. This is certainly the way it should be and modern desktops do have general password stores.
Sidebar: a post-unlock script
According to the xlock manpage, a sample script for the post-unlock command argument comes with xlock. This script is not packaged in the Fedora 20 version and since I had to dig it out of some web searches, here it is for anyone else (without the original comments):
```perl
#!/usr/bin/perl -w
use strict;
use Expect;

# xlock feeds the password used to unlock the screen on standard input.
my $pass = <STDIN>;
chomp($pass);    # drop the trailing newline so we control the line ending we send

# Start the ssh-add cover script and drive its passphrase prompt.
my $exp = Expect->spawn('/u/cks/bin/X11/ssh-addkeys');
$exp->expect(10, ':');          # wait for the "Enter passphrase ...:" prompt
$exp->send("$pass\r\n");
$exp->expect(10, ':');          # wait for ssh-add's "Identity added: ..." line
$exp->hard_close;
```
On Fedora 20, you'll need the perl-Expect package. In general you'll need to change where it starts my ssh-addkeys script to something that runs ssh-add with whatever keys are appropriate. (It's kind of a pity that ssh-add can't do this by itself. All it would take is an argument to specify 'just read the key passphrase from standard input and be done with it'.)