[Cialug] ssh-agent and multiple keys

Jeff Chapin chapinjeff at gmail.com
Fri May 16 18:22:10 CDT 2008


Zachary Kotlarek wrote:
>
> On May 16, 2008, at 5:04 PM, Jeff Chapin wrote:
>
>> I am looking to use ssh-agent with a large number of hosts, with one 
>> key per host.
>
> I agree, the default ssh-agent behavior is sometimes undesirable. It's 
> particularly annoying when you've set up an automated connection to use 
> a specific key using the config file or -i, but the agent key is 
> accepted first when you're testing interactively.
>
> But I'm a little confused as to what you're trying to do. If you're 
> going to keep all your keys in the same place, and simultaneously 
> decrypted, why do you need so many keys? The only reason that comes to 
> my mind for having more than one key per role is to protect other 
> hosts when one is compromised, but if all your keys are available at 
> the same time in the same place an attacker could presumably steal the 
> lot of them as easily as a single key. What am I missing?
>
>     Zach
In the long run, I am hoping to set it up so that when I first ssh to a 
host for the day, the key for that host is unlocked and added to my 
ssh-agent, with an expiration of, say, 6:00pm. That way, I can work with 
unlocked keys per-host for the day, and they get re-locked each night 
(or after an hour, whatever I end up deciding). I ultimately do not 
plan on unlocking them all at once. To add to the fun, I am storing my 
keys on a removable, TrueCrypt protected USB drive -- unlocking them and 
adding them to ssh-agent allows me to unplug and keep the keys in a 
non-network accessible location. Moving forward, I am considering 
separating out my testing, staging and personal keys from the production 
keys, and putting them on a separate USB drive and locking it up.

This would limit the exposure as the least amount of access will be 
unlocked at any given time.

Call me paranoid, but it's more along the lines of: what was once an idle 
thought, expected to be a simple shell script, has jumped in 
complexity and become a learning opportunity.

Or as my coworkers would say: I'm futzing.
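One way to do what the message above describes (unlock a host's key on first use and have the agent forget it at a fixed hour) is an ssh wrapper script. This is an added example, not something from the thread or from OpenSSH; it assumes one private key per host stored as `$KEYDIR/<hostname>` with its `.pub` alongside (for instance on the mounted USB volume), and that the destination host is the first argument to ssh.

```shell
#!/bin/sh
# Wrapper around ssh: load the per-host key into ssh-agent on first use,
# with a lifetime that expires at a fixed hour (18:00 local time by default).
# Assumed layout (not from the original message): $KEYDIR/<host> is the
# private key and $KEYDIR/<host>.pub its public half.

KEYDIR="${KEYDIR:-$HOME/.ssh/keys}"
UNLOCK_UNTIL_HOUR="${UNLOCK_UNTIL_HOUR:-18}"    # 24h clock, local time
FALLBACK_LIFETIME=3600                          # seconds, used once past that hour

# dec NUM: strip one leading zero so "08" from date(1) is not read as octal.
dec() {
    v=${1#0}
    echo "${v:-0}"
}

# seconds_until_hour TARGET_HOUR NOW_H NOW_M NOW_S
# Pure arithmetic, so it can be checked without a running agent.
seconds_until_hour() {
    target=$(( $(dec "$1") * 3600 ))
    now=$(( $(dec "$2") * 3600 + $(dec "$3") * 60 + $(dec "$4") ))
    remaining=$(( target - now ))
    if [ "$remaining" -le 0 ]; then
        remaining=$FALLBACK_LIFETIME
    fi
    echo "$remaining"
}

# key_loaded KEYFILE: succeed if the agent already holds this key.
# ssh-keygen -lf prints "<bits> <fingerprint> <comment> (<type>)"; the
# fingerprint field is compared with those listed by ssh-add -l.
key_loaded() {
    fp=$(ssh-keygen -lf "$1.pub" 2>/dev/null | awk '{print $2}')
    [ -n "$fp" ] && ssh-add -l 2>/dev/null | awk '{print $2}' | grep -qxF "$fp"
}

# ensure_key HOST: add the host's key with a lifetime unless it is loaded.
# ssh-add prompts for the passphrase; once loaded, the USB volume can go.
ensure_key() {
    keyfile="$KEYDIR/$1"
    [ -r "$keyfile" ] || return 0       # no per-host key: let ssh use its defaults
    key_loaded "$keyfile" && return 0
    set -- $(date +'%H %M %S')
    ttl=$(seconds_until_hour "$UNLOCK_UNTIL_HOUR" "$1" "$2" "$3")
    ssh-add -t "$ttl" "$keyfile"
}

main() {
    host=${1##*@}                       # first argument is the destination (simplification)
    ensure_key "$host"
    exec ssh "$@"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Pair this with a `Host` block in `~/.ssh/config` that sets `IdentityFile` to the same per-host key and `IdentitiesOnly yes`, so the agent only offers the key meant for that host rather than every loaded key in turn, which is the interactive annoyance Zach describes. Once `ssh-add -t` has accepted the passphrase, the key lives only in the agent's memory until the lifetime runs out, so the drive holding the encrypted file can be unplugged.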
