Re: SSH key encryption when using FDE
Stuart Henderson wrote:
> On 2016-08-03, Hugo Osvaldo Barrera wrote:
> > Doesn't the fact that ssh-agent is running somehow make the keys
> > accessible anyway?
>
> If it's running and you haven't told it to forget the keys one
> way or another: yes.
>
> Some screen lockers allow you to run another program;
> one thing you can do is run "ssh-add -D" to kill the keys when
> you lock. Alternatively when you start ssh-agent you can use
> the -t flag to set the lifetime of the key; if you do this
> ssh-agent will expire added keys automatically after this
> timeout. (for the latter if you use xdm you'll need to edit
> Xsession).
>
> By itself this can be annoying as you normally have to run
> ssh-add to add the keys back in before you can use them. But
> if you use "AddKeysToAgent yes", ssh will prompt you for the
> key passphrase when it needs it (i.e. after the lock/timeout)
> and add them to the agent automatically. So it works rather
> like sudo's password timeout - very convenient, and it avoids
> the keys hanging around in your agent for longer than needed.

That is damn good advice!

Predrag
Re: SSH key encryption when using FDE
Nick Holland wrote:
> Now, I suspect (nb: I am not a cryptographer or SSH coder. But I sat at
> a table with one once, and was completely in awe) the key has to be held
> in unlocked form in RAM, so perhaps a very serious breach that allowed
> the raw access of system RAM might produce it...but would also produce a
> lot of other nifty things, and by that point, your system is so
> completely compromised, not much is trustworthy anymore.
>
> Nick.

I have actually seen step-by-step instructions for doing just that, but I
don't have the link around. You essentially need root permissions for
pulling that off.

Ssh-agent prevents an intruder from stealing the key material in any
useful form, but it does not prevent him from using the material that is
already kept by the agent - if he is able to send a query to your agent,
he will be able to use the keys even if he does not get to see them.

I encrypt my key materials even when I am using PFDE, I just don't think
the agent is something it is not.

--
OpenPGP Key Fingerprint: BB5A C2A2 2CAD ACB7 D50D C081 1DB9 6FC4 5AB7 92FA
Re: SSH key encryption when using FDE
On 2016-08-03, Hugo Osvaldo Barrera wrote:
> Doesn't the fact that ssh-agent is running somehow make the keys
> accessible anyway?

If it's running and you haven't told it to forget the keys one
way or another: yes.

Some screen lockers allow you to run another program;
one thing you can do is run "ssh-add -D" to kill the keys when
you lock. Alternatively when you start ssh-agent you can use
the -t flag to set the lifetime of the key; if you do this
ssh-agent will expire added keys automatically after this
timeout. (for the latter if you use xdm you'll need to edit
Xsession).

By itself this can be annoying as you normally have to run
ssh-add to add the keys back in before you can use them. But
if you use "AddKeysToAgent yes", ssh will prompt you for the
key passphrase when it needs it (i.e. after the lock/timeout)
and add them to the agent automatically. So it works rather
like sudo's password timeout - very convenient, and it avoids
the keys hanging around in your agent for longer than needed.
Re: SSH key encryption when using FDE
On 08/02/16 21:02, Hugo Osvaldo Barrera wrote:
> On Tue, Aug 2, 2016, at 22:01, Nick Holland wrote:
>> On 08/02/16 01:48, Remi Locherer wrote:
...
>>> It still makes sense to encrypt your ssh keys. Think of a bug in a
>>> browser that allows a server reading your files.
>>
>> right.
>>
>> Disk Encryption protects your key and other data when your computer is
>> OFF. And only when it is off. When your computer is active and the
>> file systems available, any attacker that manages to get into your
>> system through any means can see whatever they have access to. If
>> they grab your no-passphrase key, they now have your key. If they
>> grab your passphrased key...they got a jumble of funny characters.
>>
>> Nick.
>>
>
> Doesn't the fact that ssh-agent is running somehow make the keys
> accessible anyway? Or am I making misassumptions on how it works?

ssh-agent provides a way to USE keys, not expose keys. Remember, this
is public key cryptography, which has some nifty abilities to avoid
exposing private keys while still using them.

A key without a passphrase is protected by nothing other than file
permissions. Anything /you/ run or runs as you has the ability to read
your private key. ANYTHING. Your browser. Your mail client. That
obfuscated code block your friend just showed you. Your backup system.
Everyone else with doas access on your system.

From the man page:
"The agent will never send a private key over its request channel.
Instead, operations that require a private key will be performed by
the agent, and the result will be returned to the requester. This way,
private keys are not exposed to clients using the agent."

so ... there's no way to query the agent and get a passphrase-free
private key. Instead, things wishing to use the agent pose a query
(based on the public key) that can only be answered by something
holding the private key.

Now, I suspect (nb: I am not a cryptographer or SSH coder. But I sat at
a table with one once, and was completely in awe) the key has to be held
in unlocked form in RAM, so perhaps a very serious breach that allowed
the raw access of system RAM might produce it...but would also produce a
lot of other nifty things, and by that point, your system is so
completely compromised, not much is trustworthy anymore.

Nick.
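The "query based on the public key" that Nick describes, and the `ssh-add -D` / `-t` behaviour Stuart recommends, are both visible in the agent's wire protocol. The following is an added example, not code from the thread or from OpenSSH: a minimal Python client for the ssh-agent protocol as published in draft-miller-ssh-agent (the message-type numbers are the published ones; the key blob and comment used in the sample reply are constructed). It shows what a client can ask the agent for: the list of public halves, a signature over some data, or removal of all keys (what `ssh-add -D` sends), plus the per-key lifetime constraint that `ssh-add -t` attaches (the agent's own `-t` flag applies the same expiry as a default). There is no request type in the protocol that returns a private key, which is the point the man page makes; conversely, anyone who can reach the agent socket can request signatures, which is why the second poster's caveat and the lock/timeout advice matter.

```python
"""Minimal ssh-agent protocol client (draft-miller-ssh-agent), added as an
illustration.  The agent exposes list / sign / remove operations only;
no message type returns private key material."""
import os
import socket
import struct

# Message types from the ssh-agent protocol draft (the numbers OpenSSH uses).
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
SSH_AGENTC_REMOVE_ALL_IDENTITIES = 19   # what "ssh-add -D" sends
SSH_AGENT_CONSTRAIN_LIFETIME = 1        # constraint sent by "ssh-add -t"


def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    """Read one SSH 'string' at offset `off`; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def frame(payload: bytes) -> bytes:
    """Every agent message is length-prefixed on the wire."""
    return struct.pack(">I", len(payload)) + payload


def request_identities() -> bytes:
    """Client -> agent: list the keys you hold (public blobs only)."""
    return frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """Client -> agent: sign `data` with the key identified by its public
    blob.  The private key never crosses the socket; only the signature
    comes back in SSH_AGENT_SIGN_RESPONSE."""
    return frame(bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(key_blob)
                 + put_string(data) + struct.pack(">I", flags))


def remove_all_identities() -> bytes:
    """Client -> agent: forget every key (the "ssh-add -D" on lock idea)."""
    return frame(bytes([SSH_AGENTC_REMOVE_ALL_IDENTITIES]))


def lifetime_constraint(seconds: int) -> bytes:
    """Constraint appended to an add-identity request so the agent expires
    the key after `seconds`, as "ssh-add -t" does."""
    return bytes([SSH_AGENT_CONSTRAIN_LIFETIME]) + struct.pack(">I", seconds)


def identities_answer(keys) -> bytes:
    """Agent -> client encoding of SSH_AGENT_IDENTITIES_ANSWER: only public
    blobs and comments, never private material.  Used here to build a
    sample reply for the parser below."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        body += put_string(blob) + put_string(comment.encode())
    return body


def parse_identities_answer(payload: bytes):
    """Decode SSH_AGENT_IDENTITIES_ANSWER into [(key_blob, comment), ...]."""
    if payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected message type %d" % payload[0])
    (count,) = struct.unpack_from(">I", payload, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = get_string(payload, off)
        comment, off = get_string(payload, off)
        keys.append((blob, comment.decode()))
    return keys


def recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def agent_roundtrip(msg: bytes, sock_path=None) -> bytes:
    """Send one framed message to the agent on $SSH_AUTH_SOCK and return
    the reply payload (type byte first)."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK unset; no agent to talk to")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(msg)
        (n,) = struct.unpack(">I", recv_exact(s, 4))
        return recv_exact(s, n)


if __name__ == "__main__":
    # Against a live agent this prints the public halves it holds, which is
    # all a client can learn about the keys.
    for blob, comment in parse_identities_answer(agent_roundtrip(request_identities())):
        print("%d-byte public key blob, comment %r" % (len(blob), comment))
```

Running it with `SSH_AUTH_SOCK` pointing at a live agent lists the same entries `ssh-add -l` shows; after `ssh-add -D`, or once a `-t` lifetime has elapsed, the same query returns an empty list, and a `sign_request` for a removed key is answered with `SSH_AGENT_FAILURE`.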
Re: SSH key encryption when using FDE
On Tue, Aug 2, 2016, at 22:01, Nick Holland wrote:
> On 08/02/16 01:48, Remi Locherer wrote:
>> On Mon, Aug 01, 2016 at 07:10:21PM -0300, Hugo Osvaldo Barrera wrote:
>>> Hi,
>>>
>>> I've always used password-protected ssh keys, with ssh-agent, and in
>>> recent years, I've been using full disk encryption as well.
>>> I'm wondering if there's some redundancy here, and if using FDE
>>> nullifies the need for password-protecting the keys, or if there's some
>>> attack vector I'm not considering.
>>>
>>> Keep in mind that I am using ssh-agent, and unlock the keys usually as a
>>> first action after startup (I guess *not* using ssh-agent completely
>>> changes the scenario).
>>
>> It still makes sense to encrypt your ssh keys. Think of a bug in a
>> browser that allows a server reading your files.
>
> right.
>
> Disk Encryption protects your key and other data when your computer is
> OFF. And only when it is off. When your computer is active and the
> file systems available, any attacker that manages to get into your
> system through any means can see whatever they have access to. If
> they grab your no-passphrase key, they now have your key. If they
> grab your passphrased key...they got a jumble of funny characters.
>
> Nick.
>

Doesn't the fact that ssh-agent is running somehow make the keys
accessible anyway? Or am I making misassumptions on how it works?

--
Hugo Osvaldo Barrera
Re: SSH key encryption when using FDE
On 08/02/16 01:48, Remi Locherer wrote:
> On Mon, Aug 01, 2016 at 07:10:21PM -0300, Hugo Osvaldo Barrera wrote:
>> Hi,
>>
>> I've always used password-protected ssh keys, with ssh-agent, and in
>> recent years, I've been using full disk encryption as well.
>> I'm wondering if there's some redundancy here, and if using FDE
>> nullifies the need for password-protecting the keys, or if there's some
>> attack vector I'm not considering.
>>
>> Keep in mind that I am using ssh-agent, and unlock the keys usually as a
>> first action after startup (I guess *not* using ssh-agent completely
>> changes the scenario).
>
> It still makes sense to encrypt your ssh keys. Think of a bug in a browser
> that allows a server reading your files.

right.

Disk Encryption protects your key and other data when your computer is
OFF. And only when it is off. When your computer is active and the
file systems available, any attacker that manages to get into your
system through any means can see whatever they have access to. If they
grab your no-passphrase key, they now have your key. If they grab your
passphrased key...they got a jumble of funny characters.

Nick.
Re: SSH key encryption when using FDE
On Mon, Aug 01, 2016 at 07:10:21PM -0300, Hugo Osvaldo Barrera wrote:
> Hi,
>
> I've always used password-protected ssh keys, with ssh-agent, and in
> recent years, I've been using full disk encryption as well.
> I'm wondering if there's some redundancy here, and if using FDE
> nullifies the need for password-protecting the keys, or if there's some
> attack vector I'm not considering.
>
> Keep in mind that I am using ssh-agent, and unlock the keys usually as a
> first action after startup (I guess *not* using ssh-agent completely
> changes the scenario).

It still makes sense to encrypt your ssh keys. Think of a bug in a browser
that allows a server reading your files.

Remi