
How to use ssh keys on a USB drive UNIX
After reading this ssh security hint, and the various comments regarding using USB drives for storing private keys, it got me motivated to actually try it. Well, I also use Linux and Windows machines, and ran into a problem: Mac OS X will not use a private key on the VFAT file system. A USB drive formatted VFAT is recognized as having all files and folders with permissions set to 777 -- and ssh will only use keys set to 600 or similar. I also had to figure out how to set this up using a different volume.

My solution was to make two copies of my private key (well three, actually, as I use PuTTY on the PC and it requires a key in its own format): one on the drive itself, and one in a sparseimage on the drive. That way, Linux has access to the key on the VFAT partition, and I can mount the sparse image while I am at my Mac.

The next issue was how to get Mac OS X, or any unix, to use a key on a USB drive. It turns out that this is actually very easy. In a Terminal window, do the following:
$ cp /etc/ssh_config ~/.ssh/config
$ pico ~/.ssh/config
Now find this line:
# IdentityFile ~/.ssh/identity
Remove the # to uncomment it, and change the path to that of your key on the USB drive. Finish by logging out then back in. If everything is set up right, your public key authentication will not work without your USB drive and/or sparse image mounted. As soon as your drive is mounted, authentication works as expected.

I decided to go "whole hog" with this: the sparse image is encrypted, and my private key is DSA, generated with -b 2048, and has a long randomly generated passphrase. Obviously, one needs to be very careful about which Windows PC one puts this drive in. I have the luxury of being Admin of the PCs I have to deal with, and I went to great lengths to ensure I could very quickly cleanse them when necessary.

How to use ssh keys on a USB drive | 13 comments
How to use ssh keys on a USB drive
Authored by: Shawn Parr on Feb 23, '05 09:52:41AM
Remove the # to uncomment it, and change the path to that of your key on the USB drive

Oops, this should say:

and change the path to that of your key on the mounted sparse image.

If you reformat your USB flash drive to HFS then you can just put your keys on the USB drive, however it is obviously less effective for PCs. :)

---
Nothing, but lots of it
Shawn's Tech Articles

[ Reply to This | # ]

How to use ssh keys on a USB drive
Authored by: danielsbrewer on Feb 23, '05 10:21:23AM
Easier than changing the configuration file one can just use the -i option e.g.

ssh -i /Volumes/FLASH/ssh\ keys/id_rsa  www.example.com


[ Reply to This | # ]
How to use ssh keys on a USB drive
Authored by: danielsbrewer on Feb 23, '05 10:27:04AM

In a previous comment I said that you could use the -i option to choose any ssh key rather than changing the configuration. Interestingly enough, using this seems to avoid the problem of it complaining about the permissions. I have my ssh keys on a flash drive on FAT with permissions 777. When I use the -i it does not seem to complain.



[ Reply to This | # ]
How to use ssh keys on a USB drive
Authored by: houchin on Feb 23, '05 11:16:05AM

Cool.

What if you went one step farther and put a shell script on the flash drive to run ssh with that -i option? You would then put that script's directory into your path. You could then open connections just by typing something like "usbssh www.example.com" and not have to remember any paths at all.

The script could even be intelligent enough to figure out the mount point, or make the identity files relative to the script.

But you know, now that I type this, I'm starting to have security worries. Unless there's some form of access control to the USB keydrive, you're putting your identity on an easily losable device.



[ Reply to This | # ]
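The wrapper idea from the comment above, combined with the permission rule from the hint (ssh only accepts keys set to 600 or similar), as an added example that is not code from the hint or from any commenter. The `bin/usbssh` and `keys/id_rsa` layout on the volume is an assumption made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical "usbssh" wrapper kept on the removable volume.
# Assumed layout (not from the page): <volume>/bin/usbssh, <volume>/keys/id_rsa

# Print the private-key path relative to where this script lives, so the
# mount point (/Volumes/FLASH, /media/usb, ...) never has to be hard-coded.
usbssh_key_path() {
    script=$1
    dir=$(cd "$(dirname "$script")" && pwd -P) || return 1
    printf '%s/keys/%s\n' "$(dirname "$dir")" "${2:-id_rsa}"
}

# Succeed only if the key is a regular file with no group/other permission
# bits (600 or 400 style). A VFAT volume that reports 777 fails this check.
key_mode_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ldL "$1" | cut -c5-10)   # group+other columns of "-rwxrwxrwx"
    [ "$perms" = "------" ]
}

usbssh() {
    key=$(usbssh_key_path "$0") || return 1
    if ! key_mode_ok "$key"; then
        echo "usbssh: $key is missing or accessible to other users" >&2
        return 1
    fi
    # IdentitiesOnly stops ssh from also offering keys held by an agent.
    ssh -o IdentitiesOnly=yes -i "$key" "$@"
}

# Run only when invoked as "usbssh host", not when sourced by another script.
case ${0##*/} in usbssh) usbssh "$@" ;; esac
```

On a volume that cannot store Unix permissions the wrapper refuses to run, which points back to the encrypted sparse image (or an HFS-formatted drive) described earlier in the thread.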
How to use ssh keys on a USB drive
Authored by: Scott Windsor on Feb 23, '05 01:19:28PM

Is there any way to encrypt the USB key's filesystem?
If not, you could encrypt your keys and config. At this point, you'd probably want a more complicated "unlock" script that goes out to the USB key, decrypts it, and allows you access? But, ideally you wouldn't have to copy the keys to your harddrive...



[ Reply to This | # ]
How to use ssh keys on a USB drive
Authored by: TrentC on Feb 23, '05 03:05:11PM

Why would you put your only private key onto a USB drive?

SSH will recognize multiple keys; generate one specifically for your USB drive, and add the public key to ~/.ssh/authorized_keys.

If you lose your USB drive, all you need to do is delete the public key from authorized_keys and the key on the USB drive will no longer work.



[ Reply to This | # ]
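The revocation step described in the comment above, as an added example that is not code from the commenter: it removes every entry for one device's public key from an authorized_keys file and leaves the other keys in place. The function names and the key strings in `demo` are constructed for illustration and are not real keys.

```shell
#!/bin/sh
# Added example: remove one device's public key from an authorized_keys file.

# Print the base64 key blob (second field) of an OpenSSH .pub file.
pubkey_blob() {
    awk 'NF >= 2 { print $2; exit }' "$1"
}

# revoke_key <lost-device.pub> <authorized_keys>
# Deletes every line carrying that key blob, including lines that begin with
# options such as from="...", and leaves all other keys untouched.
revoke_key() {
    blob=$(pubkey_blob "$1")
    [ -n "$blob" ] || { echo "revoke_key: no key found in $1" >&2; return 1; }
    tmp=$(mktemp "$2.XXXXXX") || return 1
    awk -v blob="$blob" '
        { for (i = 1; i <= NF; i++) if ($i == blob) next }
        { print }
    ' "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"              # keep the file private to its owner
    mv "$tmp" "$2"
}

# Constructed sample data: two fake keys, the USB one listed twice.
demo() {
    d=$(mktemp -d) || return 1
    echo 'ssh-ed25519 AAAAC3constructedUSBkey0000 usb-stick' > "$d/usb.pub"
    {
        echo 'ssh-ed25519 AAAAC3constructedDESKkey111 desktop'
        cat "$d/usb.pub"
        echo 'from="10.0.0.5" ssh-ed25519 AAAAC3constructedUSBkey0000 usb-stick'
    } > "$d/authorized_keys"
    revoke_key "$d/usb.pub" "$d/authorized_keys" || return 1
    cat "$d/authorized_keys"      # only the desktop line remains
    rm -rf "$d"
}
demo
```

Matching on the key blob rather than the trailing comment means an entry is removed even if its comment was edited on the server.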
How to use ssh keys on a USB drive
Authored by: Shawn Parr on Feb 23, '05 11:41:54PM

I administrate a number of servers. I have a mac at home, many macs at work, and a number of linux workstations that I may be working at.

Creating one Private key, and carrying it with me is very convenient. It also ensures that the private key is not on any single machine that may be stolen, as long as I remember to log out and/or remove them from the key agent.

Of course I also have to remember to always keep my USB drive secure, but often that is easier than securing workstations or laptops from walking away, especially as the I-stick has a wallet holder.



[ Reply to This | # ]
How to use ssh keys on a USB drive
Authored by: TrentC on Feb 24, '05 01:53:58AM

I administrate a number of servers. I have a mac at home, many macs at work, and a number of linux workstations that I may be working at.

Creating one Private key, and carrying it with me is very convenient. It also ensures that the private key is not on any single machine that may be stolen, as long as I remember to log out and/or remove them from the key agent.

Of course I also have to remember to always keep my USB drive secure, but often that is easier than securing workstations or laptops from walking away, especially as the I-stick has a wallet holder.

Heh. Nothing said the advice here is "one size fits all"; in your case, it'd make sense to have one key to worry about.

Me, I have 2 Linux boxes and an iMac to worry about; if I lose a USB drive, the odds that someone will find it, figure out my passphrase as well as what machines it can access, before I can get to a place where I can delete 3 public keys are enough in my favor that I don't lose sleep. :)



[ Reply to This | # ]
How to use ssh keys on a USB drive
Authored by: Shawn Parr on Feb 23, '05 11:51:33PM

Actually you can easily do that with aliases.

man alias

You can create them on the fly in a terminal session, or add them to your .profile



[ Reply to This | # ]
How to use ssh keys on a USB drive
Authored by: mnb on Feb 23, '05 04:16:02PM

Instead of changing your system config (which will be a problem for multi-user systems and less obvious to change back), you should be able to just do this:

cd ~/
mv .ssh .ssh-orig
ln -s /Volumes/NameOfUSBMount/.ssh .ssh

This assumes you have stored the files in a directory named .ssh at the root level of the USB Drive.

If you want to revert to normal use...

rm .ssh ; mv .ssh-orig .ssh



[ Reply to This | # ]
How to use ssh keys on a USB drive
Authored by: Shawn Parr on Feb 23, '05 11:43:58PM

You copy ssh_config from etc to ~/.ssh so that it only affects you. Not the other users. You shouldn't change /etc/ssh_config as that will probably be overwritten by a future OS update.



[ Reply to This | # ]
How to use ssh keys on a USB drive
Authored by: rhowell on Feb 23, '05 04:56:46PM

Once a disk image (encrypted or not) and/or a USB drive is mounted, any user on the system can browse it depending on the permissions of the files and folders. Now, if you have private keys with 777-permissions (thanks windows!) aren't you at a huge risk of giving them away?



[ Reply to This | # ]
How to use ssh keys on a USB drive
Authored by: Shawn Parr on Feb 23, '05 11:48:35PM

YES! Just like any hard drive you put data on (without using FileVault) can be ripped out, and stuck in a firewire enclosure, and all your data can be read by anyone.

I understand this risk, and make sure that I always have the card in my possession, and that the key agent is disabled before logging off the machine (just to be extra paranoid).

There is no such thing as perfect security, only better and worse security.

This gives me better security for my servers (disabling login/password ssh), and gives me a bit of convenience. However it also gives me the inconvenience of having to be paranoid about where the USB drive is at all times.



[ Reply to This | # ]