How to use ssh keys on a USB drive

Feb 23, '05 07:12:00AM

Contributed by: Shawn Parr

Reading this ssh security hint, and the various comments about keeping private keys on USB drives, motivated me to actually try it. I also use Linux and Windows machines, and ran into a problem: Mac OS X will not use a private key stored on a VFAT file system. VFAT has no Unix permission bits, so every file and folder on a VFAT-formatted USB drive is reported with mode 777, and ssh refuses to load a private key unless it is set to 600 or similar. I also had to figure out how to point ssh at a key on a different volume.

My solution was to make two copies of my private key (well, three, actually, since I use PuTTY on the PC and it requires a key in its own format): one on the drive itself, and one inside a sparse image stored on the drive. That way Linux has access to the key on the VFAT partition, and I can mount the sparse image when I am at my Mac.

The next issue was how to get Mac OS X, or any Unix, to use a key on a USB drive. It turns out this is very easy. In a Terminal window, do the following:

    $ cp /etc/ssh_config ~/.ssh/config
    $ pico ~/.ssh/config

Now find this line:

    # IdentityFile ~/.ssh/identity

Remove the # to uncomment it, and change the path to that of your key on the USB drive. Finish by logging out, then back in. If everything is set up right, public key authentication will not work unless your USB drive and/or sparse image is mounted. As soon as the drive is mounted, authentication works as expected.
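The behaviour described above comes down to two checks the OpenSSH client makes before it will use an IdentityFile: the file must exist (an unmounted volume simply means the key is skipped), and its mode must have no group or other permission bits set, i.e. (mode & 077) must be 0, otherwise ssh reports "Permissions ... are too open" and rejects it. The following script is an added example, not code from the original hint; it reproduces that test on constructed files standing in for the VFAT copy, the sparse-image copy, and an unmounted volume. The function names and the paths under the temporary directory are mine.

```shell
#!/bin/sh
# Added example, not from the original hint: a small checker that treats a
# private key file the way the OpenSSH client does before loading it.
# OpenSSH refuses a private key it owns whose mode has any group or other
# bit set, i.e. (mode & 077) != 0, and prints "Permissions ... are too open".
# A VFAT volume has no Unix permission bits, so every file on it shows up
# as 0777 and fails that test; the same key inside a mounted sparse image
# (an HFS+ volume) can be chmod 600 and passes.

# key_mode_ok FILE: returns 0 when no group/other permission bits are set.
# Uses ls -ld rather than stat(1), whose flags differ between BSD and GNU.
key_mode_ok() {
    perms=$(ls -ld "$1" | cut -c2-10)              # e.g. rw-------
    group_other=$(printf '%s' "$perms" | cut -c4-9) # group + other triplets
    case "$group_other" in
        ------) return 0 ;;   # equivalent to (mode & 077) == 0
        *)      return 1 ;;   # some group/other bit set: ssh rejects the key
    esac
}

# check_identity FILE: prints how ssh would treat the key named in an
# IdentityFile line, and returns 0 only when it is usable.
#   missing  - volume not mounted; ssh skips the key and falls back to
#              other methods, which is the "does not work without the
#              drive" behaviour the hint describes
#   too-open - present but readable by group/other, as on VFAT
#   ok       - present with owner-only permissions
check_identity() {
    if [ ! -f "$1" ]; then
        echo missing
        return 1
    fi
    if key_mode_ok "$1"; then
        echo ok
        return 0
    fi
    echo too-open
    return 1
}

# Demonstration on constructed empty files (no real keys involved). The
# directory names stand in for the VFAT stick and the mounted sparse image.
demo() {
    tmp=$(mktemp -d)
    fat_key="$tmp/usbstick/id_dsa"        # stands in for the VFAT copy
    img_key="$tmp/sparseimage/id_dsa"     # stands in for the HFS+ copy
    absent="$tmp/unmounted/id_dsa"        # volume not mounted
    mkdir -p "$tmp/usbstick" "$tmp/sparseimage"
    : > "$fat_key"; chmod 777 "$fat_key"  # what VFAT reports for every file
    : > "$img_key"; chmod 600 "$img_key"  # what chmod 600 gives on HFS+
    for k in "$fat_key" "$img_key" "$absent"; do
        printf '%-28s %s\n' "${k#$tmp/}" "$(check_identity "$k")"
    done
    rm -rf "$tmp"
}

demo
```

Running the script prints one line per constructed path: the VFAT stand-in comes back too-open, the sparse-image stand-in ok, and the unmounted path missing. Pointing check_identity at the real path from your IdentityFile line is a quick way to confirm which of the three states ssh is seeing when authentication unexpectedly falls back to a password.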

I decided to go "whole hog" with this: the sparse image is encrypted, my private key is DSA generated with -b 2048, and it has a long, randomly generated passphrase. Obviously, one needs to be very careful which Windows PCs one puts this drive in. I have the luxury of being Admin of the PCs I have to deal with, and I went to great lengths to ensure I could very quickly cleanse them when necessary.

Mac OS X Hints
http://hints.macworld.com/article.php?story=20050218224449785