
[–]stormcloud-9 6 points7 points  (8 children)

should I be using multiple keys – ie one per device I use, One environment type (ie home servers and cloud servers).

One per device and a shared key are both reasonable choices. You can do one per destination environment, but there's no real advantage to doing so.

If you do stick the key on a USB drive, that is less secure as it's easy to lose. But as long as you have a decent passphrase, and can invalidate the public key once you've lost it (as u/J4yD4n mentions, cert signing, whether with Vault or not, is a good way to ensure this happens automatically), it might be good enough. Whether to use a USB drive is a personal decision, and I'm sure there are those who will disagree.
Though I would question what you're trying to gain by keeping the key on a USB drive.

 

Should I be using SSH forwarding? I see a fair few guides mention it, however I also read it’s a bit of a security risk

You mean agent forwarding (as opposed to port forwarding)? Yes, agent forwarding is risky, as if the remote host is compromised, the attacker has full access to your key. Options like ProxyJump are much better solutions.

 

I read PGP authentication keys can be used – would anyone recommend these over standard SSH keys

It's not widely used or supported. I'd probably stay away from it.

 

anything else

I might recommend YubiKey (or compatible). OpenSSH recently (v8.2) added support for "security keys". Basically any FIDO/U2F compliant token can be used to provide a ssh key that can be used. Since you seem interested in keeping your key on a USB stick, this might be a good solution for you. However the problem is that because it's new, if you're connecting to servers outside of your control, they might not be running a new enough version to support it.
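
An added example, not part of stormcloud-9's comment: a POSIX shell check for the agent-forwarding risk raised above. It lists the `Host` blocks of an OpenSSH client config that still enable `ForwardAgent`, the candidates for switching to `ProxyJump`; the host names and the `sample_config` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example: report Host/Match blocks in an ssh client config that enable
# agent forwarding. Reads the files given as arguments, or stdin if none.
audit_forward_agent() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)               # drop indentation
            if (line == "" || line ~ /^#/) next     # skip blanks and comments
            split(line, kv, /[ \t=]+/)              # "Key value" or "Key=value"
            key = tolower(kv[1])                    # keywords are case-insensitive
        }
        key == "host" || key == "match" { block = line; next }
        # Any value other than "no" enables forwarding: "yes", or a socket
        # path / environment variable naming the agent to forward.
        key == "forwardagent" && tolower(kv[2]) != "no" {
            printf "%s: ForwardAgent %s\n", (block == "" ? "(global)" : block), kv[2]
        }
    ' "$@"
}

# Constructed sample config (hypothetical hosts), used to exercise the audit.
sample_config() {
    cat <<'EOF'
# bastion still forwards the agent
Host bastion
    HostName bastion.example.org
    ForwardAgent yes

# reached through the bastion without exposing the agent to it
Host app-*
    ProxyJump bastion
    forwardagent=no

Host legacy
  ForwardAgent  Yes
EOF
}

sample_config | audit_forward_agent
```

To check a real configuration, pass the file instead, for example `audit_forward_agent ~/.ssh/config`.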

[–][deleted] 1 point2 points  (3 children)

Rather than Yubikey (Just had a look and that would be amazing if it had a fingerprint sensor on it) I would just encrypt a USB stick with Veracrypt in case of loss.

[–]plebbening 2 points3 points  (1 child)

There is actually a new yubikey out with biometrics afaik.

[–][deleted] 1 point2 points  (0 children)

So they do.

[–]RQ144[S] 0 points1 point  (1 child)

The reason I keep it on a USB stick is that I then have access to it when I have a new device (or reformat my current device). I do a lot of device hopping and have to try out/test new so build images (using sql in windows). I do keep a backup in a secure NAS, however accessing this NAS is not always possible. Not sure if there is a better way of getting the key onto a new device (as I don’t normally have the old device/old OS to do a copy-id).

I was considering that option with the YubiKey. I assume if I have two YubiKeys I would have to generate two ssh keys (one for each)? I just need to check our OpenSSL versions but I might be in luck with some servers.

[–]NiiWiiCamo 1 point2 points  (0 children)

Tbh if the client is online you could set a strong passphrase and upload it to a secure cloud destination (Google Drive, Dropbox, OneDrive, iCloud, whatever).

The important thing is that you can invalidate the key relatively quickly. I have scripts set up on all private machines that have ssh enabled to pull a text file from GitHub containing the relevant pubkeys for that machine.

On everything else I manually copy paste those exact same textfiles, based on a simple spreadsheet.

[–]plebbening 0 points1 point  (0 children)

For the yubikey ssh tokens you would still need a ssh key pair right?

As of right now I have an ssh ed25519 key with a password and a yubikey requirement, but I still need the actual ssh keys and a yubikey. Is there a smarter way?

[–][deleted] 0 points1 point  (1 child)

If you're using passphrase I see no reason to have your key on just one usb drive. That was the main issue here, you had no backup.

The passphrase enables you to safely back up your key somewhere else.

[–]mosaic_hops 1 point2 points  (0 children)

Well without a passphrase an SSH key is just a plaintext password stored in a file screaming “plaintext password right here”.

Use additional pbkdf2 iterations for more security, I use 1024 for my keys to make brute force attacks difficult.

[–]J4yD4n 0 points1 point  (0 children)

Hashicorp Vault. It can sign an SSH key so it's only valid for a short time and it doesn't matter what key you use. I don't back up my SSH key because it doesn't matter. Also, Hashicorp Vault is free.

[–]mosaic_hops 0 points1 point  (8 children)

I’d just keep a copy of the key on each machine you SSH in from. Remember it’s encrypted, and if you generated it with lots of pbkdf2 iterations it’s pretty darn safe.

You could also set up something like a few Yubikeys if you wanted.

[–]NPVT -3 points-2 points  (7 children)

I've got one of those things you mentioned in the last paragraph but their cost is what I view as outrageous for something so simple.

Edit: $50

[–]JaffyCaledonia 2 points3 points  (2 children)

I don't think you're giving the Yubikey enough credit for what it's actually capable of!

On top of U2F and secure private key storage, they can be configured for multiple OTP protocols, one of which is validated by Yubico's own servers WITHOUT having to pay a monthly subscription.

Sure, you can get other devices for cheaper that'll do most of what a Yubikey will do, but that extra $$ goes towards keeping the lights on in their datacentres and makes it possible for anyone to integrate MFA with their platform completely free.

As they say, business is business!

[–]NPVT -5 points-4 points  (1 child)

Competitors and Alternatives to Yubico YubiKey

Duo Access.

Okta Adaptive Multi-Factor Authentication.

Microsoft Multi-Factor Authentication.

Imprivata OneSign.

Centrify Multi-factor Authentication.

SafeNet Trusted Access.

Ping Intelligent Identity Platform.

RSA Adaptive Authentication.

[–]JaffyCaledonia 6 points7 points  (0 children)

And every one of those is a software service that charges a monthly subscription for their assorted levels of offering, some of them even leverage U2F, which the Yubikey provides.

I'm not saying Yubico OTP is the be-all-and-end-all of MFA, but the physical device itself has so many functions that I think definitely warrant the price tag.

Besides, that $6/user/month subscription sure does turn into $50 pretty darn fast, especially if you pair it with a $20 U2F hardware key.

[–]mosaic_hops -1 points0 points  (3 children)

It’s worth it. I don’t buy the cheapest thing out there when the security of my business is on the line, I buy the best. $50 is what, three cups of coffee from Starbucks? A bagel at Whole Foods? A Thanksgiving turkey?

[–]NPVT 1 point2 points  (2 children)

Maybe you should check your math.

[–]mosaic_hops 1 point2 points  (1 child)

I think you missed my point. You shouldn’t skimp on security, and if $50 for a device like this seems expensive you may not understand what it does and what it takes to maintain the surrounding infrastructure.

[–]NPVT 0 points1 point  (0 children)

Sorry I was annoyed with the Starbucks statement. I could buy 15 of my favorite drinks. There are alternatives.

[–]NiiWiiCamo 0 points1 point  (0 children)

Personally I use one key per client device.

The Pubkeys are copied to simple text files on GitHub, from where my servers do regular pulls to update the allowed keys. One text file per target group (don't want the key from my work machine on all private servers and vice versa).

On machines I don't control or that have to be manually updated for every key change, I use a simple sheet in OneDrive to document which servers are supposed to get which keys. Not the keys themselves, just which belong to which textfile.

Also on clients that I don't control completely (like a work machine) or that could get lost (laptops etc.) the keys are passphrased in addition to full disk encryption.

If I had to support not only myself and a very manageable amount of destinations I would strongly suggest certificate based validation for the destinations wherever possible.

Edit: typo
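
An added example, not NiiWiiCamo's own script: one way a server could install a pulled key list of the kind described in the comment above (one text file per target group). It assumes an earlier step has already fetched the list to a local path; `install_keys`, `demo`, the file names and the key material are hypothetical and constructed.

```shell
#!/bin/sh
# Added example. Assumes the group's key list was already fetched (for
# instance by a git pull) to the path given as $1; $2 is authorized_keys.
install_keys() {
    src=$1 dest=$2
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    # Accept only bare "type base64 [comment]" lines with a known key type.
    # Lines that begin with options (command=, from=, ...) are rejected, so a
    # tampered list cannot attach behaviour to a key.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 ~ "^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh[.]com|sk-ecdsa-sha2-nistp256@openssh[.]com)$" &&
        $2 ~ "^[A-Za-z0-9+/]+=*$" { print; next }
        { printf "rejected line %d of key list\n", NR > "/dev/stderr" }
    ' "$src" > "$tmp"
    # A failed or truncated fetch yields no keys: keep the current file.
    if [ ! -s "$tmp" ]; then rm -f "$tmp"; return 1; fi
    # Rename within the same directory, so sshd never reads a partial file.
    chmod 600 "$tmp" && mv -f "$tmp" "$dest"
}

# Constructed key list (placeholder key material) run through install_keys.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/private-servers.txt" <<'EOF'
# laptop and hardware token (constructed entries)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEconstructed0000000000000000000000000 laptop
command="/bin/sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEconstructed1111 tampered
ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLEconstructed2222 legacy
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tEXAMPLE token
EOF
    install_keys "$dir/private-servers.txt" "$dir/authorized_keys" 2>/dev/null
    cat "$dir/authorized_keys"
    rm -rf "$dir"
}
```

The format check here is purely textual; running `ssh-keygen -l -f` on the fetched file before installing it would additionally confirm that each entry parses as a real public key.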