I Stopped Trusting SSH Key Files

https://igorstechnoclub.com/why-i-stopped-trusting-ssh-key-files/

5•Tomte•2h ago

Comments

Bender•2h ago

A copied key works from anywhere, silently. There's no "is the real owner here right now?" check.

The server can have restrictions on where SSH keys are valid from. Furthermore the server side public SSH keys can be moved under /etc/ssh/keys so they are harder to tamper with vs a users .ssh dir in $HOME. This can significantly reduce the blast radius of a leaked key. Furthermore the server side file should be set immutable and read-only and something like Tripwire or OSSEC should be monitoring for changes to anything in /etc. Additionally one can limit access to SSH over a VPN such as Wireguard unless this is a public SFTP server.

    # grep "/etc/ssh/keys/" /etc/ssh/sshd_config
    AuthorizedKeysFile /etc/ssh/keys/%u

    # chmod 0444 /etc/ssh/keys/root
    # chattr +i /etc/ssh/keys/root

    # cat /etc/ssh/keys/root
    from="172.16.0.0/12,26.10.15.0/24" ssh-ed25519 AAAA...[snip].... JIRA-10040

cyanydeez•5m ago

now imagine they move these to physical devices. It gets much worse, but there really arn't any super secure means to secure, identify and prevent impersonation and unwarranted access.

Likely, sufficiently complex passwords will continue to be the frontline defense.

Grombobulous•4m ago

I wished for the article to tell us how to set it up at least from a bi high level.

I also think SSH certificate authentication mostly solves the “key comes from anywhere” problem by automatically expiring certificates.

This isn’t as immune to this type of attack as Secure Enclave, but you do get a benefit where the user has to get the correct certificate periodically in order to maintain access.

If I pass my credentials and certificates to someone else or someone steals them, they’ll eventually expire them, or I can expire them if I know a breach has occurred.

The impracticalities of Secure Enclave are obvious to all of us: recent Apple devices only.

The most banned man inside the United States of America

When AI Files Your Taxes: Who Pays When It Fails

The best stack for the AI Era

Plants keep tabs on the competition, and adapt growth patterns

Show HN: Persona.js – a vanilla-JS agent UI library with native WebMCP (MIT)

Show HN: An experiment in human and AI social networking

HSIP–local identity server in Rust with Ed25519 signing and AI agent governance

No-Code Automated Quant Trading

The notational conventions I adopted, and why (EWD 1300)

Why an AI-saturated internet gave me a reason to write

Read Zero Knowledge As I Write It (crypto thriller)

AMD will reinstate memory encryption on Ryzen 9000 CPUs via BIOS update in July

Show HN: My Windows XP portfolio with working Game Boy and iPod

GitHub DMCA Repository

Show HN: Tin Validate, a tax ID validator that explains why checks pass or fail

VMAF v1: Good Is Not Good Enough

Google display wrong flags for world cup 2026

Show HN: An ASCII 3D Rendering Engine

Russia no longer needs so many graduates, country's education minister warns

The Market's AI Fanfare Is Running into a Harsh Political Reality

The Next Generation of American Cheese (2023)

AI in Games: The Impact on Sales

Ask HN: Are people optimistic about the future?

GoPro and Roomba were U.S. pioneers. Chinese rivals now dominate

Russia Wants AI Sovereignty. It Has a Chip Problem

America's Founders helped create a world they were not yet ready to live in

LLVM-Snippy: An Instruction Sequence Generator. Part 1: Overview [video]

PostgresBench: A Reproducible Benchmark for Postgres Services

How the Fifth Lateran Council Unlocked Financial Theory

World first, a man living with HIV received transplant from HIV-positive donor