6

Forgive the noob-ness of my question, but I'm taking baby steps.

I've read about why it is important to use SSH keys for logging into my server. However, it seems to me that this is most useful if you only log in to the server from one computer.

What if I'm away from my regular computer and need to log in to the server?

Thanks

Coops
blogjunkie

2 Answers

5

Firstly, well done for starting to use keys. Lots of newbies often try and avoid them as they seem complicated at first. In answer to your question I think you can either:

A) generate a new key on each machine you work from (this has an advantage that if one workstation is compromised you can revoke just its key, not affecting any of the others).

or

B) take the first key wherever you go (e.g. on a USB stick), but you risk losing all your access if you lose the USB stick.

I've varied my choice over time depending on a few factors, such as the practicality of carrying a key with you, how many machines you need to log into, how many machines you need to log in from, etc.

But in the end the options are quite flexible as you're normally just talking about a line or two of text that needs to be in the right place on the right server.

Coops
  • Great, this leads to the next question then.. How do I log in with a USB stick? And to clarify, I'm carrying around my private key on this USB stick, right? – blogjunkie Aug 13 '11 at 20:57
  • 1
    @blogjunkie - Yes, it would be the private key you would need to carry around with you. You then just need to tell SSH the location of your identity file (aka key) using the -i flag. For example: "ssh user@host -i /mnt/usb/priv.key" – Coops Aug 13 '11 at 21:00
  • @blogjunkie it's also worth reiterating again - if you lose the USB stick, someone can simply use that key themselves. So it can be worth encrypting the USB stick too - but that's a different matter :-) – Coops Aug 13 '11 at 21:01
  • 1
    That's why you put passphrases on your keys -- **especially** if you're going to be carrying them around, but they're valuable on keys that don't travel, too. – womble Aug 13 '11 at 21:23
  • 2
    This is probably the best solution. The only thing I'd add: make your 'mobile' key different from the ones that you use on all of your normal machines. That way, should you ever lose your storage device, all you need to do is remove the entry from the 'mobile' key in 'authorized_keys'. Full disk encryption of the mobile storage and passphrases on your keys provide some additional peace of mind. If you feel really paranoid, invest in a tamper-resistant USB key (e.g. an IronKey). – Murali Suriar Aug 13 '11 at 21:42
  • @Murali to secure things further a yubikey (http://yubico.com/yubikey) works nicely alongside ssh keys. @womble was going to say that, but comment is locked and three comments in a row is just rude :-) – Coops Aug 13 '11 at 21:58
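
Revoking only the 'mobile' key, as the answer and comments above suggest, comes down to finding and removing one entry in `authorized_keys`. The following is an added example, not part of the original posts, that identifies entries by their OpenSSH SHA256 fingerprint and drops the matching one; the sample keys, comments and the `from=` option value are constructed for illustration.

```python
import base64
import hashlib
import struct

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a raw public key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_line(line):
    """Return (fingerprint, comment) for a key entry, else None."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # Options may precede the key type: find a "type base64" pair that agrees.
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        name = fields[i].encode()
        if blob.startswith(struct.pack(">I", len(name)) + name):
            return fingerprint(blob), " ".join(fields[i + 2:])
    return None

def list_keys(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def revoke(text, fp):
    """Drop entries matching fp; return (new_text, removed_comments)."""
    kept, removed = [], []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and entry[0] == fp:
            removed.append(entry[1])
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def constructed_key(seed, comment):
    """Constructed sample entry: well-formed blob, not a real key pair."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32)
    blob += hashlib.sha256(seed).digest()
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

SAMPLE = "\n".join([
    "# one line per machine",
    constructed_key(b"desk", "user@desktop"),
    'from="203.0.113.0/24" ' + constructed_key(b"lap", "user@laptop"),
    constructed_key(b"usb", "user@usb-stick"),
]) + "\n"
```

The fingerprints are in the same format that `ssh-keygen -lf` prints for a public key file, so the value to revoke can be read off a surviving copy of the public key.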
2

You could keep a set of keys on a USB key (encrypted perhaps).

Also, don't forget you can have more than one key used to log in. So you could set up a couple of workstations to log in with ssh keys.

curtis