
#1 2015-07-21 16:23:30

MGu3l
Member
From: Medellín, Colombia
Registered: 2009-12-19
Posts: 109

First time using SSH, I have a question about passphrases

Hi everybody, I'm using SSH keys for the first time in my life to connect to my GitHub account, and each time I try to clone a repo or push some changes it asks for my passphrase... as if it isn't hard enough to remember a password!! So I've read something about ssh-agent and how it can help me manage my passphrase so I don't have to type it in every single time. I don't know if I understood correctly, since I couldn't find any good documentation in my mother tongue [Spanish], and the Arch wiki has a really nice and complete article about SSH, but it can be a little too confusing after a while.

So my question is: can ssh-agent remember my passphrase? Is it a good idea, or is the expected behavior to type my phrase every single time? And finally, in case question 1 is affirmative... should I add ssh-agent to systemd, and how?

Thanks in advance guys!


"Dream as if you'll live forever, live as if you'll die today" - James Dean

Offline

#2 2015-07-21 16:55:41

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: First time using SSH, I have a question about passphrases

Yes, you start the agent (for some, on login), and are prompted for the passphrase and then the agent will authenticate for you until you set it to time out.

You can either start it manually the first time you use it or on login (in your shell initialisation file or as a service with systemd).


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#3 2015-07-21 19:39:12

MGu3l
Member
From: Medellín, Colombia
Registered: 2009-12-19
Posts: 109

Re: First time using SSH, I have a question about passphrases

Correct me if I'm wrong, but I tried to re-read the SSH article on the wiki, and from what I understand, if I add this:

$ eval $(ssh-agent)

to my .bash_profile, it will start the agent when a login shell starts. And then if I add this to my .bashrc:

$ ssh-add -l >/dev/null || alias ssh='ssh-add -l >/dev/null || ssh-add && unalias ssh; ssh'

it will ask me for my passphrase when needed and add it to the agent, am I right?

I know it's kind of redundant to ask for something that's on the wiki but I'm not 100% sure I understand it and I don't really trust Google Translator.


Offline

#4 2015-07-21 20:45:44

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: First time using SSH, I have a question about passphrases

Don't add that snippet to your .bashrc: it is pointless and will be executed every time you open a shell...

Either start the agent and add the keys in your ~/.{,bash}profile, use a service file, or add them as you go.

FWIW, I just start keychain in my ~/.{,z}profile and it manages my SSH and GPG keys.


Offline

#5 2015-07-23 03:15:58

MGu3l
Member
From: Medellín, Colombia
Registered: 2009-12-19
Posts: 109

Re: First time using SSH, I have a question about passphrases

Finally I decided to do as you do and start using keychain, so according to the wiki I should add

eval $(keychain --eval --agents ssh -Q --quiet id_ed25519)

to my bash profile [I've replaced id_ed25519 with my key id].
Now I logged out and logged in again, but I don't see anything special at all; I ran 'keychain' on a terminal and it outputs

 * keychain 2.8.0 ~ http://www.funtoo.org
 * Found existing ssh-agent: 754 

So what do I do to add the passphrase, or when is it going to ask me for it? And once I put my passphrase in the first time it won't ask for it again, am I right?


Offline

#6 2015-07-23 04:03:52

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: First time using SSH, I have a question about passphrases

Yes, the agent is running. If you kill the agent and relogin, you will be prompted for your passphrase for that key.


Offline

#7 2015-07-23 05:31:56

bulletmark
Member
From: Brisbane, Australia
Registered: 2013-10-22
Posts: 683

Re: First time using SSH, I have a question about passphrases

I have to ask, what desktop environments are you guys using where you have to set this stuff up manually?

Offline

#8 2015-07-23 05:40:36

MGu3l
Member
From: Medellín, Colombia
Registered: 2009-12-19
Posts: 109

Re: First time using SSH, I have a question about passphrases

I'm using XFCE with the minimal configuration.

jasonwryan, I added the code to my .bash_profile and then when I logged in again it asked for my passphrase but 2 things happened:

1. if I log out and log in again, not only the desktop but the whole system freezes and I have to do a manual restart.
2. if I log in it asks for my passphrase and the desktop starts... if I shut down the system and log in again then it'll ask for the passphrase again, is that the expected behavior?

Sorry, but I'm feeling really lost in this subject, like I don't understand anything at all.


Offline

#9 2015-07-23 06:12:22

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: First time using SSH, I have a question about passphrases

1. Unrelated: separate systemd bug, covered elsewhere on the boards.

2. Assuming you mean logout, not shutdown, you can work around that by testing for an existing agent:

if [[ -z $(pidof ssh-agent) ]]; then
  eval $(/usr/bin/keychain --eval -Q -q --nogui --agents "ssh" id_dsa id_rsa)
  [[ -z $HOSTNAME ]] && HOSTNAME=$(uname -n)
  [[ -f $HOME/.keychain/${HOSTNAME}-sh ]] && source $HOME/.keychain/${HOSTNAME}-sh
fi

@bulletmark: no DE, just a WM or the TTY.


Offline

#10 2015-07-23 06:39:16

MGu3l
Member
From: Medellín, Colombia
Registered: 2009-12-19
Posts: 109

Re: First time using SSH, I have a question about passphrases

yep, I meant logout. I was thinking of another question:

1. is there a way to permanently save the passphrase even if I turn off my machine? I think gnome-keyring can do it, but I'm not sure.
2. do you know if there's a way to make keychain ask for my passphrase not at login but when needed? I mean, to make keychain ask for it just after I use the 'git push' command.


Offline

#11 2015-07-23 06:55:56

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: First time using SSH, I have a question about passphrases

1. No, that makes no sense.

2. Sure, just start the agent at login without adding keys, and then add it just before you require it (make an alias if that rings your bell).


Offline

#12 2015-07-23 09:48:33

Awebb
Member
Registered: 2010-05-06
Posts: 6,688

Re: First time using SSH, I have a question about passphrases

jasonwryan wrote:

1. No, that makes no sense.

I object. It makes a lot of sense from a user's perspective, but the entire concept is so flawed that it makes no sense to use passphrases at all in a lot of scenarios.

The only real reason an ssh key should always have a passphrase is to prevent theft by leaks in sandboxes, malicious scripts run by the user or malevolent administrators stealing keys. The key itself is already protected against everything else by the access rights of the folder, your personal login password and your disk encryption (which you have, haven't you?).

You cannot defend yourself against an evil root. It doesn't really matter whether you type the passphrase every time or use ssh-agent: at some point the key will be unencrypted in the system's memory, so root can dump and read it. Then, considering how easy it is to rebind keys in X, any sandbox leak/malicious script run by a careless user can log the key. That means the passphrase does not protect you from key theft, it only forces an attacker to wait for you to use the passphrase at least once.

This is a typical example of the single sign-on problem. A user does not want to memorize many passwords, so the user wants to simplify the process. Optimal - from the user's point of view - would be logging in and activating everything at once. Then we have keyring systems in desktop environments that break as much as they fix; for example, the KDE wallet asked for my keyring password because it stored the WLAN passwords behind that key (I think it's obvious why this might be a problem). While the information is stored securely, the password prompts come at the most inconvenient moments. Those inconvenient moments are the root cause of the biggest security hole known to exist: the user.

You see what happens once passwords are involved. Users will want to automate the process. Isn't one password enough? The more passwords you have, the more single sign-on you will want. This is especially bad if you want to automate a couple of things. How many hours of work have been wasted over the history of system administration, thanks to cronjobs that failed because a keyring wasn't unlocked after a reboot?

In order to simplify this, you add more points of failure. You add ssh-agent, so you'll only have to enter the password once a session (whatever that means for the normal user; knowledge of login shells and probably seats is required to predict when the system will ask for a password interactively), giving a malevolent root a window not only during your ssh session, but during your entire system session, to dump your unencrypted keys. It also does not stop malicious scripts and browser sandbox exploits from simply connecting to the ssh-agent socket and running malicious stuff, and they may do so without a problem, because you unlocked it for the same session of the same user. It creates one security problem to fix another. You don't want your private key file to be stolen and used elsewhere. Fine, the attacker will simply use your machine on the same vector as it would have stolen the file.

If you now want a single sign-on that accepts your unix password (even after a change, without re-encrypting everything), you would have to introduce another secret, some piece of data that is re-encrypted on every password change, that contains the secret you need to unlock your keyring, which holds the secret to unlocking your ssh key secret. While this all sounds super secret, every step on the way not only has access to another secret, but also consists of software, something we know can be buggy or tampered with.

Now, after securing every single key on your system, you suddenly want to automate something on a host that has to be protected by one of those super secret private keys. You cannot simply change the key and miss the point of the entire security exercise. You cannot create a second user on the remote system for some reason. You already feel the temptation. If I had a nickel for every time I have seen a clear text password echoed, piped and xargsed in a script, I would probably be able to hire somebody to write my board posts for me. There once was a time when ssh actually accepted passwords either with a switch or from STDIN.

My conclusion: If you want to use a passphrase for an ssh key, then be prepared to enter it every time you want to connect. If you don't like the idea, then all the hacks your brain might come up with will introduce more security problems than the passphrase fixes. If you feel you need the passphrase, not just because the feature exists but due to valid real-world concerns, then you probably have a whole different metric ton of security problems to deal with.

Offline

#13 2015-07-23 10:12:01

wirr
Member
Registered: 2009-10-25
Posts: 70

Re: First time using SSH, I have a question about passphrases

I'm not entirely sure whether this ssh-add flag addresses all of your concerns:

     -c      Indicates that added identities should be subject to confirmation before being used for authentication.
             Confirmation is performed by the SSH_ASKPASS program mentioned below.  Successful confirmation is
             signaled by a zero exit status from the SSH_ASKPASS program, rather than text entered into the requester.

Offline
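As an added example (not from the thread or the Arch wiki), this combines jasonwryan's advice of starting the agent at login without keys and adding the key just before use with the `ssh-add -c` confirmation flag wirr quotes, plus a key lifetime so the key does not sit unlocked in the agent for the whole session. The key path and the one-hour lifetime are assumptions, and `-c` needs an SSH_ASKPASS helper (ssh-askpass) installed, as the man page excerpt says.

```sh
#!/bin/sh
# Added example, not code from the thread. Start ssh-agent at login without
# keys (eval $(ssh-agent) in ~/.bash_profile), then load the key only when git
# is about to use it, with per-use confirmation (-c) and a lifetime (-t).

KEY="${SSH_KEY_FILE:-$HOME/.ssh/id_ed25519}"   # assumption: your key file
LIFETIME="${SSH_KEY_LIFETIME:-1h}"              # assumption: 1h unlock window

# Map the exit status of `ssh-add -l` (0 = identities loaded, 1 = agent has
# no identities, 2 = cannot contact an agent) to a word.
agent_state() {
    command -v ssh-add >/dev/null 2>&1 || { echo "no-ssh-add"; return 0; }
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "loaded" ;;
        1) echo "empty" ;;
        2) echo "no-agent" ;;
        *) echo "unknown" ;;
    esac
}

# Load the key only when an agent is running and the key is not yet present.
# -c makes the agent ask for confirmation (via SSH_ASKPASS) on every use;
# -t removes the key from the agent after LIFETIME.
ensure_key() {
    case "$(agent_state)" in
        loaded) return 0 ;;
        empty)  ssh-add -c -t "$LIFETIME" "$KEY" ;;
        *)      echo "no ssh-agent found; start one with: eval \$(ssh-agent)" >&2
                return 1 ;;
    esac
}

# Wrap git so the passphrase is requested right before a network operation,
# not at login. Defining these functions in ~/.bashrc is cheap: nothing runs
# ssh-add until git is actually invoked.
git() {
    case "$1" in
        push|pull|fetch|clone) ensure_key || return 1 ;;
    esac
    command git "$@"
}
```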

#14 2015-07-23 16:22:13

MGu3l
Member
From: Medellín, Colombia
Registered: 2009-12-19
Posts: 109

Re: First time using SSH, I have a question about passphrases

jasonwryan wrote:

2. Sure, just start the agent at login without adding keys, and then add it just before you require it (make an alias if that rings your bell).

yeah, I guess that was a pretty obvious response, hehehe...


Now, due to Awebb's excellent post I have another question: is it really important to have a passphrase for my SSH key? I'm not doing anything really important, just uploading some tests and projects I do while learning Ruby, so I think it's not a big matter... or do you think in terms of security it's better to have a passphrase no matter what you're doing?


Offline

#15 2015-07-23 16:23:19

MGu3l
Member
From: Medellín, Colombia
Registered: 2009-12-19
Posts: 109

Re: First time using SSH, I have a question about passphrases

wirr wrote:

I'm not entirely sure whether this ssh-add flag addresses all of your concerns:

     -c      Indicates that added identities should be subject to confirmation before being used for authentication.
             Confirmation is performed by the SSH_ASKPASS program mentioned below.  Successful confirmation is
             signaled by a zero exit status from the SSH_ASKPASS program, rather than text entered into the requester.

wirr, so from what I understand, instead of you typing the passphrase, ssh-add will communicate with SSH_ASKPASS to do it for you?


Offline

#16 2015-07-23 18:00:11

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: First time using SSH, I have a question about passphrases

If you don't have a passphrase, why bother about security at all?

Seriously, do some research: this is starting to feel like spoonfeeding.


Offline

#17 2015-07-23 18:36:28

MGu3l
Member
From: Medellín, Colombia
Registered: 2009-12-19
Posts: 109

Re: First time using SSH, I have a question about passphrases

jasonwryan wrote:

If you don't have a passphrase, why bother about security at all?

Seriously, do some research: this is starting to feel like spoonfeeding.

woah, relax, I was just asking for your opinion. You said it makes no sense to save the passphrase permanently and Awebb has a different opinion; that's why I asked about this security topic, not because I haven't done any research at all.


Offline

#18 2015-07-23 19:35:38

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: First time using SSH, I have a question about passphrases

Reread Awebb's post: he is actually agreeing. From a security standpoint, it makes no sense. From a convenience view, it may provide an (illusory) benefit.

And there are plenty of articles on the web about the risks around passphraseless keys.


Offline

#19 2015-07-23 21:01:50

nbvcxz
Member
From: Poland
Registered: 2007-12-29
Posts: 202

Re: First time using SSH, I have a question about passphrases

Awebb wrote:

My conclusion: If you want to use a passphrase for an ssh key, then be prepared to enter it every time you want to connect. If you don't like the idea, then all the hacks your brain might come up with will introduce more security problems than the passphrase fixes. If you feel you need the passphrase, not just because the feature exists but due to valid real-world concerns, then you probably have a whole different metric ton of security problems to deal with.

100% true. In fact I am quite lazy and don't use a passphrase, because it would be just another level of security. I am not paranoid, so my account password + some easy security tools (e.g. screenlock) are fair enough for me in daily use. I don't need to make my keys "top ultra hyper secret". The ssh and gpg keys are just there to simplify my daily work with many online logins (I don't use a keyring).


Lenovo G50 | LXQT-git | compton | conky

Offline
