Be careful of where you put your SSH private keys.

One of the semi-regular security checks we in Fedora Infrastructure do on various servers is to look for uploaded private .ssh keys. These are a problem because as much as we can not and do not guarantee the privacy of those keys on our servers.

In general we find 4-5 keys every couple of months and about 50% of the time they have no encryption key on them. This means that if the key had been found by a third party, they could use them without any problems in getting access to any server the public key has been placed in an .ssh/authorized_keys file. And while I have not tested the passwords on the encrypted id_rsa keys, I have tested some private created ones and found that the brute forcing is a lot faster than what is possible against the sha512crypt() used to encrypt Fedora passwords.

With this in mind, it is always important to make sure your SSH private keys remain

  1. on hardware that you control and not uploaded to services in the cloud.
  2. password encrypted with a password at least 10 characters in length and not easily guessable. [Using passwords like "fedoraproject", "password", "sshpassword", or the favourite "123456" are not hard to find or guess by an attacker]

If you have a hard time coming up with a password use the program pwqgen from the passwdqc package
[smooge@seiji-wlan ~]$ for ((i=0; i<10; i++)); do /usr/bin/pwqgen random=65; done bias Blaze Crook Primal Shore Borrow tilt Macro Beef leo Growth Reside Dolly prompt openly Crawl sigh Boyish thrill lake Past Urgent Carbon Orient Wrap root Arm Book Candy iowa chalk Plasma Champ Active motion Pause border Retina Mrs storm fault Mouth Xerox inward snatch advert apex Mature Akin play Chose the line you like the best.

No comments: