
Announcing sshexport - ingve
http://esr.ibiblio.org/?p=6990
======
michaelmior
> This doesn’t actually pose much additional security risk because by
> hypothesis anyone who can read this file has read access to your current
> private ssh keys already.

Yes, but they _don't_ have access to my password. That's kind of the point.
Having a password-protected private key file is much less useful without the
password. If you're going to store the password, might as well just remove it
and save yourself the trouble.

~~~
singlow
I read it like you the first time but now I think he means the remote account
password. As if I have password auth enabled in sshd.

~~~
csirac2
But he talks about GPG directories. And then says he uses drive encryption...
To protect his passwords? No, these sentences don't make sense.

~~~
db48x
To protect all the files on his computer(s), including the public/private key
pairs that allow him access to remote machines.

~~~
csirac2
I feel like I'm stating the obvious so perhaps I'm missing something, but FDE
only protects anything when a computer is off or a volume is otherwise not
mounted.

E.g. your average shoulder surfing/xscreensaver unlock bypassing jerk, hacker
or piece of malware isn't going to bother checking if an already mounted
filesystem happens to be on an encrypted block device and voluntarily decide
not to copy all your private keyfiles.

------
peterwwillis

      I struck a small blow for better security today.
    

Good old ESR. Taking a bow for writing an expect script.

------
eeZi
Ansible can easily do this out of the box. It's agent-less, too, so you don't
need to install anything on the remote host either. And if you're not using
config management, it's about time and Ansible is a great place to start!

[https://docs.ansible.com/ansible/authorized_key_module.html](https://docs.ansible.com/ansible/authorized_key_module.html)

------
JonathonW
How am I supposed to automatically rotate keys given that:

(1) Disabling password auth (which this appears to rely on) is literally the
second thing I do on a new machine (the first being to add the relevant
pubkey(s), so I don't get locked out), and

(2) My SSH private keys all have a passphrase set (they may or may not be
stored in ssh-agent at any given time, but that's irrelevant if I'm trying to
automate this). So, using the old keys to log in and rotate to the new keys is
also out.

I don't see how I manage key rotation without manual intervention at some
point, which means I'll either forget to do it sometime, or I'll manage to
mess it up and lock myself out of machines.

~~~
darkr
Manage them using a configuration management tool (e.g. puppet/chef/ansible).

Also, it's far better to have the pubkeys stored in a filesystem location (i.e.
not in the user's home directory) that the ssh daemon has read access to, and
no-one outside of root/config management has write access to.
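
An audit script for the layout described in that comment, added here as an example and not part of the thread: it checks that `AuthorizedKeysFile` in an sshd_config points outside home directories (absolute path, no `%h` token) and that the key directory and every file in it are owned by the expected account and not group- or world-writable. It assumes POSIX `ls -l` output (mode string in field 1, owner in field 3) and that the first `AuthorizedKeysFile` directive wins, as it does in sshd_config.

```sh
#!/bin/sh
# Audit an out-of-home authorized_keys layout (added example, not from the thread).

# Return 0 when every AuthorizedKeysFile path is absolute and free of %h.
# sshd uses the first occurrence of a keyword, so we stop at the first match;
# an absent directive means sshd's default, .ssh/authorized_keys under %h.
authorized_keys_outside_home() {
    paths=$(awk 'tolower($1) == "authorizedkeysfile" { for (i = 2; i <= NF; i++) print $i; exit }' "$1")
    if [ -z "$paths" ]; then
        echo "AuthorizedKeysFile unset: default is inside the home directory"
        return 1
    fi
    rc=0
    for p in $paths; do
        case "$p" in
            *%h*|[!/]*) echo "AuthorizedKeysFile $p resolves inside the home directory"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 when DIR and every entry in it are owned by OWNER (default root)
# and have neither the group-write nor the other-write bit set.
keydir_root_only() {
    dir="$1"; owner="${2:-root}"; rc=0
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: the glob stays literal
        set -- $(ls -ld "$f")            # $1 = mode string, $3 = owner
        mode=$1; who=$3
        if [ "$who" != "$owner" ]; then
            echo "$f: owned by $who, expected $owner"; rc=1
        fi
        case "$mode" in                  # char 6 = group write, char 9 = other write
            ?????w*|????????w*) echo "$f: writable by group or others ($mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh audit_keys.sh /etc/ssh/sshd_config /etc/ssh/authorized_keys
if [ $# -eq 2 ]; then
    authorized_keys_outside_home "$1" && keydir_root_only "$2" && echo "OK"
fi
```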

------
steventhedev
I wrote something similar, but in bash (and it uses the old key to rotate the
new key).

I'm half-surprised no one else had written something like this before. It's a
common enough problem.

[0] [https://github.com/stevenkaras/bashfiles/tree/master/.ssh](https://github.com/stevenkaras/bashfiles/tree/master/.ssh)

------
aren
Great tool. Key rotation is so often overlooked but really important.

For anyone who wants to _enforce_ ssh key rotation, consider using our product
Foxpass (YC S15), which (effectively) automatically removes keys after a set
amount of time (e.g. 90 days).

[https://www.foxpass.com/](https://www.foxpass.com/)

------
Chris2048
Woah, Eric S. Raymond. Not heard that name in a while :-)

~~~
iamthebest
Same here. I hadn't heard anything about him in years until 2014 when he took
on the task of converting the Emacs code base to git.

[https://lists.gnu.org/archive/html/emacs-devel/2014-01/msg00...](https://lists.gnu.org/archive/html/emacs-devel/2014-01/msg00005.html)

It was especially amusing when the repository was initially deployed
unpacked.

[https://lists.gnu.org/archive/html/emacs-devel/2014-11/msg00...](https://lists.gnu.org/archive/html/emacs-devel/2014-11/msg00659.html)

It took almost a year to complete but I am really glad he was able to make
this happen.

In browsing his site it's safe to say he's certainly been keeping busy. Can't
wait to check out his post titled "Why I joined the NRA".

