[aur-general] [AUR4] Support of multiple ssh public keys
Hi, I prefer to use individual ssh public keys on different machines, but I could register only single key in my profile on aur4.archlinux.org. Is there any chance to support multiple ssh public keys like github[1] or Bitbucket[2]? [1] https://help.github.com/articles/generating-ssh-keys/#step-4-add-your-ssh-ke... [2] https://confluence.atlassian.com/display/BITBUCKET/Add+an+SSH+key+to+an+acco... Best regards, Yuki Chiba -- Yuki Chiba yuki.from.akita@gmail.com
I prefer to use individual ssh public keys on different machines, but I could register only single key in my profile on aur4.archlinux.org. Yes, you can only register one at this moment.
Is there any chance to support multiple ssh public keys like github[1] or Bitbucket[2]? I think that this is not as much relevant with AUR, because it's just instructions on how to build your package, some ocasional patch and the support files (install, systemd service, etc). The real development should be done on te services you mentioned, github, etc. I don't think
Em 11-06-2015 16:18, Yuki Chiba escreveu: the aur devs shouldn't sweat too much to implement this. You can, if you wish, register another user in the AUR, give that user co-maintainer rights. A dirty way to have more than one ssh key. Cheers, Giancarlo Razzolini
On Thu, 11 Jun 2015 at 21:18:11, Yuki Chiba wrote:
Hi,
I prefer to use individual ssh public keys on different machines, but I could register only single key in my profile on aur4.archlinux.org.
Just out of curiosity: Is there any reason for using different SSH keys per machine (for the same server)? Or is it really just a preference?
Is there any chance to support multiple ssh public keys like github[1] or Bitbucket[2]?
That would not be too hard to implement. I might add it before the final 4.0.0 release.
[1] https://help.github.com/articles/generating-ssh-keys/#step-4-add-your-ssh-ke... [2] https://confluence.atlassian.com/display/BITBUCKET/Add+an+SSH+key+to+an+acco...
Best regards, Yuki Chiba -- Yuki Chiba yuki.from.akita@gmail.com
On 06/11/2015 10:44 PM, Lukas Fleischer wrote:
Just out of curiosity: Is there any reason for using different SSH keys per machine (for the same server)? Or is it really just a preference?
I can't speak for Yuki, but I do it in order to be able to revoke only the related keys if a machine is compromised/stolen/lost (FDE and strong passphrases only buy you some time to do it).
Em 11-06-2015 17:56, Remi Gacogne escreveu:
(FDE and strong passphrases only buy you some time to do it). In the case of stolen/lost, it buy you a lot of time. Or you are aware of some cryptanalisys development I'm not aware of.
Now, if your machine is compromised, then I think that you might have bigger worries than the keys used to publish some packages on AUR. Cheers, Giancarlo Razzolini
On Thu, Jun 11, 2015 at 5:59 PM, Giancarlo Razzolini <grazzolini@gmail.com> wrote:
Em 11-06-2015 17:56, Remi Gacogne escreveu:
(FDE and strong passphrases only buy you some time to do it).
In the case of stolen/lost, it buy you a lot of time. Or you are aware of some cryptanalisys development I'm not aware of.
Now, if your machine is compromised, then I think that you might have bigger worries than the keys used to publish some packages on AUR.
Cheers, Giancarlo Razzolini
That's certainly true, but it's not the point. Seperate, individually revokable keys are a good idea if someone will be submitting from multiple machines. And it would help protect AUR down the line. So if it's fairly easy to implement, like Lukas said, +1 on that.
On Thu, 11 Jun 2015 21:58:33 -0400 David Kaylor <dpkaylor@gmail.com> wrote:
On Thu, Jun 11, 2015 at 5:59 PM, Giancarlo Razzolini <grazzolini@gmail.com> wrote:
Em 11-06-2015 17:56, Remi Gacogne escreveu:
(FDE and strong passphrases only buy you some time to do it).
In the case of stolen/lost, it buy you a lot of time. Or you are aware of some cryptanalisys development I'm not aware of.
Now, if your machine is compromised, then I think that you might have bigger worries than the keys used to publish some packages on AUR.
Cheers, Giancarlo Razzolini
That's certainly true, but it's not the point. Seperate, individually revokable keys are a good idea if someone will be submitting from multiple machines. And it would help protect AUR down the line. So if it's fairly easy to implement, like Lukas said, +1 on that.
Easiest way to attack a password protected private key: Just put a keylogger on the target. This is why we need u2f/similar support everywhere :/
On 06/11/2015 11:59 PM, Giancarlo Razzolini wrote:
In the case of stolen/lost, it buy you a lot of time. Or you are aware of some cryptanalisys development I'm not aware of.
I am not, but everything depends on your threat model. If you are targeted via an "evil-maid", or a cold-boot attack, FDE may be doomed. In addition to that, passphrase-protection on SSH keys has been weak for a long time, because a single MD5(IV || passphrase) is applied to generate the AES key used to encrypt the SSH key [1]. OpenSSL 6.5 introduced a new KDF [2] using bcrypt, enabled by default for ed25519 keys but not for RSA keys, so you may want to upgrade your keys to use the new KDF manually.
Now, if your machine is compromised, then I think that you might have bigger worries than the keys used to publish some packages on AUR.
Agreed :) [1] https://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-ke... [2] http://www.tedunangst.com/flak/post/new-openssh-key-format-and-bcrypt-pbkdf
Em 12-06-2015 05:15, Remi Gacogne escreveu:
I am not, but everything depends on your threat model. If you are targeted via an "evil-maid", or a cold-boot attack, FDE may be doomed. Which is why I use secureboot + TPM + this: https://aur.archlinux.org/packages/mkinitcpio-chkcryptoboot/ and this: https://aur.archlinux.org/packages/chkboot/
And I have plans to port the tails memory erase to archlinux.
In addition to that, passphrase-protection on SSH keys has been weak for a long time, because a single MD5(IV || passphrase) is applied to generate the AES key used to encrypt the SSH key [1].
I'm aware of this, which is why I use Keepass + Keeagent, so not only my key is encrypted inside the keepass database, it also has a very long passphrase.
OpenSSL 6.5 introduced a new KDF [2] using bcrypt, enabled by default for ed25519 keys but not for RSA keys, so you may want to upgrade your keys to use the new KDF manually.
I rotate my keys at least twice a year. And now that keeagent supports ed25519 keys, I probably will rotate more often. Now, for the AUR, if it's a simple implementation, then I don't see why not do it. Just I don't see much benefit in compartimentalizing your ssh keys too much. Perhaps of for work and one personal will do. Cheers, Giancarlo Razzolini. Cheers,
Lukas Fleischer <lfleischer@archlinux.org> writes:
On Thu, 11 Jun 2015 at 21:18:11, Yuki Chiba wrote:
Hi,
I prefer to use individual ssh public keys on different machines, but I could register only single key in my profile on aur4.archlinux.org.
Just out of curiosity: Is there any reason for using different SSH keys per machine (for the same server)? Or is it really just a preference?
I want to exclude the possibility that my secret keys are leaked while I try to transfer them to different machines by some ways (e.g. a use of USB sticks). I know that it rarely happen, but I want to avoid the dangerousness which can be avoided.
Is there any chance to support multiple ssh public keys like github[1] or Bitbucket[2]?
That would not be too hard to implement. I might add it before the final 4.0.0 release.
I'm very glad if my request is implemented on AUR4. Thank you for your correspondence. Best regards, Yuki Chiba -- Yuki Chiba yuki.from.akita@gmail.com
participants (6)
-
David Kaylor
-
Giancarlo Razzolini
-
Lukas Fleischer
-
Remi Gacogne
-
Yuki Chiba
-
Øyvind Heggstad