[Discuss] deadmanish login?

[john at johnbyrnes.info (John Byrnes)]

Hi Kent,

On Fri, Feb 03, 2017 at 01:20:11PM -0500, Kent Borg wrote:

> You are a proponent of ssh keys, right? And you encrypt yours, right? And
> you use a passphrase...that has how much entropy? I bet less than 100-bits
> of entropy, because typing good passphrases is really hard. I further bet
> that your key sits unencrypted much of the time because you are too lazy to
> type even your poor passphrase every time you would have to. Good passphrase
> hygiene is hard, much harder than good password hygiene.
> 
> Compared to a decent password (that isn't shared between systems*) ssh keys
> solve a problem that doesn't exist, yet they create additional problems that
> you ignore.
> 


You can keep your ssh keys on a PIN protected smartcard and only insert
it when you need to log in somewhere. Your keys never leave the
card. When the card is unplugged, an attacker has no access at all. I
feel like this is better than a password.  It also makes it easier to
keep the keys synchronized between boxes.

gpg-agent can allow access to GPG keys on a card with the
--enable-ssh-support option.

===
--enable-ssh-support
--enable-putty-support

    Enable the OpenSSH Agent protocol.

    In this mode of operation, the agent does not only implement the
    gpg-agent protocol, but also the agent protocol used by OpenSSH
    (through a separate socket). Consequently, it should be possible to
    use the gpg-agent as a drop-in replacement for the well known
    ssh-agent.
===


Cheers,
John