Protect authorized_keys and known_hosts?

postcd

/home/me/.ssh/known_hosts
/home/me/.ssh/authorized_keys

I would like to put these files in an encrypted folder that is decrypted manually after Linux Raspbian 10 starts.
Why? I do not want anyone to discover those files' contents (consider someone stealing the drive; my Raspbian installed from NOOBS did not offer me /home directory encryption).

I read that I can define a custom path in /etc/ssh/sshd_config (or ssh_config?):
AuthorizedKeysFile
UserKnownHostsFile

I have not tried it; I would like to read some feedback. Thank you.

By the way, somehow the stupid Raspbian by default allowed all users to read other users' files and see other users' processes. I eliminated that; maybe without that, other users would be able to see the contents of those SSH files.
 


dos2unix

You could change this line in your /etc/ssh/sshd_config file.

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

But then all someone has to do... is look at this file to know where your keys are.

Normally the authorized keys file has permissions of 644 so no one but the owner (you)
can edit this file.

You can change permissions on your home directory, so it can only be seen by you and root.
(that is the default on most distros)

But letting people see your public keys isn't really a problem. They only work if you have the private key. That's what you need to protect.

You can put a . (period) before any folder in any location to "hide" it.
mv mysecretfolder .mysecretfolder

It won't show up using ls, but it will still show up using ls -a (all)

The other thing you could possibly do is put it in an obscure place.

maybe something like...
/usr/lib/python3.8/site-packages/__pycache__/.mysecretfolder

A better name might be...

/usr/lib/python3.8/site-packages/__pycache__/.ab12yu78op1cv34

then

chown -R myusername /usr/lib/python3.8/site-packages/__pycache__/.ab12yu78op1cv34
chmod -R go-rwx /usr/lib/python3.8/site-packages/__pycache__/.ab12yu78op1cv34

My system has over 20,000 directories and subdirectories; it's highly unlikely someone will
search through every one of those directories.

If that's not good enough, you can still use PGP (Pretty Good Privacy)
and encrypt each file manually. You can't open it unless you know the password.

Kind of like a password protected zip file.
 

postcd

letting people see your public keys isn't really a problem. They only work if you have the private key. That's what you need to protect.
I would think that at least the public key in ~/.ssh/authorized_keys (or in known_hosts) is a unique identifier that allows one to prove some person had access to those computers (which for some may be nothing to be concerned about).


You mean this file:
File: ‘/root/.ssh/id_rsa’
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
When accessed by an unwanted person, they can then connect password-less to all remote servers to which I "ssh-copy-id [email protected]"?
But when someone steals my HDD which has /home (and /root?) unencrypted, then he can do it and there is no way to prevent it, except a) encrypting /home or the HDD, or b) adding the file to some encrypted container that I decrypt after boot, after which I can use SSH password-less access to remote computers. Another option c) is setting a password when generating the key (ssh-keygen), so that the private key file is useless without knowing the password?

Is anyone using a custom encryption script to decrypt SSH files for password-less SSH access?
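
Option c) from the post above can be checked without touching key material: the header of a private key file shows whether a passphrase is set. The script below is an added example, not part of the thread; the function names and the sample files are constructed for illustration.

```sh
# Added example: classify SSH private key files as passphrase-protected or
# not by inspecting the file header only; no key material is decoded.

# key_protection FILE -> prints "encrypted", "unencrypted" or "unknown"
key_protection() {
    case $(head -n 1 "$1" 2>/dev/null | tr -d '\r') in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # The base64 body encodes "openssh-key-v1\0", a 4-byte length and
        # the cipher name. Cipher "none" (no passphrase) always yields the
        # longer prefix matched first below.
        case $(grep -v '^-----' "$1" | tr -d '\r\n') in
        b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) echo unencrypted ;;
        b3BlbnNzaC1rZXktdjEA*)            echo encrypted ;;
        *)                                echo unknown ;;
        esac ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")
        echo encrypted ;;                  # PKCS#8 encrypted container
    "-----BEGIN "*"PRIVATE KEY-----")
        # Legacy PEM marks passphrase protection with a Proc-Type header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
        then echo encrypted; else echo unencrypted; fi ;;
    *)  echo unknown ;;                    # public keys, configs, other files
    esac
}

# audit_keys DIR -> one "status<TAB>path" line per private key found in DIR
audit_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        s=$(key_protection "$f")
        [ "$s" = unknown ] || printf '%s\t%s\n' "$s" "$f"
    done
}

# write_samples DIR: constructed, header-only samples (not usable keys)
write_samples() {
    printf '%s\n' "-----BEGIN OPENSSH PRIVATE KEY-----" \
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ==" \
        "-----END OPENSSH PRIVATE KEY-----" > "$1/id_plain"
    printf '%s\n' "-----BEGIN OPENSSH PRIVATE KEY-----" \
        "b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0" \
        "-----END OPENSSH PRIVATE KEY-----" > "$1/id_locked"
    printf '%s\n' "-----BEGIN RSA PRIVATE KEY-----" \
        "Proc-Type: 4,ENCRYPTED" "-----END RSA PRIVATE KEY-----" > "$1/id_legacy"
    echo "ssh-ed25519 AAAA... constructed" > "$1/id_plain.pub"
}

# Demo on the constructed samples; on a real system run: audit_keys ~/.ssh
demo=$(mktemp -d) && write_samples "$demo" && audit_keys "$demo"
```

Any key reported as unencrypted is usable by whoever obtains the disk, so it is the one to protect with a passphrase or an encrypted volume.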
 

