by jbverschoor 2541 days ago
Or the private keys in ~/.ssh?

The private keys in .ssh can be stored encrypted. I do that, and store the decryption key in macOS keychain.
Can you share how to achieve this?
On linux, I use ssh-agent. My key at ~/.ssh/id_rsa is encrypted.

When my shell starts, it boots ssh-agent (add "eval `ssh-agent`" to your ~/.bashrc)

Still in the shell boot, it tries to add the ssh key to the keychain (add "ssh-add" to your ~/.bashrc), and it asks for my private key password. Once I enter the password, my key is unlocked for as long as ssh-agent is running (usually until I shut down my computer).

My password is long, and I only need to enter it once a day, so it's not really a problem. You can add multiple keys to the ssh-agent (ssh-add mykey.pem). The private key must have these permissions: 0400 (chmod 0400 mykey.pem).
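The setup described in the comment above (agent started from the shell rc file, passphrase-protected key added once, 0400 permissions on the key file), written out as an added example that is not from the thread. It goes slightly beyond the comment: the agent's environment is cached in a file so that new shells reuse one agent instead of spawning one per terminal, and keys with open permissions are refused before ssh-add is called. The file name ~/.ssh/agent.env, the SSH_KEYS variable and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original comment: idempotent ssh-agent bootstrap
# for ~/.bashrc. Source this file and call ssh_bootstrap from an interactive shell.
# Assumed names (not in the original): SSH_KEYS, AGENT_ENV, ~/.ssh/agent.env.

SSH_KEYS="${SSH_KEYS:-$HOME/.ssh/id_rsa}"        # space-separated list of private keys
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"   # where ssh-agent's exports are cached

# Return 0 when the file is owner-only (0400 or 0600), which is what ssh and
# ssh-add insist on for a private key; anything more open is rejected.
# Portable: uses the ls mode string instead of GNU/BSD-specific stat flags.
key_perms_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -r--------|-rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when an agent answers on SSH_AUTH_SOCK. ssh-add -l exits 0 (keys
# loaded), 1 (agent up but empty) or 2 (cannot reach an agent).
agent_alive() {
    [ -n "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# Start an agent only if the cached one is gone. Returns 0 if a new agent was
# started (so keys still need loading), 1 if an existing agent was reused.
start_agent() {
    [ -r "$AGENT_ENV" ] && . "$AGENT_ENV" >/dev/null
    agent_alive && return 1
    umask 077                       # agent.env names the socket; keep it private
    ssh-agent -s > "$AGENT_ENV"     # prints the SSH_AUTH_SOCK/SSH_AGENT_PID exports
    . "$AGENT_ENV" >/dev/null
    return 0
}

# Add each key once; ssh-add prompts for the passphrase of an encrypted key,
# which is the single daily prompt the comment describes.
load_keys() {
    for k in $SSH_KEYS; do
        [ -f "$k" ] || continue
        if ! key_perms_ok "$k"; then
            printf 'refusing %s: permissions too open, run chmod 0400 %s\n' "$k" "$k" >&2
            continue
        fi
        ssh-add "$k"
    done
}

ssh_bootstrap() {
    case $- in *i*) ;; *) return 0 ;; esac   # never prompt in non-interactive shells
    if start_agent; then
        load_keys
    fi
}

# In ~/.bashrc:   . ~/.ssh/agent.sh && ssh_bootstrap
```

The permission check and the "reuse the existing agent" path are what keep this from prompting for the passphrase in every new terminal; the single prompt happens only when no agent is reachable, which on a desktop is typically once per login session.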

I can already see the headline "ssh-agent desktop application stores private keys in plain text".

There is no solution to the problem of the author beyond demanding a password on every single interaction.

You almost certainly should be storing your keys encrypted with a decent passphrase.
And if you want headless access this passphrase will be stored unencrypted. This is nothing more than security Kabuki theater.
Well, yeah, some keys must be unencrypted to be useful. But in a lot of cases you can and should encrypt your keys used to do manual stuff.
In this scenario, wouldn't that mean the user will have to enter a passphrase on each Trello boot to be able to use it?

(ask for passphrase -> decrypt auth token -> Access API)

No, you use ssh-agent.
Or you can restrict the file with the key to a specific user and only run the process as that user.

The point is, you haven't actually solved the problem. It's not magic. In a 2-system authentication scheme, where headless access is necessary, a key needs to be somewhere in plaintext accessible to the process. You can obfuscate this, or add OS controls, or hardware chips, or ssh-agent, or keystores, or web-services for keys, but it doesn't change this reality.

Indeed, if you want to do something stupid, something stupid will be the result.