SSH keys for travelers
From BNL Physics Computing
Ways to safely use SSH keys while traveling
This topic gives suggestions on how to safely use SSH keys while traveling. No matter which method you prefer, you must make sure your SSH keys are protected by a passphrase. If you neglected to enter one when you generated them, you can fix that right now by typing:
ssh-keygen -p
It will prompt you for which key to operate on, then for the old passphrase and a new one.
Take your own laptop
If you have a laptop, just copy your ~/.ssh/id_* files to the ~/.ssh/ directory in your laptop account's home directory. Then follow the usual procedures.
This is the safest method. You need only trust that the hardware and OS have been under your control and are free of any viruses or trojans.
Put your keys and client on removable media
You can store an SSH client program and your keys on removable media (floppy, USB flash drive, etc). Using a borrowed host computer, run your own trusted client and direct it to use your keys.
A note for doing this with a GNU/Linux host: OpenSSH requires that the keys are not world readable. Since it is unlikely that the UID of the borrowed user matches the one used to write the keys, you must write the keys world readable on the media, copy them to the host account, and set the copies world unreadable. This is risky, as it would be easy to forget to delete the keys when the session is done.
This method is safe only as long as you can trust the hardware and OS on the system you are borrowing. Be aware that hardware and software keystroke sniffers are cheap and easy to install. They will compromise your passphrase and any sensitive information you type. Since the OS has access to your keys, they can be copied off the removable media and stored, along with your passphrase, for later use.
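One way to take the "forgot to delete the keys" step out of the procedure above is to wrap the copy, the permission change and the cleanup in a single shell function. This is an added example, not part of the original page; the function name ssh_from_media, the SSH_BIN variable and the paths in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page).
# Usage: ssh_from_media /media/usb/id_ed25519 user@host   (placeholder paths)
# SSH_BIN (hypothetical variable) can point at your own trusted client on
# the removable media; it defaults to the ssh found in PATH.

ssh_from_media() {
    key_src=$1; shift
    old_umask=$(umask)
    umask 077                   # the staged copy is never group/world readable
    stage_dir=$(mktemp -d "${TMPDIR:-/tmp}/sshkey.XXXXXX") || {
        umask "$old_umask"; return 1
    }
    # Delete the staged key on exit and on hangup/interrupt/terminate.
    # Note: this replaces any EXIT trap the calling script had set.
    trap 'rm -rf "$stage_dir"' EXIT HUP INT TERM

    status=1
    if cp "$key_src" "$stage_dir/key" && chmod 600 "$stage_dir/key"; then
        umask "$old_umask"
        status=0
        # The client still asks for the key's passphrase as usual.
        "${SSH_BIN:-ssh}" -i "$stage_dir/key" "$@" || status=$?
    fi

    # rm only unlinks the copy; it does not protect against a host that
    # has already read the key.
    rm -rf "$stage_dir"
    trap - EXIT HUP INT TERM
    umask "$old_umask"
    return "$status"
}
```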
This method requires full trust in the borrowed host hardware and OS. It is not recommended for use with systems with unfettered public access (public cyber cafes, library computers).
Put an entire OS on removable media
To avoid trusting the OS, you can bring your own and boot the borrowed host with it. One example is Knoppix, a live GNU/Linux CD. You can either add your keys to the CD before burning or bring them along on a floppy or USB flash drive.
For extra security, particularly when you must store sensitive information, consider Encrypted Debian on a USB flash drive.
This still leaves you vulnerable to hardware sniffers, but given that there is no way to copy your keys for later use, it is relatively secure.
