Keeping Private SSH Keys Safe

Posted by Carmen on Server Fault See other posts from Server Fault or by Carmen
Published on 2012-01-28T05:47:55Z Indexed on 2012/04/10 23:32 UTC
Read the original article Hit count: 288

Filed under:

ssh

|

two-factor

|

hsm

I have a central server where I stored all the private ssh keys to the different machines that I want to ssh to. Currently, only sysadmins have access to this 'central' server.

Given the above scenario, I like to ask the following questions:

How do you protect your private ssh keys? I read about ssh-agent but I am not sure how to use it or if it can be used in this situation.
If a sysadmin leaves and he copies all the private ssh keys, then he has access to all the servers. How do you deal with this situation?

© Server Fault or respective owner

Related posts about ssh

Problem with hadoop start-dfs.sh

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I installed and configured hadoop on my Ubuntu 14.04 server, virtualized inside of hyper-v, however I am getting an issue when i run start-dfs.sh root@sUbuntu01:/var/log# start-dfs.sh 14/06/04 15:27:08 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java… >>> More
SSH problems (ssh_exchange_identification: read: Connection reset by peer)

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I was running 11.10 and decided to do the full upgrade and come up to 12.04 after the update SSH (not SSHD) is now misbehaving when attempting to connect to other OpenSSH instances. I say OpenSSH as I am running a DropBear sshd on my router and I am able to connect to it. When attempting to connect… >>> More
SSH main process ended

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have a running ubuntu server 10.04.1. When I tried to login to the server via ssh, I could not. Instead, I got connection refused error. I tried to ping the machine and I got reply! So, the clear reason is that SSH daemon is stopped. After reboot, I was able to login to my server via ssh. After… >>> More
SSH server not working (respawns until stopped)

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have a running Ubuntu Server 10.04.1. When I tried to login to the server via ssh, I could not. Instead, I got connection refused error. I tried to ping the machine and I got reply! So, the clear reason is that SSH daemon is stopped. After reboot, I was able to login to my server via ssh. After… >>> More
Cannot SSH after resetting firewall on VPS

as seen on Server Fault - Search for 'Server Fault'
I'm having trouble trying to SSH to my Debian 5 VPS with blacknight. It was working fine until I did the following: Logged into 'Parallels Infrastructure Manager' - Container - Firewall - Set to 'Normal Firewall settings'. It told me there was an error with the IPTables and offered the option again… >>> More

Related posts about two-factor

HTG Explains: What Is Two-Factor Authentication and Should I Be Using It?

as seen on How to geek - Search for 'How to geek'
More and more banks, credit card companies, and even social media networks and gaming sites are starting to use two-factor authentication. If you’re a little unclear on what it is or on why you’d want to start using it, read on to learn how two-factor authentication can keep your data secure. … >>> More
SSH: Two Factor Authentication

as seen on Server Fault - Search for 'Server Fault'
I currently have a Ubuntu Server 12.04 running OpenSSH along with Samba and a few other services. At the current time I have public key authentication set up, and I'm wondering if it's possible to set up two factor authentication? I've been looking at Google Authenticator which I currently use with… >>> More
Increase Security by Enabling Two-Factor Authentication on Your Google Account

as seen on How to geek - Search for 'How to geek'
You can easily increase the security of your Google account by enabling two-factor authentication; flip it on today for a free security boost. It’s not a new feature but it’s a feature worth giving a second look. Watch the above video for a quick overview of Google’s two-factor… >>> More
How To Use Google Authenticator and Other Two-Factor Authentication Apps Without a Smartphone

as seen on How to geek - Search for 'How to geek'
Google, Dropbox, LastPass, Battle.net, Guild Wars 2 – all these services and more offer two-factor authentication apps that work on smartphones. If you don’t have a supported device, you can run an alternative application on your computer. When you log in, you’ll need to enter a time-based code from… >>> More
Does Hotmail really offer two-factor authentication? [closed]

as seen on Super User - Search for 'Super User'
I've read multiple news articles that claim Hotmail offers two-factor authentication. One of the articles describes Hotmail's system, saying ...whenever you go to Hotmail...you can choose to get a single-use code–a string of numbers that will be sent via text message to your phone–to use instead… >>> More