Abandoning SSH Password Authentication

All too often, I find myself logging into remote computers using a password. You should, of course, never do this. You should always be using pubkey authentication, and password authentication should always be disabled on your machines, but still, I find myself logging into my servers with a password and obviously not disabling the feature. Why? Well, it all goes back to the annoyance of moving my public keys around, especially since I make an effort to never move my keys between machines. I generate separate keys for each machine I have, and I generate new keys when I reinstall my machines. Obviously, this makes it difficult to keep everything up to speed, but it doesn’t have to be so hard.

The solution? Git. I have created a git repo at https://github.com/ColtonDRG/ssh-keystore where I can store all of my id_rsa.pub files after generating new keys. There is also a shell script that erases the contents of the authorized_keys file and then recreates it with all of the keys from that repo. That way, all I have to do is git pull followed by ./install and the latest set of keys is installed. I can also very easily automate this process via cron or maybe even a webhook. This way, all I have to do when I get a new key that I want installed on all my servers is simply push a copy of the key to the git repo. What if I want to revoke a key? The script deletes the contents of the authorized_keys file before generating a new one, so I simply have to delete the key in question from that repository. It’s very handy.

Wait though, there’s a small problem. Some machines might not have git installed. What then? Enter https://security.coltondrg.com/ssh/. This is a copy of the repo that’s accessible over http with easily memorable URLs, so any keys can easily be downloaded from there, and the latest pre-generated copy from the install script is also available at https://security.coltondrg.com/ssh/authorized_keys.

This works really nicely for me, as I can now disable password authentication on all my machines without facing the issue of being unable to access a machine because the device I currently happen to be using doesn’t have its key installed.
