SSH and GPG key storage

SSH and GPG key storage

Post by Michael B Alle » Mon, 04 Aug 2003 08:13:52



Is my ~/.ssh/id_rsa private key for ssh encrypted?

OpenSSH uses a private key passphrase but just from looking at it,
it doesn't look too secure to me:

$ cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,550111791F3084ED

L1bKcwXRVGeKODgSei3Nh1NgxKvG9Epk9nF+2zL/WadapDVqTnMPZchIbUDU5XOG
lofobgZlVbX/kIzum8PdaIoxYAKC0Fib0dtIZuf7bwvAcUbv+II3Ac3MdUNJ/Uot
Z9bTwzwzqm+yuMva8YzAlZYwJ3TyHI5nNjWamRlyhsT/hIcp8mrCwlncZSBZy675
rX2F9n+atKMecZXUUV54+Z3hlD3F3+wKsm0jW3aU+y7X4iBJOwDMva8YzAlZYwJ3
9r0n4oUH1JqeHuYtNzdJ+niBHS7QMeKuo9//VURErtjbilMyo2Y/VQFV/PTeT69J
Rzhn478+uf/fg0uE847u1ecEzFiVGhBifA+HBDtkO41iw+OUU+eM/0iy6/NivnZi
tjfeCeIimjI3jOYlnQqK4VtyhqJbUDU5XOGTtucP2P+d4iSTtct97mtdSQkym4vy
X2uQuAppQBPVmYMmLGKy61tCQHmMQngpWtCoD7J4Ixzd4C1NmqfAkx5UxR8ZYGdC
ejtHGKQ0K+Zxb/bFkV/V1D+jqtAnFdN/3L7uz2zQwjTxshACTQhmbf/NP3X37pJM
ZW9D90xwjI9MBQk6zsrD7Vmq6o4Hz3bdANVr8zffP3u+cP6MEGs+EA+Z3hlD3FJo
V4/EXHjBUKdzuEGNeC5hksfGBuppU8Lu/XxSL6L0CNoQU/YHU+sAc/LtaB0yDgo0
LZDEkMHAuzerKxR8ZYGdC+loh2KH4TTXd2ALIUgLX8mISyqszYnXN9mCSXl3ZYS3
6Bw6mGtiS3zzmmbnMer89h1joKht++cSP7D7ee0TbOBf23M2p1bLDw==
-----END RSA PRIVATE KEY-----

Shouldn't this be in some kind of keystore that's encrypted itself? If
this is encrypted what's the difference between this and say the pgp
keystore? Why aren't keys stored in a standard location? Is there a way
to specify .ssh/id_rsa.pub with gpg or do I have to import that key
pair into th gpg keystore? Is there a way to instruct ssh to look at
the gpg keystore?

Thanks,
Mike

 
 
 

SSH and GPG key storage

Post by Michael B Alle » Mon, 04 Aug 2003 11:47:48



>>$ cat .ssh/id_rsa

> <snip>

> I hope you consider your key to be comprimised now.

No I don't. I changed the content. Good luck cracking it.

Quote:>>Shouldn't this be in some kind of keystore that's encrypted itself? If
>>this is encrypted what's the difference between this and say the pgp
>>keystore? Why aren't keys stored in a standard location? Is there a way
>>to specify .ssh/id_rsa.pub with gpg or do I have to import that key pair
>>into th gpg keystore? Is there a way to instruct ssh to look at the gpg
>>keystore?

> Keystore? Do you mean some sort of binary key container?

A "keystore" is a place to store keys.

Quote:> If yes, what would be the point?

The point of using a keystore would be to have all keys in one location
protected with a single passphrase instead of being strewn about the
system.

Quote:> Just as with any system, your SSH key is only as
> safe as the machine it is stored on.

Mmm, I thought that the private key was encrypted to prevent people who
have access to the machine from gaining access to it. So encrypting the
private key is worthless then. Interesting.

Quote:> If you are admin for your
> particular *nix machine, one would assume you have the appropriate
> permissions on user home directories to keep others out.

Who said anything about unix or directory permissions? What do you do
with private keys on laptops that can get stolen (like mine) or PDAs
with no concept of a "home directory"?

Quote:> What do you mean why isn't it in a "standard" location? It is! ~/.ssh is
> the _standard_ location for OpenSSH keys. If you are asking why OpenSSH
> and PGP Keys don't go in a single location, that's because they are
> different keys for different products.

> How are you going to import a SSH key into GPG/PGP? They are different
> software packages. I highly doubt they are compatible.

Why would they not be "compatible"? SSL, SSH, and GPG/PGP use symmetric
keys right? Each key pair has an algorithm, a size, etc. Perhaps it would
have been prudent to parameterize this information so that keys could
be shared between applications? Applications could query the "keystore"
in a "standard location"? The keys that meet the requirements of the
application would be displayed to the user who would select one?

Most users will probably only ever need one public/private key
pair. This pair could be on a secure server somewhere or on physical
media. When installing an operating system the user would be prompted
for the servername (or physical media) and passprase. Now during the
installtion and when installing different packages like http with ssl,
postfix with tls, e-mail clients with pgp, ssh, encrypted filesystems,
and so on the keys are readily available.

Maybe this is a really bad idea but it sure *sounds* good to me.

Mike

 
 
 

SSH and GPG key storage

Post by Michael B Alle » Mon, 04 Aug 2003 17:12:59



>>Most users will probably only ever need one public/private key pair.
>>This pair could be on a secure server somewhere or on physical media.
>>When installing an operating system the user would be prompted for the
>>servername (or physical media) and passprase. Now during the installtion
>>and when installing different packages like http with ssl, postfix with
>>tls, e-mail clients with pgp, ssh, encrypted filesystems, and so on the
>>keys are readily available.

> I'd aruge that would be a horrible situtation. One box / key compromised
> and _all_ of your services that rely on that single key are compromised.
> It's the same situation when you use a single password for multiple
> logins.

You're going to manage multiple private keys per machine on a big
network? That's just insanity.  Why is this different from the private
key on a Kerberos Key Distribution Center? Or one of the master private
keys used by a CA to sign SSL certificates? When someone has to log
into 150 boxes with ssh do they upload a different public key to each
machine so all the machines aren't compermised if the private key is
compermised? I seriously doubt there are a lot of admins that do that.
If there's a keylogger on your machine you're pretty much screwed no
matter what you do.

Mike

 
 
 

1. PGP and GPG (+ GPG Shell)

Hello,

Is anybody aware of incompatibilities between PGP and GPG?

At work, I am using PGP Freeware version 7.0.3 on Windows 98.
At home, I am running Windows Me and I tried to use GPG and
GPG Shell (2.27). But it is important for me to be able to
share some keys between my workplace and my home.

When I try to import, at home, the keys generated by PGP 7.0.3
into GPG Keys (they have been exported and placed into a '.ASC'
file at work), I get the following errors:

- No message from Gnu PG -

Run-time error 53: file not found

Does anybody have an idea why GPGkey is unable to import a key
from my file?

Thank you for your help

Marie-No?lle Baechler

2. Screen Mode Driver for NEC 3D Want

3. PGP key import into GPG with time error

4. Fs: Tandy stuff...

5. Some questions about obsolete keys (GPG).

6. AUDIO Dev.

7. Problems encrypting to gpg public key with PGP

8. what are you goint to support next days ....

9. GPG - Key date extension

10. Import GPG private key into PGP?

11. Can I use my PGP keys with GPG?

12. gpg: encrypted with 2048-bit ELG-E key, ID

13. Can't Import Public Key (GPG)