aboutsummaryrefslogtreecommitdiff
path: root/posts/single-use-ssh-keys.md
blob: df4445c13c6390b2b012e1040ebc6d5e50255a27 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
% Single-Use SSH Keys
%
% 23 Aug 2015

**NOTE:** This is a "retroposted" article -- I originally created and
wrote this in the summer of 2015, but now (30 Nov 2019) I'm revising
it and merging it into my new blog system. There was some discussion
about this on [Hacker
News](https://news.ycombinator.com/item?id=10105661) at the time. The
concept here is a bit useless now (everyone's got an SSH client on
their phone, right?), but I think it's a neat thing to have, just in
case.

This article outlines a system of "single-use SSH keys" -- SSH keys
which, when used to log in, automatically delete themselves from the
user's `authorized_keys` file.

## Motivation

Say you're stranded without a laptop, but you need to SSH into a
remote box for some urgent maintenance. You could carry a flash drive
around with a long-term SSH key, but would you trust that to a public
computer?

This issue could be partially resolved with a "disposable" SSH key --
a key that can only be used to log in once (ideally you'd never have
to do this -- but the world is non-ideal^\[[citation
needed](https://xkcd.com/285/)\]^). The idea is that you'd generate one
or two keys in advance and use them as needed in situations like the
one above.

## How It Works

Each key in a user\'s `.ssh/authorized_keys` file can be modified to run
a command when the key is used for authentication. This mechanism can be
(ab)used to delete the key from the list after it is used to log in:

~~~ {bash}
command="sed -i \"/MYMH_user_DONOTMODIFYTHISCOMMENT_onetime0^/d\" $HOME/.ssh/authorized_keys ; $SHELL" ssh-rsa AAAA.... MYMH_user_DONOTMODIFYTHISCOMMENT_onetime0
~~~

## Threat Model

This system is far from perfect. It does *not* offer any protection
against the following:

- Theft of unused, unencrypted keys.
- Injection of commands by an SSH client.

It *does*, however, protect against a long-term key from being stolen
and being used by an attacker to authenticate later, because a key is
rendered worthless after being used.

## Script Download

To automate the process, I\'ve written a simple shell script that
automatically generates and sets up some single-use keys.

The script can be downloaded from [here](/pub/onetime_ssh.sh).\

::: {.fine}
SHA1: 5a68f99d933003dc4aac17134af5186c65d50efa\
MD5: c1e4b1d03d516711f006d96e974ce9e9
:::