SSH Fail

I'm very very angry just at the moment, I'm angry about a total mismatch of expectations in the name of 'usability' that has invalidated what I thought was a totally reasonable security mechanism that I more or less took for granted.

I have an SSH key. ~/.ssh/id_dsa. I have a passphrase on that key, so that if someone compromises my machine, all they have is a key, and they have to brute force my (rather long) passphrase. I have ssh-agent to remember my passphrase in memory so that I don't ever let that passphrase hit disk, but have the passphrase cached.

Running ssh-add -D should wipe that passphrase from memory so I have to type it again. I was toying with doing this nightly so that it would wipe the passphrase every night so when I log in the next morning my passphrase needs to be re-entered.

This is where the nightmare begins. On the weekend my machine crashed so I had to start a fresh this morning. I sit down, log in, fire up a terminal, and ssh into another host.

Bam, I'm straight in. No passphrase, no prompt, nothing. Just straight in. This shouldn't be possible. Either the passphrase has been removed from my key so that it can be used without a passphrase, or something is saving it to disk without my knowledge.

Fedora 9 in its default configuration will save your passphrase to disk if you're logged in under gnome. I don't know how to turn it off. I feel angry, violated, annoyed and really really frustrated. It was a simple thing and it's been fucked. I can't turn it off, I can't stop gnome from remembering my passphrase, I feel like pulling the drive, hitting it with a hammer, and going back to OSX instead.

At least OSX can get simple things like ssh-agent right.



jml said...

That really sucks. Does Ubuntu suffer from this problem?

glyph said...

Wow. That is absolutely terrible. If they were really concerned with "usability", presumably there would be some kind of graphical representation of your loaded keys. This isn't "usability", it's a horribly misguided attempt to make things convenient.

Cory said...

OS X has its own crypto fail of exactly the same kind. In its default configuration, File Vault stays on when you suspend to disk. In other words, if your laptop is stolen while suspended (which, for most of us, is the majority of its existence) your crypto avails you nothing.

Anonymous said...

RedHat has a long tradition of sacrificing compatibility, security and correctness for "user friendliness" and the appearance of convenience. It's like the slow windozization of unix.

Anonymous said...

In ubuntu there is an option to decrypt the key on login, I've never enabled so I'm not sure how to reverse it but it does look like gnome-keyring would be storing it. Might be the same in Fedora