SSH and GPG key storage - PGP


Thread: SSH and GPG key storage

  1. SSH and GPG key storage

    Is my ~/.ssh/id_rsa private key for ssh encrypted?

    OpenSSH uses a private key passphrase but just from looking at it,
    it doesn't look too secure to me:

    $ cat .ssh/id_rsa
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,550111791F3084ED

    -----END RSA PRIVATE KEY-----

    Shouldn't this be in some kind of keystore that's encrypted itself? If
    this is encrypted what's the difference between this and say the pgp
    keystore? Why aren't keys stored in a standard location? Is there a way
    to specify .ssh/id_rsa.pub with gpg or do I have to import that key
    pair into the gpg keystore? Is there a way to instruct ssh to look at
    the gpg keystore?

    Thanks,
    Mike

  2. Re: SSH and GPG key storage

    On Sat, 02 Aug 2003 19:13:52 -0400, Michael B Allen wrote:

    >Is my ~/.ssh/id_rsa private key for ssh encrypted?


    #1. You are asking the wrong group. If you have questions about OpenSSH, you
    should be asking the OpenBSD developers who code it.

    #2. Yes, it is encrypted. When you SSH to another machine using PubKey
    authentication, you are prompted for a password to decrypt the private key.
    >
    >OpenSSH uses a private key passphrase but just from looking at it,
    >it doesn't look too secure to me:


    Apparently you have never looked at a private PGP key in ASCII form. They "look"
    nearly identical.

    >$ cat .ssh/id_rsa




    I hope you consider your key to be compromised now. Throw it away and generate a
    new one. While it is unlikely that someone could punch through the encryption if
    you are using a decent passphrase, it is _possible_, and since you have just
    effectively distributed it to the world, consider it null and void.

    >Shouldn't this be in some kind of keystore that's encrypted itself? If
    >this is encrypted what's the difference between this and say the pgp
    >keystore? Why aren't keys stored in a standard location? Is there a way
    >to specify .ssh/id_rsa.pub with gpg or do I have to import that key
    >pair into the gpg keystore? Is there a way to instruct ssh to look at
    >the gpg keystore?


    Keystore? Do you mean some sort of binary key container? If yes, what would be
    the point? Just as with any system, your SSH key is only as safe as the machine
    it is stored on. If you are admin for your particular *nix machine, one would
    assume you have the appropriate permissions on user home directories to keep
    others out.

    What do you mean why isn't it in a "standard" location? It is! ~/.ssh is the
    _standard_ location for OpenSSH keys. If you are asking why OpenSSH and PGP Keys
    don't go in a single location, that's because they are different keys for
    different products.

    How are you going to import a SSH key into GPG/PGP? They are different software
    packages. I highly doubt they are compatible.
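Added example, not part of the thread: a Python sketch that reads the `Proc-Type` and `DEK-Info` headers shown in the first post to tell whether a legacy PEM key file is passphrase-encrypted, and reproduces OpenSSL's legacy PEM key derivation (one unstretched MD5 pass per block), which is why the passphrase quality mentioned above carries all the protection. The function names, sample files and passphrase are constructed for illustration; only the legacy PEM format from the post is handled.

```python
import hashlib
import re

# Constructed samples: header lines as in the first post, body is a placeholder.
SAMPLE_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,550111791F3084ED

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""

def inspect_pem_key(text):
    """Report whether a legacy PEM private key is passphrase-encrypted."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    headers = {}
    for line in m.group(2).splitlines():
        # A blank line ends the header section; a line without ':' means
        # there are no headers and the base64 body starts immediately.
        if not line.strip() or ":" not in line:
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    info = {"label": m.group(1), "encrypted": False, "cipher": None, "iv": None}
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        cipher, iv_hex = headers["DEK-Info"].split(",", 1)
        info.update(encrypted=True, cipher=cipher, iv=bytes.fromhex(iv_hex))
    return info

def legacy_pem_kdf(passphrase, iv, key_len=24):
    """Legacy PEM key derivation: MD5(prev + passphrase + iv[:8]), no iterations."""
    salt, out, block = iv[:8], b"", b""
    while len(out) < key_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        out += block
    return out[:key_len]  # 24 bytes is the DES-EDE3-CBC key size

if __name__ == "__main__":
    info = inspect_pem_key(SAMPLE_ENCRYPTED)
    print(info["encrypted"], info["cipher"], info["iv"].hex())
    print(inspect_pem_key(SAMPLE_PLAIN)["encrypted"])
    print(len(legacy_pem_kdf(b"constructed passphrase", info["iv"])))
```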

  3. Re: SSH and GPG key storage

    On Sat, 02 Aug 2003 20:14:40 -0400, Beretta wrote:

    >>$ cat .ssh/id_rsa

    > I hope you consider your key to be compromised now.


    No I don't. I changed the content. Good luck cracking it.

    >>Shouldn't this be in some kind of keystore that's encrypted itself? If
    >>this is encrypted what's the difference between this and say the pgp
    >>keystore? Why aren't keys stored in a standard location? Is there a way
    >>to specify .ssh/id_rsa.pub with gpg or do I have to import that key pair
    >>into the gpg keystore? Is there a way to instruct ssh to look at the gpg
    >>keystore?

    >
    > Keystore? Do you mean some sort of binary key container?


    A "keystore" is a place to store keys.

    > If yes, what would be the point?


    The point of using a keystore would be to have all keys in one location
    protected with a single passphrase instead of being strewn about the
    system.

    > Just as with any system, your SSH key is only as
    > safe as the machine it is stored on.


    Mmm, I thought that the private key was encrypted to prevent people who
    have access to the machine from gaining access to it. So encrypting the
    private key is worthless then. Interesting.

    > If you are admin for your
    > particular *nix machine, one would assume you have the appropriate
    > permissions on user home directories to keep others out.


    Who said anything about unix or directory permissions? What do you do
    with private keys on laptops that can get stolen (like mine) or PDAs
    with no concept of a "home directory"?

    > What do you mean why isn't it in a "standard" location? It is! ~/.ssh is
    > the _standard_ location for OpenSSH keys. If you are asking why OpenSSH
    > and PGP Keys don't go in a single location, that's because they are
    > different keys for different products.
    >
    > How are you going to import a SSH key into GPG/PGP? They are different
    > software packages. I highly doubt they are compatible.


    Why would they not be "compatible"? SSL, SSH, and GPG/PGP use symmetric
    keys right? Each key pair has an algorithm, a size, etc. Perhaps it would
    have been prudent to parameterize this information so that keys could
    be shared between applications? Applications could query the "keystore"
    in a "standard location"? The keys that meet the requirements of the
    application would be displayed to the user who would select one?

    Most users will probably only ever need one public/private key
    pair. This pair could be on a secure server somewhere or on physical
    media. When installing an operating system the user would be prompted
    for the servername (or physical media) and passphrase. Now during the
    installation and when installing different packages like http with ssl,
    postfix with tls, e-mail clients with pgp, ssh, encrypted filesystems,
    and so on the keys are readily available.

    Maybe this is a really bad idea but it sure *sounds* good to me.

    Mike

  4. Re: SSH and GPG key storage

    On Sat, 02 Aug 2003 22:47:48 -0400, Michael B Allen wrote:



    >> Keystore? Do you mean some sort of binary key container?

    >
    >A "keystore" is a place to store keys.
    >
    >> If yes, what would be the point?

    >
    >The point of using a keystore would be to have all keys in one location
    >protected with a single passphrase instead of being strewn about the
    >system.


    Strewn about? GPG/PGP/OpenSSH all store the user's keys in a subdir of ~ (be it
    ~/.ssh, ~/.pgp or ~/.gpg). If you are desiring that they all store in a single
    directory, edit the source code. It's freely available for GPG and OpenSSH.

    >> Just as with any system, your SSH key is only as
    >> safe as the machine it is stored on.

    >
    >Mmm, I thought that the private key was encrypted to prevent people who
    >have access to the machine from gaining access to it. So encrypting the
    >private key is worthless then. Interesting.


    If you don't maintain exclusive physical access to the machine then of course it
    is useless. What is to prevent someone from installing a keylogger? (hardware
    and/or software based)

    >
    >> If you are admin for your
    >> particular *nix machine, one would assume you have the appropriate
    >> permissions on user home directories to keep others out.

    >
    >Who said anything about unix or directory permissions? What do you do
    >with private keys on laptops that can get stolen (like mine) or PDAs
    >with no concept of a "home directory"?


    You said something about *nix when you pointed out that your keys are stored in
    ~/.ssh. AFAIK PDAs and non-unix based OSes do not use ~ to denote a user's home
    directory.


    >
    >Why would they not be "compatible"? SSL, SSH, and GPG/PGP use symmetric
    >keys right? Each key pair has an algorithm, a size, etc. Perhaps it would
    >have been prudent to parameterize this information so that keys could
    >be shared between applications? Applications could query the "keystore"
    >in a "standard location"? The keys that meet the requirements of the
    >application would be displayed to the user who would select one?


    I can think of a number of reasons why they would not be compatible. One of
    which I already mentioned. They are coded by different developers with different
    functions in mind. PGP and GPG keys already are interchangeable, and to some
    extent SSL keys can be imported into PGP, however I am unaware of anyone making
    an attempt to develop a method for importing/exporting SSH keys into or out of
    PGP/GPG. That's not to say such a method does not exist, just that I am unaware
    of it.

    >Most users will probably only ever need one public/private key
    >pair. This pair could be on a secure server somewhere or on physical
    >media. When installing an operating system the user would be prompted
    >for the servername (or physical media) and passphrase. Now during the
    >installation and when installing different packages like http with ssl,
    >postfix with tls, e-mail clients with pgp, ssh, encrypted filesystems,
    >and so on the keys are readily available.


    I'd argue that would be a horrible situation. One box / key compromised and
    _all_ of your services that rely on that single key are compromised. It's the
    same situation when you use a single password for multiple logins.



  5. Re: SSH and GPG key storage

    On Sun, 03 Aug 2003 01:35:45 -0400, Beretta wrote:

    >>Most users will probably only ever need one public/private key pair.
    >>This pair could be on a secure server somewhere or on physical media.
    >>When installing an operating system the user would be prompted for the
    >>servername (or physical media) and passphrase. Now during the installation
    >>and when installing different packages like http with ssl, postfix with
    >>tls, e-mail clients with pgp, ssh, encrypted filesystems, and so on the
    >>keys are readily available.

    >
    > I'd argue that would be a horrible situation. One box / key compromised
    > and _all_ of your services that rely on that single key are compromised.
    > It's the same situation when you use a single password for multiple
    > logins.


    You're going to manage multiple private keys per machine on a big
    network? That's just insanity. Why is this different from the private
    key on a Kerberos Key Distribution Center? Or one of the master private
    keys used by a CA to sign SSL certificates? When someone has to log
    into 150 boxes with ssh do they upload a different public key to each
    machine so all the machines aren't compromised if the private key is
    compromised? I seriously doubt there are a lot of admins that do that.
    If there's a keylogger on your machine you're pretty much screwed no
    matter what you do.

    Mike
