Abandoning SSH Password Authentication

All too often, I find myself logging into remote computers using a password. You should, of course, never do this. You should always be using pubkey authentication, and password authentication should always be disabled on your machines, but still, I find myself logging into my servers with a password and obviously not disabling the feature. Why? Well, it all goes back to the annoyance of moving my public keys around, especially since I make an effort to never move my keys between machines. I generate separate keys for each machine I have, and I generate new keys when I reinstall my machines. Obviously, this makes it difficult to keep everything up to speed, but it doesn’t have to be so hard.

The solution? Git. I have created a git repo at https://github.com/ColtonDRG/ssh-keystore where I can store all of my id_rsa.pub files after generating new keys. There is also a shell script that erase the contents of authorized_keys file, and then recreate it with all of the keys from that repo. That way, all I have to do is git pull followed by ./install and the latest set of keys is installed. I can also very easily automate this process via cron or maybe even a webhook. This way, all I have to do when I get a new key that I want installed on all my servers is simply push a copy of the key to the git repo. What if I want to revoke a key? The script deletes the contents of the authorized_keys file before generating a new one, so I simply have to delete the key in question from that repository. It’s very handy.

Wait though, there’s a small problem. Some machines might not have git installed. What then? Enter https://security.coltondrg.com/ssh/. This is a copy of the repo that’s accessible over http with easily memorable URLs, so any keys can easily be downloaded from there, and the latest pre-generated copy from the install script is also available at https://security.coltondrg.com/ssh/authorized_keys.

This works really nicely for me, as I can now disable password authentication on all my machines without facing the issue of not being able to access a machine because the key of the device I currently happening to be using doesn’t have it’s key installed.

This site uses Akismet to reduce spam. Learn how your comment data is processed.