Use KeePassXC to Store SSH Private Keys

A path traversal vulnerability was discovered in fnOS, which could expose all files on the system—including SSH private keys—to the Internet. In addition, there are occasional reports of malware stealing SSH private key files. For these reasons, I believe it would be better to secure my SSH private keys.

Instead of encrypting my keys directly, I add these keys to KeePassXC, and let it add them to `ssh-agent`. There are some points I want to write down here.

Adding an Encrypted Key to KeePassXC

If the key is passphrase-protected, the passphrase goes in the password field of the KeePassXC entry.

According to the behavior of KeePassXC, I think it will decrypt the key, then add it to `ssh-agent`.

Communicating with ssh-agent

To communicate with ssh-agent, ssh needs the path of the agent socket, which it normally reads from the SSH_AUTH_SOCK environment variable. Instead of setting this variable, I enter the socket path in KeePassXC's "SSH_AUTH_SOCK override" field and set IdentityAgent to the same path in ~/.ssh/config.

Multiple Keys

I have multiple SSH private keys. By default, ssh offers every key it knows about, one after another, to pass authentication, and too many failed attempts can make the server reject the login before the right key is tried. So I set IdentitiesOnly to yes. After that, ssh only uses the keys specified by IdentityFile and CertificateFile. With ssh-agent holding the keys, there is no private key on disk, so IdentityFile can point at the public key file; ssh then asks the agent to sign with the matching private key.

Require User Confirmation When the Key Is Used

If I check this box in KeePassXC, ssh fails with the error "agent refused operation". During the search, I found that I should install some kind of ssh-askpass program. I installed ksshaskpass since I'm using KWin. At first, I thought the program would be used once I had installed it. But I was wrong. I should set SSH_ASKPASS instead, because I found this variable in the man page of ssh. I set it before running ssh. Of course, it didn't work. After an hour of fighting with the ssh config, KeePassXC settings, and private key encryption and decryption, I set the variable before starting ssh-agent. Then it worked. Why doesn't this variable appear in the man page of ssh-agent? Maybe it's a chance to earn a PR.
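To put the pieces from the two previous sections together, here is a login-profile snippet I wrote as an added example; it is not code from the original post, from KeePassXC or from OpenSSH. It starts ssh-agent on a known socket with SSH_ASKPASS already exported (so the agent inherits it, which is the trap described above), renders the ~/.ssh/config stanza with IdentityAgent, IdentitiesOnly and a public-key IdentityFile, and checks the running agent's environment through /proc so you can tell whether confirmation prompts can work. The paths are assumptions: ksshaskpass at /usr/bin/ksshaskpass, the socket entered in the "SSH_AUTH_SOCK override" field at ~/.ssh/keepassxc-agent.sock, and the public key at ~/.ssh/id_ed25519.pub.

```shell
#!/bin/sh
# Added example, not code from the original post or from KeePassXC/OpenSSH.
# Does the two things the post describes:
#  1. starts ssh-agent with SSH_ASKPASS already in its environment, so the
#     KeePassXC "require user confirmation" option can show a prompt;
#  2. writes an ssh_config stanza using IdentityAgent + IdentitiesOnly with a
#     public-key IdentityFile, so ssh offers only the chosen key.
# Assumed paths (adjust to your system): ksshaskpass at /usr/bin/ksshaskpass,
# the KeePassXC "SSH_AUTH_SOCK override" socket at ~/.ssh/keepassxc-agent.sock,
# and the public half of the key stored in KeePassXC at ~/.ssh/id_ed25519.pub.

ASKPASS_BIN="${ASKPASS_BIN:-/usr/bin/ksshaskpass}"
AGENT_SOCK="${AGENT_SOCK:-$HOME/.ssh/keepassxc-agent.sock}"
PUBKEY="${PUBKEY:-$HOME/.ssh/id_ed25519.pub}"

# Print an ssh_config stanza for host $1 that talks to the agent socket $2
# and offers only the key whose public half is at $3.
render_ssh_config() {
    printf 'Host %s\n' "$1"
    printf '    IdentityAgent %s\n' "$2"
    printf '    IdentitiesOnly yes\n'
    printf '    IdentityFile %s\n' "$3"
}

# Return 0 if the NUL-separated environment dump in file $1 (the format of
# /proc/<pid>/environ) contains SSH_ASKPASS, 1 otherwise.
environ_has_askpass() {
    tr '\0' '\n' < "$1" | grep -q '^SSH_ASKPASS='
}

# Return 0 if the agent named by SSH_AGENT_PID was started with SSH_ASKPASS
# in its environment. Exporting the variable only in the shell that runs
# ssh is not enough: the agent, not the client, runs the askpass program.
agent_has_askpass() {
    [ -n "${SSH_AGENT_PID:-}" ] || return 1
    [ -r "/proc/$SSH_AGENT_PID/environ" ] || return 1
    environ_has_askpass "/proc/$SSH_AGENT_PID/environ"
}

# Start ssh-agent listening on the KeePassXC override socket, exporting the
# askpass program first so the agent process inherits it.
start_agent_with_askpass() {
    export SSH_ASKPASS="$ASKPASS_BIN"
    rm -f "$AGENT_SOCK"
    eval "$(ssh-agent -s -a "$AGENT_SOCK")" > /dev/null
}

# Entry point for interactive use: `sh this-script.sh setup [host]`.
if [ "${1:-}" = "setup" ]; then
    host="${2:-example.test}"
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    render_ssh_config "$host" "$AGENT_SOCK" "$PUBKEY" >> "$HOME/.ssh/config"
    chmod 600 "$HOME/.ssh/config"
    agent_has_askpass || start_agent_with_askpass
    if agent_has_askpass; then
        echo "ssh-agent $SSH_AGENT_PID has SSH_ASKPASS=$SSH_ASKPASS; now enable the KeePassXC SSH Agent integration"
    else
        echo "ssh-agent is running without SSH_ASKPASS; confirmation prompts will fail with 'agent refused operation'" >&2
    fi
fi
```

Source this (or run it with `setup`) from the session startup, before KeePassXC is opened, so the agent KeePassXC adds keys to is the one that already carries SSH_ASKPASS. The /proc check is the quickest way to confirm that, instead of guessing from the client side. One more condition that bit me in testing: ssh-agent only falls back to the askpass program when DISPLAY is also set in its environment (or, on OpenSSH 8.4 and later, when SSH_ASKPASS_REQUIRE=force is), so a desktop session that exports DISPLAY before the agent starts is assumed here.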

FINALLY, I EXPRESS MY SINCERE GRATITUDE TO THE LIBRARY FOR PROVIDING FREE WI-FI. THE CONDITIONAL CONNECTION RESETS OF MY SSH CONNECTION MADE ME LEARN A LOT.