48

I'm going to be connecting to one of my servers from my boss' computer (Win 10) using PuTTY. In order to do so, I'll be using my private key. Is there anything I should do before/after to prevent my key from being stolen?

My plan was:

  1. Install PuTTY
  2. add priv_key file to it
  3. connect
  5. Uninstall PuTTY
  6. remove priv_key
unor
  • 1,769
  • 1
  • 19
  • 38
sysfiend
  • 2,364
  • 4
  • 14
  • 22
  • 28
    Have your private key on a hardware security module, like a smart card or Yubikey. – André Borie Dec 22 '16 at 17:30
  • 3
    Note that (in relation to your worry about the key being "stolen") your boss may have the ability, perhaps indirectly by way of ordering someone else to do it, of both accessing all files on your (I assume company) computer *and* install keylogging software. It all comes down to your threat model. – user Dec 22 '16 at 21:03
  • 1
    @MichaelKjörling yeah, that's true but I will have to "trust" that the computer is clean from keyloggers – sysfiend Dec 23 '16 at 09:36

2 Answers2

120

A more secure alternative is to create a new keypair that you use for this purpose.

  • Create the keypair on your boss' computer.
  • Transfer the public key to your own computer.
  • Connect to the server and add the public key.

Now your boss' computer can connect to the server. When this is done, you can remove the key on the server. This way, your own key does not leave your computer and your boss' key is only valid a short while.

Sjoerd
  • 28,707
  • 12
  • 74
  • 102
  • 22
    In general, one ssh key pair per client is way better than one per user (or, as I've weirdly seen, one per server). That way, if you lose a device, you can just disable that key. – mattdm Dec 23 '16 at 15:08
  • 6
    @mattdm: That's the entire way it's intended to be used. Any other setup is utterly broken. – R.. GitHub STOP HELPING ICE Dec 24 '16 at 01:52
  • 2
    I recommend adding a passphrase to any private key that will live on a machine outside your direct control or where other people can obtain root. – Rache Dec 25 '16 at 15:57
  • 1
    @Rache that won't hurt, but it won't protect you from someone controlling the machine before you use it, who could add a key logger. – Alan Shutko Dec 26 '16 at 04:14
15

A good solution is to have the key on a dedicated hardware device that will do all your crypto operations without even revealing the key material to the host computer. You can use any PKI card supported by OpenSC, an OpenPGP smartcard (supported by both GnuPG and OpenSC) or a Yubikey (which in this case will behave just like an OpenPGP card).

For OpenSC-supported cards, install OpenSC and tell OpenSSH to use it:

ssh -I /usr/lib/opensc-pkcs11.so user@example.com

For GnuPG you can use the GPG agent as an SSH agent which will expose the card's keys through that. Note that unless you need passphrase/PIN caching I recommend using OpenSC over GPG.

On Windows, you should use either your card's minidriver (how Microsoft calls software like OpenSC) - most of them can be downloaded automatically provided you allow your system to search for drivers online. If no official minidriver is found you can use OpenSC's Windows build which includes a generic minidriver. Note that for OpenPGP cards there is a third-party minidriver that works better than OpenSC's one (in fact I had no luck getting OpenSC's minidriver to work with the OpenPGP card, even if the PKCS11 library worked fine proving that OpenSC was talking to the card).

Once the minidriver is installed, software will be able to talk to the card using the system's standard Crypto API (the card appears like any other certificate in the user's cert store). PuTTY-CAC is such a program that can take advantage of those certs (and cards), it includes PuTTY itself as well as Pageant, PuTTY's equivalent of an SSH agent. If under Cygwin/MSYS you can use ssh-pageant to convert a running Pageant into an SSH agent that can be used by the standard ssh (a direct bridge between CAPI and SSH would've been nicer, but no such thing exists yet).

André Borie
  • 12,706
  • 3
  • 39
  • 76
  • 6
    Note that the question discusses using Putty under Windows 10; do these solutions (OpenSC, GPG agent) work in that environment? – IMSoP Dec 23 '16 at 09:54