8

My super crucial private key is stored at ~/.ssh/id_rsa with a chmod of "-rw-------".

I run a lot of applications on my Mac. For example:

  • Bash scripts
  • .app binaries (For example, Sketch.app)
  • Ruby gems and Python packages

It seems to me that anything I run has access to my private key and, in theory, can siphon it off with an HTTP POST to a hacker's server.

Isn't this a security issue? How do folks mitigate it?

jwodder

2 Answers

11

Yes, malicious software running as your user can do anything that you can do as a user. There is no privilege separation between different applications running as the same user. This has also been noticed by xkcd.

To protect your SSH key specifically, you can add a passphrase, as mentioned by galoget, but that will only help marginally -- a malicious program could also scrape memory when the key is in use or log your keystrokes for your passphrase. (Though there are some mitigations for those attacks.)

A better option is to use a hardware token of some sort -- I use a Yubikey 4 with an OpenPGP key for SSH authorization. Though my key might be abused when unlocked, the key material itself cannot be stolen, and it is only unlocked for a short period of time. (You could set this timeout to near 0 and require user interaction for each use of the key.)

Another option is to store your key under another user account and use su to switch to that account before SSHing.

In any case, if you have malicious software running as your user on your computer, you're going to have a bad time.

David
  • I agree wrt macOS, but iOS is different -- there's interapp protection, and so maybe part of this is that the hardware token is an iPad? :) – Adam Shostack Jan 08 '18 at 18:10
  • While your first paragraph might be correct for macOS, it's not really true for Linux, depending on how you've set it up. MAC systems like SELinux and AppArmor can add restrictions for files to only be accessible to specific processes rather than everything running under the user. – Bob Jan 09 '18 at 00:28
  • @Bob, you're correct, of course, but I have *never* seen a workstation with a locked-down SELinux or AppArmor policy. Writing and maintaining a policy for a workstation seems like a full-time job by itself. :) – David Jan 09 '18 at 01:07
  • @David Yea, unfortunately, configuration is an unsolved problem. Well, I guess they're used by default for containers (Docker, LXD) and on mobile devices (Android) but otherwise your typical user on a desktop distro probably won't be. We have (half of) the technology! – Bob Jan 09 '18 at 01:11
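
An added example (not from the question or either answer): a Python audit of a `~/.ssh` directory that reports which private keys have no passphrase or are readable by other accounts, the two file-level properties discussed above. The function names and the constructed sample key (header fields only, no key material) are assumptions of this example.

```python
import base64, os, stat, struct, sys
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # header of the current OpenSSH private key format

def key_is_encrypted(text):
    """True/False if text is a private key with/without a passphrase, None if not a key."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and lines[0].endswith("PRIVATE KEY-----")):
        return None
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return True
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
            off = len(MAGIC)
            (n,) = struct.unpack(">I", blob[off:off + 4])
        except (ValueError, struct.error):
            return None  # truncated or malformed body
        if not blob.startswith(MAGIC):
            return None
        # First field after the magic is the cipher name; "none" means no passphrase.
        return blob[off + 4:off + 4 + n] != b"none"
    # Legacy PEM (RSA/DSA/EC): encryption is announced in a Proc-Type header.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:])

def audit(ssh_dir):
    """Return (filename, has_passphrase, owner_only_mode) for each private key found."""
    findings = []
    for p in sorted(Path(ssh_dir).iterdir()):
        if not p.is_file():
            continue
        try:
            enc = key_is_encrypted(p.read_text(errors="replace"))
        except OSError:
            continue  # unreadable file: skip it
        if enc is not None:
            findings.append((p.name, enc, stat.S_IMODE(p.stat().st_mode) & 0o077 == 0))
    return findings

def sample_openssh_key(cipher):
    """Constructed sample: only the header fields, no real key material."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", 4) + b"none"
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh")
    for name, enc, private in audit(target) if os.path.isdir(target) else []:
        print(f"{name}: passphrase={'yes' if enc else 'NO'} owner-only={'yes' if private else 'NO'}")
```
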
6

Your private key can be secured by using a passphrase, and that's another reason to use software from trusted sources only.

Here are two links that will be a very good complement for your understanding:

Hope it helps.

galoget
  • Yes, using software from trusted sources only is - in theory - a great option, however imagine that software developers need to install packages from `homebrew`, `pip` or `npm` every day, therefore odds of someone pushing malicious code in a repository are pretty severe (just like there are malicious images on Docker Hub from time to time). I think that the issue pointed out by @american-ninja-warrior is still pretty legitimate and hard to solve :( – adamsfamily Aug 30 '20 at 09:55