undefined | Better HN

0 pointschrisweekly8mo ago0 comments

Yeah, I'd strike "except where they're needed". Never share a private key.

0 comments

One of the best things you can do is generate a key per device, not per person. That way if you lose your phone you just revoke that key and not the one that you use on your tablet, work laptop, home desktop, etc.

Bonus points: monkeysphere and certificate based auth are two other great solutions for making sure the ssh server you log into is not doing a MITM on initial connection (you know, the part where it asks you to manually verify the fingerprint of the server key and you likely just hit y instead).

Forwarding your ssh agent to a host that you don’t know for certain is not doing a MITM attack on you can be devastating, as is entering a password into same.

munchler8mo ago

But that way you can only use each key on that one device. E.g. No starting a private conversation on your phone and then continuing it on your desktop later.

IgorPartola8mo ago

The service you use should allow you to add more than one key and create a symmetric encryption key for the conversion. Your private key identifies your device, the service should know that you own multiple devices.

msgodel8mo ago

Are there really people who don't do this? Copying private keys around just feels gross like copying binaries around.

j / k navigate · click thread line to collapse

0 comments

IgorPartola8mo ago

Forwarding your ssh agent to a host that you don’t know for certain is not doing a MITM attack on you can be devastating, as is entering a password into same.

munchler8mo ago

But that way you can only use each key on that one device. E.g. No starting a private conversation on your phone and then continuing it on your desktop later.

IgorPartola8mo ago

msgodel8mo ago

Are there really people who don't do this? Copying private keys around just feels gross like copying binaries around.

j / k navigate · click thread line to collapse