undefined | Better HN

0 pointstraceroute664y ago0 comments

> And if the device on which you're running your ssh client is already compromised, it doesn't matter whether you use a key or password, its the same thing.

Whoa there sunshine.

Put your SSH keys on a USB HSM (Yubikey or Nitrokey) and nobody is ever going to be able to extract the private key.

Added bonus, put it on a USB HSM with touch auth (e.g. Yubikey) and nobody will ever be able to use the key without you knowing it (because you have to physically touch it).

0 comments

1 comments · 1 top-level

Enginerrrd4y ago

>Put your SSH keys on a USB HSM (Yubikey or Nitrokey) and nobody is ever going to be able to extract the private key.

Except you. To run through a compromised machine... Perhaps I don't quite understand how it works, but I don't see how this setup negates that issue. Once you plug it into the compromised machine and allow access to it with whatever touch-authentication or w/e, I can't imagine you could keep it secret from the attacker on the compromised machine. But maybe it's encrypting the key on the device?

j / k navigate · click thread line to collapse