passphrases are your friend
About three months ago, I wrote about How
to copy files around without anyone seeing them. In response to that article,
Jeff Seely has written in about passphrases. Thanks.
A passphrase is most often associated with ssh and pgp identity keys: the private key is stored on disk encrypted under the passphrase, so in order to use the key you must first enter it. But passphrases are optional; ssh-keygen will happily accept an empty one, as you can see in the above link.
Jeff Seely writes:
If you don't set a passphrase and someone manages to get their hands on the files that store your private keys, they can use them. However, if you set a passphrase, they can try to use them but will still need to have your passphrase for them to work properly. Here are two excerpts from a tutorial I read that is mentioned later in this article.
To further protect your private key you should enter a passphrase to encrypt the key when it is stored in the filesystem. This will prevent people from using it even if they gain access to your files.
Always, always type in a good pass-phrase when prompted for one. It can be multiple words (i.e. spaces are just fine within the phrase), so you could choose a sentence that you can remember. Changing some of the words by misspelling them or by changing some of the letters into digits is highly recommended to increase the strength of your pass-phrase.
I know what you are thinking: the purpose of trying scp in the first place was so you didn't have to enter a password (or passphrase), or store them in clear text in your scripts. And you are right, you will be prompted for your passphrase if you set one. But I did a little research and found a way around that. The ssh protocol suite has two utilities for this, ssh-agent and ssh-add. What you would do is run "ssh-agent $SHELL" and use "ssh-add" to add your public key's passphrase into memory. I hope I am making sense, because like I said my knowledge of crypto and ssh is not great, but I set my system up like this and it works for me.
I found a very good resource at http://csociety.ecn.purdue.edu/~sigos/projects/ssh/overview/ if you would like to check it out.
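Jeff's point is that the passphrase is what stands between a copied key file and a working key, so the check worth running is whether the private keys already on disk are actually encrypted. The script below is an added example written for this article, not code from Jeff or from the tutorial he links; it reads the header fields of the two formats ssh-keygen writes (the modern openssh-key-v1 container, and the legacy PEM format with its Proc-Type/DEK-Info headers) and reports the cipher and key-derivation settings. The function names are mine, and the sample key files are constructed in the script with zero-filled placeholder key material, since only the header fields matter for this check.

```python
import base64
import struct

# Magic prefix of the modern OpenSSH private key container (PROTOCOL.key).
AUTH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_FOOTER = "-----END OPENSSH PRIVATE KEY-----"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def build_openssh_key(cipher: str, kdf: str, salt: bytes = b"", rounds: int = 0) -> str:
    """Constructed sample: an openssh-key-v1 file whose key sections are zero-filled
    placeholders. Only cipher, kdf and kdfoptions are meaningful for the audit."""
    kdfoptions = _ssh_string(salt) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    body = (AUTH_MAGIC
            + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode()) + _ssh_string(kdfoptions)
            + struct.pack(">I", 1)          # number of keys
            + _ssh_string(b"\x00" * 32)     # placeholder public key blob
            + _ssh_string(b"\x00" * 64))    # placeholder private section
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([OPENSSH_HEADER, *lines, OPENSSH_FOOTER]) + "\n"


# Constructed sample of a legacy PEM key (ssh-keygen -m PEM) with a passphrase;
# the base64 line is a placeholder, only the headers are inspected.
LEGACY_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0F1E2D3C4B5A69788796A5B4C3D2E1F0

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""


def inspect_private_key(text: str) -> dict:
    """Report whether a private key file is passphrase-protected, and how."""
    lines = text.strip().splitlines()
    header = lines[0].strip()
    if header == OPENSSH_HEADER:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(AUTH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(AUTH_MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfoptions, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":                 # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfoptions, 0)
            (rounds,) = struct.unpack_from(">I", kdfoptions, o)
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds, "encrypted": cipher != b"none"}
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM: encryption is signalled by RFC 1421 headers, and the key is
        # derived from the passphrase with a single MD5 pass (EVP_BytesToKey),
        # which is why the bcrypt-based new format is preferable.
        headers = {}
        for line in lines[1:]:
            if ":" not in line:              # blank line ends the header block
                break
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
        pkcs8_enc = header == "-----BEGIN ENCRYPTED PRIVATE KEY-----"
        encrypted = pkcs8_enc or headers.get("Proc-Type", "").endswith("ENCRYPTED")
        if pkcs8_enc:
            cipher, kdf = "pkcs8 (inside ASN.1)", "pkcs8 (inside ASN.1)"
        elif encrypted:
            cipher, kdf = headers["DEK-Info"].split(",")[0], "md5-bytes-to-key"
        else:
            cipher, kdf = "none", "none"
        return {"format": "pem", "cipher": cipher, "kdf": kdf,
                "rounds": 1 if kdf == "md5-bytes-to-key" else None, "encrypted": encrypted}
    raise ValueError("unrecognised private key armor")


def keys_without_passphrase(files: dict) -> list:
    """Given {name: file text}, return the names whose private key is stored in clear."""
    return sorted(name for name, text in files.items()
                  if not inspect_private_key(text)["encrypted"])


if __name__ == "__main__":
    samples = {
        "id_ed25519_nopass": build_openssh_key("none", "none"),
        "id_ed25519": build_openssh_key("aes256-ctr", "bcrypt", salt=b"\x01" * 16, rounds=16),
        "id_rsa_legacy": LEGACY_PEM_ENCRYPTED,
    }
    for name, text in samples.items():
        print(name, inspect_private_key(text))
    print("no passphrase:", keys_without_passphrase(samples))
```

To run it against real files, read each `~/.ssh/id_*` into the dictionary passed to `keys_without_passphrase`. A key it flags can be given a passphrase in place with `ssh-keygen -p -f <keyfile>`, and `ssh-keygen -a <rounds>` raises the bcrypt work factor stored in the kdfoptions field; the legacy PEM format's single MD5 derivation has no such knob, which is a reason to let ssh-keygen write the new format (its default since OpenSSH 7.8).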