
I am running Debian with an Xfce desktop environment and while I've tried many solutions, I always need to enter the passphrase once upon every reboot.

  • In macOS, I can simply use ssh-add -l > /dev/null || ssh-add -A and macOS' default keychain manager will remember the password in its keychain, resulting in no longer needing to enter the passphrase, but the -A won't work in Debian.

    I have the following in .bashrc:
    # Reuse a single ssh-agent across shells via a fixed socket path
    if [ ! -S ~/.ssh/ssh_auth_sock ]; then
      eval "$(ssh-agent -s)"
      ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
    fi
    export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock
    # Load the key only if the agent holds no identities yet (prompts for the passphrase)
    ssh-add -l > /dev/null || ssh-add
    
  • I've also tried using keychain, which I thought was the same as macOS' keychain; however, keychain also requires the passphrase upon every reboot.

How can I get some Debian key manager to remember the passphrase securely, thereby avoiding the entering of the passphrase forever?

JW0914
sgon00
  • Why don't you remove the passphrase, as the files should be accessible to your account only anyway? – Zina Jun 01 '20 at 13:49
  • @Zina If I remove the passphrase, all user programs and scripts will have access to my key id_rsa. I don't think that is safe. With some kind of keyring program, it's not 100% safe, but it's much safer than a plaintext key. Thanks. – sgon00 Jun 01 '20 at 14:22
  • @Zina Removing the passphrase from an SSH key is simply insecure and not recommended, as it's not the same as storing the passphrase as a hash by a keychain manager. The difference in security risk is that even if someone gains physical access to the device, they have to crack the hash, which isn't likely _(provided it was hashed securely)_, whereas removing the key's encryption entirely allows usability to anyone gaining physical access to the key file. – JW0914 Jun 01 '20 at 14:23
  • @JW0914 - I know, but he wants to not enter the passphrase after a reboot... so he is making his keys vulnerable in case the account is hacked anyway if he does not need to enter the passphrase..... – Zina Jun 01 '20 at 14:25
  • @Zina I am more worried about normal programs than about my account getting hacked. I have already explained this in the above comment. Hacking a key stored in memory is a different story from simply accessing a plaintext key from my hard drive. All programs/scripts will have access to my keys if I remove the passphrase. That is really a different story. – sgon00 Jun 01 '20 at 14:30
  • Oh, OK. I misread your question. Now I get what you want to achieve. – Zina Jun 01 '20 at 14:43
  • @Zina ^_^ I am googling two suggestions now. Thanks a lot. – sgon00 Jun 01 '20 at 14:55

1 Answer

Nearly all approaches involve PAM in one way or another, because your system login password is the only piece of information that's obtained without having to store it on disk.

The simplest method is pam_ssh, which will automatically start ssh-agent and use your system password to load all keys from standard locations and from ~/.ssh/session-keys.d/.

On Debian the libpam-ssh package will automatically insert the module in the correct location. Other similar methods:

  • pam_gnome_keyring uses your login password to unlock GNOME Keyring, which stores passphrases for your SSH keys.
  • pam_ecryptfs uses your login password to unlock an encrypted eCryptFS filesystem, where you can place your keys without any passphrase.
  • pam_gnupg uses your login password to unlock keys stored in gpg-agent (which may be PGP, SSH, or S/MIME keys).

If you do not want the boot process to show any password prompts whatsoever... well, there's no secure way to store keys on your system. At best you can make use of a TPM chip or some other hardware token to store RSA keys without the possibility to extract them – they'll be bound to the hardware element they're on.

  • Many new computers come with a TPM module, or (in case of desktops) a pin header to connect one bought separately, or occasionally a "fTPM" emulated via firmware. Such modules can hold symmetric and asymmetric keys.
  • There are some USB "smart card" tokens providing either a PIV or OpenPGP interface, and both can be used for SSH. For laptops, some YubiKey models fit almost entirely inside a USB port.
u1686_grawity
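A check worth running after adopting any of these options, written as an added example (not code from the thread or from the pam_ssh/gnome-keyring projects): it parses OpenSSH private keys directly and reports whether each is passphrase-protected, so the "plaintext key on disk" situation debated in the comments can be audited rather than assumed. The sample container built by make_sample_key is constructed here and holds no real key material.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # container magic of the current OpenSSH key format

def _ssh_string(b):  # SSH wire-format string: uint32 big-endian length + data
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):  # decode one wire-format string at offset off
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_protection(pem_text):
    """Return (format, cipher, kdf); cipher == 'none' means stored unencrypted."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 container")
        cipher, off = _read_string(blob, len(MAGIC))  # e.g. b"aes256-ctr" / b"none"
        kdf, _ = _read_string(blob, off)               # e.g. b"bcrypt" / b"none"
        return "openssh", cipher.decode(), kdf.decode()
    # Legacy PEM keys (ssh-keygen -m PEM) signal encryption with RFC 1421 headers.
    headers = dict(l.split(": ", 1) for l in lines[1:-1] if ": " in l)
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        return "pem", headers.get("DEK-Info", "?").split(",")[0], None
    return "pem", "none", None

def is_passphrase_protected(pem_text):
    return key_protection(pem_text)[1] != "none"

def audit_ssh_dir(ssh_dir):
    """Map each private key file under ssh_dir to True (protected) / False (plaintext)."""
    result = {}
    for f in Path(ssh_dir).iterdir():
        text = f.read_text(errors="replace") if f.is_file() else ""
        if "PRIVATE KEY-----" in text:
            result[f.name] = is_passphrase_protected(text)
    return result

def make_sample_key(cipher=b"none", kdf=b"none"):
    """Constructed openssh-key-v1 container with header fields only (no real key)."""
    body = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(b"") + _ssh_string(b""))
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")
```

Run audit_ssh_dir(Path.home() / ".ssh") to list which keys any process running as your user could read without a passphrase; a keyring such as gnome-keyring keeps the on-disk copy encrypted while the agent holds the unlocked key in memory.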
  • Thank you very much for your answer. I am OK with entering the login password at boot time. I actually need to enter the LUKS password too. I just don't want to enter the SSH key's passphrase. That's all. Regarding the `pam_ssh` solution, can you please show the steps for how to do it? In the meantime, I will google for it and hopefully I can figure it out. Thanks a lot. – sgon00 Jun 01 '20 at 14:26
  • @sgon00 YubiKeys are one of the best methods to manage SSH & GPG keys, and is how I manage mine. YubiKeys still require the 8-digit user PIN to unlock the SSH key stored on the YubiKey, with the time between re-auths for the PIN being customizable. – JW0914 Jun 01 '20 at 14:29
  • @JW0914 thanks for introducing YubiKeys, but I don't want to enter any keys for this purpose on every reboot. I just want my login to unlock ssh keys. Login password should be enough for this purpose. – sgon00 Jun 01 '20 at 14:32
  • @sgon00 There's likely a way to automate, with Yubico offering an extensive [docs](https://support.yubico.com/support/solutions) collection on their site that may be worth checking out. `gpg` is used to manage the keys on the YubiKey and GPG Authentication and SSH keys are [interchangeable](https://superuser.com/a/390176/529800), you just need to ensure your SSH key is the first Authentication key stored _(additional [reference](https://0day.work/using-a-yubikey-for-gpg-and-ssh/))_. If you choose to go that route, the YubiKey Nano is meant to remain plugged into a device semi-permanently. – JW0914 Jun 01 '20 at 14:39
  • For Debian, there's only one step: install the libpam-ssh package. – u1686_grawity Jun 01 '20 at 14:57
  • @user1686 Do I need to remove all my previous ssh-agent lines from .bashrc? After installing libpam-ssh, everything will work magically? So I only need to log in as normal and am no longer required to enter the passphrase when I do ssh? Thanks a lot. – sgon00 Jun 01 '20 at 15:01
  • @user1686 I read the libpam-ssh description. It says `during authentication, the user types a SSH passphrase and is authenticated if the passphrase successfully decrypts the user's SSH private keys in session phase, a ssh-agent process is started and decrypted keys are added, and thus the user can SSH to other hosts that accept key authentication without typing more passwords for the entire session.`. The description says I need to enter the SSH passphrase once on every reboot? It mentions a session phase and the entire session. I don't want to enter the passphrase on every reboot. – sgon00 Jun 01 '20 at 15:06
  • I just want to make sure that what I describe is clear. I am OK with unlocking SSH based on my system user login, because I will need to enter a password to log in anyway. But I don't want to enter the SSH passphrase anymore on reboot. I read about `libpam-ssh` and its description. It talks about entering the SSH passphrase and needing no password for the entire session. The description doesn't look like what I want to achieve. Thanks a lot. Please correct me if I am wrong. Btw, I am not a native English speaker, please forgive my bad English. – sgon00 Jun 01 '20 at 15:11
  • @sgon00 I believe _"session"_ refers to the `ssh-agent` session, not a terminal session _(i.e. you can use the key for however long it's loaded into `ssh-agent`)_ – JW0914 Jun 01 '20 at 15:38
  • PAM auth modules form a chain, and pam_ssh will usually not prompt for an additional passphrase as it can re-use the previously entered password from pam_unix. The "session" here refers to a login session; the agent is started and keys loaded during login. – u1686_grawity Jun 01 '20 at 15:43
  • The post owner and @JW0914: I have confirmed that this is not the solution I am looking for. I have installed that package. It re-asked me for the SSH passphrase on every reboot. This is just the same solution I set up in the original question (which uses ssh-agent too). I think I have described what I want clearly in English and am not sure if there is still any misunderstanding or not. I am OK with entering the login password, but I don't want to enter the SSH passphrase on every reboot. The SSH passphrase should be remembered once in some keyring store and used in the future on all reboots. Thanks – sgon00 Jun 02 '20 at 02:32
  • I wrote that pam_ssh will use your login password _to unlock keys_. If your SSH passphrase is _different_ from your login password, it won't be able to do that! So change the passphrase to be identical – it won't result in reduction in security compared to using a keyring. If the passphrases must remain different from the login password, I have already listed two keyring-based alternatives in my post. – u1686_grawity Jun 02 '20 at 05:32
  • Thanks a lot for the reply. To be more secure, I don't want to make the login password and SSH passphrase the same. I am trying to prevent any CCTV (camera) from recording my SSH passphrase. That's the reason why I don't want to enter it anymore. `pam_ecryptfs` is the same as storing a plaintext key. I am already using LUKS. I want to avoid running programs or scripts accessing my keys too. So `pam_ecryptfs` is not a solution. I am not using GNOME, so I don't know if `pam_gnome_keyring` will require any GNOME installation. I will search for `pam_gnome_keyring` and `pam_gnupg` or `YubiKeys` recommended by @JW0914 – sgon00 Jun 02 '20 at 05:54
  • Well, it won't actually be more secure if the very same login password just unlocks a keyring that holds the rest. It may make stealing the id_rsa file marginally more difficult, but it's still the weakest link in the chain. Still, if that's your concern, gpg-agent will probably be next best choice. As for gnome_keyring, it does require a few GNOME dependencies but it does not require the entirety of it – I've successfully used it with Xfce, KDE, and Openbox so far. – u1686_grawity Jun 02 '20 at 05:58
  • Thanks, I will search for gpg-agent. And yeah, that is my concern. The reason I don't want to type the SSH passphrase is NOT because I am getting bored of typing the same passwords again and again. It's because I am using a different passphrase and don't want anyone to see what I typed. If my login password and SSH passphrase were the same, I would be OK with entering the SSH passphrase all the time in every single shell/terminal. It's mainly a security concern here. Thanks. – sgon00 Jun 02 '20 at 06:02
  • Thanks a lot for the answer. I finally solved the question by using gnome-keyring. Gnome-keyring works as I expect. I have upvoted the answer and marked it as the answer. Cheers. – sgon00 Jun 05 '20 at 03:20