"When asked to enter a passphrase, do so. An ssh key without a passphrase is completely vulnerable if stolen."
That's true, but how to do cron jobs? An 'expect' script literally has your unhashed passwd. Only multiple key pairs I guess.

@gemlog @tomasino I agree here. I have lots of scripts. How do I handle a key with a password from a shell script?

@adamd @gemlog there's a number of ways. I personally keep the passwords in LastPass and use it with ssh-agent to make everything magical.


@tomasino @adamd
Well, I may be wrong, but my thinking is that if I'm storing a key pair on the same box and then just also storing a pass phrase on the same box and I'm compromised, what is the difference?

@gemlog @adamd LastPass has its own mechanisms for password protection and stores its db encrypted

@tomasino @adamd
Right after I pressed send I saw 'local hash' coming!

@gemlog @adamd you can do something similar with keepass or 1password, or just pick memorable passwords for your keys like "this is a phrase for tilde town". Knowing how to use ssh-agent is really helpful for making lots of keys more manageable.

Credit to @mwlucas and his ssh mastery book for its fantastic information

@tomasino @gemlog @mwlucas
I'll do some looking around / learning. I was a keepassxc fan but wanted a cli way. I believe keepassxc has a cli way. At the time I did not know that. It was a long time ago. It will be a lot of work to move now as I have lots of information in my pass-store.


@adamd @gemlog @mwlucas I've been incrementally fixing my key situation. Michael's book severely shamed me. Haha

@tomasino @adamd @gemlog

There's no shame in not knowing better.

Now that you know better, you can feel shamed. :flan_tongue:
