I'm going to be connecting to one of my servers from my boss' computer (Win 10) using PuTTY. In order to do so, I'll be using my private key. Is there anything I should do before/after to prevent my key from being stolen?

My plan was:

Install PuTTY > add priv_key file to it > connect > ... > Uninstall PuTTY > remove priv_key

Have your private key on a hardware security module, like a smart card or Yubikey. – André Borie 12 hours ago

Note that (in relation to your worry about the key being "stolen") your boss may have the ability, perhaps indirectly by way of ordering someone else to do it, to both access all files on your (I assume company) computer and install keylogging software. It all comes down to your threat model. – Michael Kjörling 9 hours ago
up vote 38 down vote accepted

A more secure alternative is to create a new keypair that you use for this purpose.

  • Create the keypair on your boss' computer.
  • Transfer the public key to your own computer.
  • Connect to the server and add the public key.

Now your boss' computer can connect to the server. When this is done, you can remove the key on the server. This way, your own key does not leave your computer and your boss' key is only valid a short while.

That's a good idea, didn't think about it, thanks. – Alex 14 hours ago
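
The server-side half of the answer above (add the borrowed machine's public key, remove it when done), as an added example that is not part of the original answer. The function names and the `temp-key:` comment tag are assumptions of this example; the `expiry-time` option needs OpenSSH 7.7 or later on the server.

```shell
#!/bin/sh
# Added example: short-lived entry in authorized_keys for a borrowed machine.
# Function names and the "temp-key:" tag are assumptions of this example.

valid_label() {  # label is later used inside a grep pattern, so keep it plain
    case $1 in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
}

# add_temp_key AUTH_FILE PUBKEY_FILE LABEL EXPIRY   (EXPIRY is YYYYMMDD)
add_temp_key() {
    valid_label "$3" || { echo "bad label" >&2; return 1; }
    case $4 in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "expiry must be YYYYMMDD" >&2; return 1 ;;
    esac
    # Exactly one line: PuTTYgen's "Save public key" file is multi-line
    # RFC 4716 and must be converted first (ssh-keygen -i -f FILE).
    [ "$(grep -c . "$2")" -eq 1 ] || { echo "need a one-line key" >&2; return 1; }
    key=$(awk 'NF {print $1, $2}' "$2")   # type + blob, original comment dropped
    case $key in
        ssh-ed25519\ ?*|ssh-rsa\ ?*|ecdsa-sha2-*\ ?*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    # expiry-time makes sshd reject the key after that date even if the
    # manual cleanup is forgotten; the other options limit what it can do.
    printf 'expiry-time="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s temp-key:%s\n' \
        "$4" "$key" "$3" >> "$1"
}

# remove_temp_key AUTH_FILE LABEL
remove_temp_key() {
    valid_label "$2" || { echo "bad label" >&2; return 1; }
    tmp=$(mktemp "$1.XXXXXX") || return 1
    # grep exits 1 when nothing is left to print; that is not an error here
    grep -v " temp-key:$2\$" "$1" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$1"
}

# Usage on the server (paths, label and date are constructed for illustration):
#   add_temp_key ~/.ssh/authorized_keys /tmp/boss.pub boss-pc 20300101
#   remove_temp_key ~/.ssh/authorized_keys boss-pc
```

Compare the key's fingerprint (`ssh-keygen -l -f FILE`) with the one shown on the borrowed machine before adding it.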

A good solution is to have the key on a dedicated hardware device that will do all your crypto operations without even revealing the key material to the host computer. You can use any PKI card supported by OpenSC, an OpenPGP smartcard (supported by both GnuPG and OpenSC) or a Yubikey (which in this case will behave just like an OpenPGP card).

For OpenSC-supported cards, install OpenSC and tell OpenSSH to use it:

ssh -I /usr/lib/opensc-pkcs11.so user@server

For GnuPG you can use the GPG agent as an SSH agent which will expose the card's keys through that. Note that unless you need passphrase/PIN caching I recommend using OpenSC over GPG.
