
I am running Debian with an Xfce desktop environment and while I've tried many solutions, I always need to enter the passphrase once upon every reboot.

  • In macOS, I can simply use ssh-add -l > /dev/null || ssh-add -A and macOS' default keychain manager will remember the password in its keychain, resulting in no longer needing to enter the passphrase, but the -A won't work in Debian.

    I have the following in .bashrc:
    # reuse one agent across shells: create it only if the stable socket link is dead
    if [ ! -S ~/.ssh/ssh_auth_sock ]; then
      eval `ssh-agent`
      ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
    fi
    export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock
    # prompt for the passphrase only when the agent holds no keys yet
    ssh-add -l > /dev/null || ssh-add
  • I've also tried using keychain, which I thought was the same as macOS' keychain, however keychain also requires the passphrase upon every reboot.

How can I get some Debian key manager to remember the passphrase securely, thereby avoiding the entering of the passphrase forever?

  • Why don't you remove the passphrase, as the files should be accessible to your account only anyway? Commented Jun 1, 2020 at 13:49
  • @Zina If I remove the passphrase, all user programs and scripts will have access to my key id_rsa. I don't think that is safe. With some kind of keyring program, it's not 100% safe, but it's much safer than a plaintext key. Thanks. Commented Jun 1, 2020 at 14:22
  • @Zina Removing the passphrase from an SSH key is simply insecure and not recommended, as it's not the same as storing the passphrase as a hash by a keychain manager. The difference in security risk is that even if someone gains physical access to the device, they have to crack the hash, which isn't likely (provided it was hashed securely), whereas the removal of the key's encryption entirely allows usability to anyone gaining physical access to the key file. Commented Jun 1, 2020 at 14:23
  • @JW0914 - I know, but he wants to not enter the passphrase after a reboot... so he is making his keys vulnerable in case the account is hacked anyway, if he will not need to enter the passphrase... Commented Jun 1, 2020 at 14:25
  • @Zina I am more worried about normal programs than about my account getting hacked. I have already explained this in the above comment. Hacking a key stored in memory is a different story from simply accessing a plaintext key on my hard drive. All programs/scripts will have access to my keys if I remove the passphrase. That is really a different story. Commented Jun 1, 2020 at 14:30

1 Answer


Nearly all approaches involve PAM in one way or another, because your system login password is the only piece of information that's obtained without having to store it on disk.

The simplest method is pam_ssh which will automatically start ssh-agent and use your system password to load all keys from standard locations and from ~/.ssh/session-keys.d/.

On Debian the libpam-ssh package will automatically insert the module in the correct location. Other similar methods:

  • pam_gnome_keyring uses your login password to unlock GNOME Keyring, which stores passphrases for your SSH keys.
  • pam_ecryptfs uses your login password to unlock an encrypted eCryptFS filesystem, where you can place your keys without any passphrase.
  • pam_gnupg uses your login password to unlock keys stored in gpg-agent (which may be PGP, SSH, or S/MIME keys).

If you do not want the boot process to show any password prompts whatsoever... well, there's no secure way to store keys on your system. At best you can make use of a TPM chip or some other hardware token to store RSA keys without the possibility to extract them – they'll be bound to the hardware element they're on.

  • Many new computers come with a TPM module, or (in case of desktops) a pin header to connect one bought separately, or occasionally a "fTPM" emulated via firmware. Such modules can hold symmetric and asymmetric keys.
  • There are some USB "smart card" tokens providing either a PIV or OpenPGP interface, and both can be used for SSH. For laptops, some YubiKey models fit almost entirely inside a USB port.
  • Thank you very much for your answer. I am OK with entering the login password at boot time. I actually need to enter the LUKS password too. I just don't want to enter the ssh key's passphrase. That's all. Regarding the pam_ssh solution, can you please show the steps for how to do it? In the meantime, I will google for it and hopefully I can figure it out. Thanks a lot. Commented Jun 1, 2020 at 14:26
  • @sgon00 YubiKeys are one of the best methods to manage SSH & GPG keys, and are how I manage mine. YubiKeys still require the 8-digit user PIN to unlock the SSH key stored on the YubiKey, with the time between re-auths for the PIN being customizable. Commented Jun 1, 2020 at 14:29
  • @JW0914 thanks for introducing YubiKeys, but I don't want to enter any keys for this purpose on every reboot. I just want my login to unlock ssh keys. Login password should be enough for this purpose. Commented Jun 1, 2020 at 14:32
  • @sgon00 There's likely a way to automate, with Yubico offering an extensive docs collection on their site that may be worth checking out. gpg is used to manage the keys on the YubiKey and GPG Authentication and SSH keys are interchangeable, you just need to ensure your SSH key is the first Authentication key stored (additional reference). If you choose to go that route, the YubiKey Nano is meant to remain plugged into a device semi-permanently. Commented Jun 1, 2020 at 14:39
  • For Debian, there's only one step: install the libpam-ssh package. Commented Jun 1, 2020 at 14:57
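As an added example (not code from the question or the answer), a small POSIX sh script that checks whether a PAM service file stacks pam_ssh.so for both the auth and the session phase, and stages a key into ~/.ssh/session-keys.d with a permission check; the file paths and the sample PAM lines are constructed for illustration. One caveat worth knowing before going this route: pam_ssh decrypts the keys with the password typed at login, so a key's passphrase has to equal the login password for it to be loaded.

```shell
#!/bin/sh
# Added example for the pam_ssh route discussed above; not code from the thread.
# Paths and the sample PAM lines below are constructed for illustration.

# Succeed (0) only if pam_ssh.so is stacked for both the auth and the session phase
# of the given PAM file. On Debian, libpam-ssh wires this into /etc/pam.d/common-auth
# and common-session; the same check can be run against those files after installing.
pam_ssh_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+.*pam_ssh\.so' "$1" &&
    grep -Eq '^[[:space:]]*session[[:space:]]+.*pam_ssh\.so' "$1"
}

# Link a private key into <sshdir>/session-keys.d, the directory whose keys pam_ssh's
# session module adds to the agent it starts at login. The key is refused unless it is
# readable by its owner only, since the agent will hold it unlocked for the whole session.
link_session_key() {
    key=$1
    sshdir=$2
    [ -f "$key" ] || { echo "no such key: $key" >&2; return 1; }
    case $(stat -c %a "$key") in            # GNU stat, as on Debian
        600|400) ;;
        *) echo "refusing $key: must be mode 0600 or 0400" >&2; return 1 ;;
    esac
    mkdir -p -m 700 "$sshdir/session-keys.d" || return 1
    ln -sf "$key" "$sshdir/session-keys.d/$(basename "$key")"
}

# Self-contained run on constructed input: a sample PAM stack and a placeholder key file.
demo() {
    tmp=$(mktemp -d) || return 1
    cat >"$tmp/pam-sample" <<'EOF'
auth    sufficient  pam_ssh.so try_first_pass
auth    required    pam_unix.so
session optional    pam_ssh.so
EOF
    umask 077
    printf 'constructed placeholder, not a real key\n' >"$tmp/id_rsa"
    pam_ssh_enabled "$tmp/pam-sample" &&
    link_session_key "$tmp/id_rsa" "$tmp/ssh" &&
    [ -L "$tmp/ssh/session-keys.d/id_rsa" ]
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo && echo "pam_ssh stack present and key staged in session-keys.d"
```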
