@Fusion
Last active April 26, 2024 08:30
Use an SSH key stored, encrypted, on a USB stick

What does this do for me?

You will be able to keep your public/private key pairs on a USB stick with a reasonable level of security.

Using this script, you start a dedicated shell with its own ssh-agent, decrypt your key straight into that agent (the plaintext is piped to ssh-add and never written to disk), and have every loaded key unloaded again when you exit that shell.

Platforms?

  • OS X, Linux: fully supported
  • Windows: some manual intervention required

Creating your key:

  • Format a USB stick with two partitions (or just two folders) -- one for data ('DATA/'), the other for software ('SW/')
  • Copy the aescrypt binaries for every platform you use (aescrypt-osx, aescrypt-linux) to SW/bin/
  • Copy fob_init.sh to SW/bin/ as well
  • Store keysets in DATA/keys/{key_folder_name}
  • Twist! The private key file is encrypted with aescrypt -e {private key file}
  • Our files are, in fact, called key.id_rsa.aes and key.id_rsa.pub; fob_init.sh looks for exactly the name key.id_rsa.aes in the current folder
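A check for the key folder built in the steps above, added here as an example and not part of the gist: it walks a DATA/keys/{key_folder_name} folder, verifies that each *.aes carries the AES Crypt file signature and has its *.pub next to it, and flags any unencrypted private key left behind (for instance a forgotten decrypted copy). The filenames follow the convention above; the script name fob_check.sh is an assumption.

```shell
#!/bin/bash
# Audit a DATA/keys/<name> folder from the layout described above: every
# *.aes must be an AES Crypt file with a sibling *.pub, and no plaintext
# private key may sit next to them. Added example; filenames are assumed.

# AES Crypt files begin with the three-byte signature "AES" and a version byte.
is_aescrypt_file() {
    [ "$(head -c 3 "$1" 2>/dev/null)" = "AES" ]
}

# An unencrypted (or leftover decrypted) private key is recognisable
# by its PEM/OpenSSH armour on the first line.
is_plaintext_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q 'PRIVATE KEY-----'
}

# Returns 0 when the folder is clean, 1 after printing every finding.
check_keydir() {
    dir=$1
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.aes)
                if ! is_aescrypt_file "$f"; then
                    echo "NOT AES CRYPT: $f"; findings=$((findings + 1))
                fi
                if [ ! -f "${f%.aes}.pub" ]; then
                    echo "MISSING PUBLIC KEY: ${f%.aes}.pub"; findings=$((findings + 1))
                fi ;;
            *.pub) ;;
            *)
                if is_plaintext_private_key "$f"; then
                    echo "PLAINTEXT PRIVATE KEY: $f"; findings=$((findings + 1))
                fi ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Usage: fob_check.sh DATA/keys/<name>  (does nothing when run without args)
if [ $# -gt 0 ]; then
    check_keydir "$1" && echo "OK: $1 holds only encrypted private keys"
fi
```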

Whenever you wish to use a key, go to the folder containing the key pair:

  • {PATH}/SW/bin/fob_init.sh

Bonus!

ssh-env lets you load local keys (any path, not only the USB stick), provided they were previously encrypted with aescrypt. It prompts once for the passphrase and loads every file given on the command line.

Example usage:

  • ssh-env *.aes

fob_init.sh:

#!/bin/bash
# CFR: Heavily copied from https://github.com/DamnedFacts/ssh-fob/blob/master/fob_init.sh
#
# This will initialize a single shell with our ssh-agent and
# load our private key. No other shell should load this key,
# i.e. this will not be something executable through ~/.bashrc.
#
# Find the location of our init script. The aescrypt binaries are
# expected in the same directory (SW/bin/).
SELF="${BASH_SOURCE[0]}"
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# ssh agent setup
SSH_AGENT_BIN=$(which ssh-agent)
SSH_ADD_BIN=$(which ssh-add)
PLATFORM=$(uname -s)

# Runs when the agent shell exits: wipe every identity from the agent
# so nothing outlives the session.
function cleanup {
    [ -z "${SSH_AGENT_PID}" ] && exit 0
    echo
    echo "Current ssh keys are loaded, cleaning up:"
    ${SSH_ADD_BIN} -l | awk '{ print $3 }'
    echo
    echo "Unloading keys from ssh-agent (${SSH_AGENT_PID})"
    ${SSH_ADD_BIN} -D
    echo
    sleep 1
}

# First pass (RC_EXECUTE unset): start a fresh ssh-agent that runs a new
# bash using this very script as its rcfile, so the second pass below
# happens inside the agent's own shell.
function preinit_agent {
    export RC_EXECUTE=YES
    [ -z "${SSH_AGENT_BIN}" ] && echo "No ssh-agent command found, exiting." && exit 1
    [ -z "${SSH_ADD_BIN}" ] && echo "No ssh-add command found, exiting." && exit 1
    echo "Initialising new SSH agent..."
    ${SSH_AGENT_BIN} bash --rcfile "${SELF}" || exit 1
    echo finished!
}

# Second pass (inside the agent shell): decrypt key.id_rsa.aes from the
# current directory straight to stdout and feed it to ssh-add over stdin,
# so the plaintext key never touches disk.
function agent_init {
    echo "Adding SSH keys to keychain"
    case "${PLATFORM}" in
        Darwin*) aesbinary=aescrypt-osx;;
        *)       aesbinary=aescrypt-linux;;
    esac
    clearkey="$("${DIR}/${aesbinary}" -d -o - key.id_rsa.aes)" || { echo "Decryption failed: bailing."; exit 1; }
    ${SSH_ADD_BIN} - <<< "${clearkey}"
    unset clearkey
    # Note: this alias forwards the agent to every host you ssh into; a
    # compromised remote host can use the loaded key while you are connected.
    alias ssh="ssh -A"
    export PS1="\h:\W \u [ssh-agent]\$ "
}

# Source SSH settings, if applicable
if [ -z "${RC_EXECUTE}" ]; then
    preinit_agent
elif [ -n "${RC_EXECUTE}" ]; then
    trap cleanup EXIT QUIT
    agent_init
fi

ssh-env:

#!/bin/bash
# CFR: Heavily copied from https://github.com/DamnedFacts/ssh-fob/blob/master/fob_init.sh
#
# This will initialize a single shell with our ssh-agent and
# load the private keys given on the command line (aescrypt-encrypted
# files, e.g. ssh-env *.aes). No other shell should load these keys,
# i.e. this will not be something executable through ~/.bashrc.
#
# Find the location of our init script. The aescrypt binary is looked
# up on PATH here, not in this directory.
SELF="${BASH_SOURCE[0]}"
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# ssh agent setup
SSH_AGENT_BIN=$(which ssh-agent)
SSH_ADD_BIN=$(which ssh-add)
PLATFORM=$(uname -s)

# Runs when the agent shell exits: wipe every identity from the agent
# so nothing outlives the session.
function cleanup {
    [ -z "${SSH_AGENT_PID}" ] && exit 0
    echo
    echo "Current ssh keys are loaded, cleaning up:"
    ${SSH_ADD_BIN} -l | awk '{ print $3 }'
    echo
    echo "Unloading keys from ssh-agent (${SSH_AGENT_PID})"
    ${SSH_ADD_BIN} -D
    echo
    sleep 1
}

# First pass (RC_EXECUTE unset): remember the files to load, then start a
# fresh ssh-agent that runs a new bash using this script as its rcfile.
function preinit_agent {
    export RC_EXECUTE=YES
    export RC_FILES="$*"
    [ -z "${SSH_AGENT_BIN}" ] && echo "No ssh-agent command found, exiting." && exit 1
    [ -z "${SSH_ADD_BIN}" ] && echo "No ssh-add command found, exiting." && exit 1
    echo "Initialising new SSH agent..."
    ${SSH_AGENT_BIN} bash --rcfile "${SELF}" || exit 1
    echo finished!
}

# Second pass (inside the agent shell): ask once for the passphrase and
# decrypt each file straight into ssh-add over stdin.
function agent_init {
    echo -n "Enter encryption passphrase: "
    read -rs passphrase
    echo
    echo "Adding SSH keys to keychain"
    case "${PLATFORM}" in
        Darwin*) aesbinary=aescrypt-osx;;
        *)       aesbinary=aescrypt-linux;;
    esac
    for filename in ${RC_FILES}; do
        # Note: -p puts the passphrase on the aescrypt command line, where
        # other local users can read it from the process list while it runs.
        clearkey="$(${aesbinary} -d -p "${passphrase}" -o - "${filename}")"
        [ $? -ne 0 ] && { echo "Bad passphrase or file: bailing."; exit 1; }
        ${SSH_ADD_BIN} - <<< "${clearkey}"
    done
    unset passphrase clearkey
    # Note: this alias forwards the agent to every host you ssh into; a
    # compromised remote host can use the loaded keys while you are connected.
    alias ssh="ssh -A"
    export PS1="\h:\W \u [ssh-agent]\$ "
}

# Source SSH settings, if applicable
if [ -z "${RC_EXECUTE}" ]; then
    [ -z "$1" ] && { echo "Syntax: provide encrypted private file"; exit 1; }
    preinit_agent "$@"
elif [ -n "${RC_EXECUTE}" ]; then
    trap cleanup EXIT QUIT
    agent_init
fi