I couldn't find any good reference on how to set this up, so I wrote this up.

I wanted to use a USB thumbdrive for storing ssh keys, while making it easy to load and unload ssh keys
into ssh-agent. Done by hand this was a several-step process, which meant I 'just didn't use it' before
I set this up.

Why would you want this: Notebooks are handy. They are also heavy, and are attractive targets for theft. USB thumbdrives are small, portable, and can be kept with you 24/7. Some folks keep them on their 'keychains', but I tend to keep mine around my neck. With this setup, your notebook could be stolen/fscked up, and you'll still have access to your keys. It is also designed to be quick & usable in practice.

You'll need: a Linux workstation w/ root access, a *nix server, a USB thumbdrive, ssh & all the related ssh bits (ssh-agent).

  • Easy to use
  • 'secure'
  • auto-mount of usb thumbdrive
  • Launch ssh-add to add or remove keys
  • no command line options; set keys, or remove them like magic
  • Not have to deal with passphrases all the bloody time.

    Step one: Get usb working & mounting by hand with correct perms

    Most distros should do this out of the box these days

    If all goes well, you should see something like this in dmesg when you insert a usb thumbdrive:

    hub.c: new USB device 00:1f.2-2, assigned address 7
    WARNING: USB Mass Storage data integrity not assured
    USB Mass Storage device found at 7
    SCSI device sda: 256000 512-byte hdwr sectors (131 MB)
    sda: Write Protect is off
    /dev/scsi/host0/bus0/target0/lun0: p1
    usb.c: USB disconnect on device 00:1f.2-2 address 7

    Now, you should be able to mount the drive by hand using this command as root:

    mount /dev/sda1 /mnt/floppy

    If you have SCSI drives in your system, it will be a different device name. See the dmesg output to figure out what it is.
    The good news is that each time you hot-plug it (provided it was shut down/unmounted cleanly last time), it will show
    up under the same device name (in this case, /dev/sda).

    If this doesn't work, check with your distro's manpages, help etc. In most 'redhat-like' distros, you'll need to have usbd
    or hotplug running. Newer distros (anything released in the last 1-2 years) should have this installed by default. If you
    are running something old (2.2 kernel based?), it's high time you upgrade anyway. :)

    You'll know this worked if mount returned no error, and 'mount' shows it listed. When you are done getting it online, be sure to umount it (umount /mnt/floppy).

    Step two: Get usb thumbdrive mounting under non-root user

    This is pretty easy to do, but has a number of steps. You will need to be root for most of these commands.
    It also requires a bunch of whacko flags in your /etc/fstab.

    First of all, find your user and group id. This can be done via:

    # grep ericj /etc/passwd
    ericj:x:1001:100:Eric Johanson:/home/ericj:/bin/bash

    In this case, my uid (user id) is 1001, and my gid (group id) is 100.

    Now that we know that, we need to make a mountpoint. I used /mnt/flash. Make sure those perms are ok by doing something like this:

    # mkdir /mnt/flash
    # chown ericj /mnt/flash
    # chmod 700 /mnt/flash
    # ls -lartd /mnt/flash
    drwx------    2 ericj    root           48 Apr 10 12:38 /mnt/flash

    OK, almost done; now it's time to add a line to the fstab file which allows our user to mount.

    Add a line something like this (you may have to change this if you didn't use /mnt/flash as your mountpoint):

    /dev/sda1               /mnt/flash      vfat            noauto,user,uid=1001,gid=100,umask=077,exec   0 0

    Most fstab files use tabs between fields. You should do the same. :)
    You should set uid & gid to your user's uid & gid. The other flags matter too: 'noauto' keeps the drive out of the boot-time mounts,
    'user' lets a non-root user mount it (and implies nosuid, nodev and noexec, which is why 'exec' is added back afterwards), and
    'umask=077' makes every file on the drive mode 0600-ish. That last one isn't cosmetic: ssh refuses to use a private key that is
    group- or world-readable, and vfat has no per-file perms of its own, so the mount options are the only thing setting them.

    Time to give it a try; your user should now be able to mount /mnt/flash, read everything on the drive, and umount /mnt/flash.

    If that doesn't work:
  • Your kernel may not have support for vfat filesystems. You should rebuild it to include this, or modprobe the module. Most distros have this by default. Resist the urge to format your flash disk ext2/ext3/reiser. While this will work, it reduces your options.
  • Some distros may require installing the 'dosfsutils' rpm/deb/package/ebuild.
  • You may have the wrong uid & gid.
  • You may have USB problems. See step 1.

    Step three: Make some keys

    If you have ssh keys, skip to step 4

    This is pretty easy. As your non-root user, run this:
    	$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa

    Make sure you set a passphrase. If you don't, then it's very easy for someone who finds your thumbdrive to access your servers!

    You should now have ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub

    Step four: Get the keys on the server

    The easiest method to do this: Copy your id_rsa.pub into ~/.ssh/authorized_keys2 on the host you want to ssh into.

    The keys should look like this (but without any CRs or LFs!!):

    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEApOYrQc/LE7rJ3ZX31GQPMTjnulLadypRJbCpA36va8Jgrv2J7ZHean0schzOb8epypEjLvyNKJz6wZ7o++cWZcTsdkj3d1Sfvm8Ee5RbmT71GtlWU= test@hostname

    If all is well, you should be able to ssh into your server, enter your ssh key passphrase, and log in!

    Typical problems are perms on the authorized_keys2 file on the server. Make sure that you do a chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys2. If you still have problems, dig around on the net. Your sshd_config may disable keys, or something else might be happening.

    Step five: Get ssh agent working without automation

    ssh-agent should be started with your X session. You should see it via `ps auxw | grep ssh`. It should also have set two items in your environment (check with `env | grep SSH`).

    If you don't have those items, it's time to read online elsewhere. If you run purely from a terminal, you'll need to start it once, and then set the env. variables each time you start a pty. It's a real pain. If you start the agent before you start GNU screen, you'll have the env. set up on each terminal session inside it. Try a gui sometime. Don't worry, vi will still work. :)

    So, at this point, run: `ssh-add`. It should prompt you for your passphrase, and then return you to a prompt. `ssh-add -l` should list your key. If all of that works, you should then be able to ssh into your server without being prompted for a passphrase. If not, try looking in your server error logs, or try ssh -v user@host.com

    Step six: Get your keys onto the thumbdrive

    As your non-root user, do the following:
    mount /mnt/flash
    cd ~
    mkdir /mnt/flash/keys
    cp ~/.ssh/id_rsa /mnt/flash/keys/
    cp ~/.ssh/id_rsa.pub /mnt/flash/keys/
    mkdir ~/backup_keys
    mv ~/.ssh/id_rsa ~/backup_keys
    mv ~/.ssh/id_rsa.pub ~/backup_keys
    ln -s /mnt/flash/keys/id_rsa ~/.ssh/id_rsa
    ln -s /mnt/flash/keys/id_rsa.pub ~/.ssh/id_rsa.pub
    umount /mnt/flash

    That should have copied your keys onto the thumbdrive, and created symlinks from your home directory to the files on the drive
    (so ssh and ssh-add only find the private key while the drive is mounted). We also have a backup copy of the keys under
    ~/backup_keys. You should back these up to a floppy or cdr, and REMOVE THEM from your notebook.

    Download this and stick it in your path somewhere. You'll need to chmod 755 it. You may need to tweak the command line options.

    You should try running key_loader.sh. It should mount your thumbdrive, and prompt you for your passphrase. Next time you run it, it should remove your keys from RAM.

    Umm... that's it. You are done. Be sure that you've removed all of your keys from ~/backup_keys/*
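    The script below is an example added to this write-up; it is not the author's key_loader.sh (which is not reproduced here), but does what steps five and six describe: mount the thumbdrive, load the key into the agent, and on the next run remove the keys again. It assumes the /mnt/flash mountpoint from step two and the /mnt/flash/keys/id_rsa path from step six. The mount retry loop (for slow hotplug, see "Other notes") and the umount right after ssh-add are my additions; the SSH_ADD variable only exists so the decision logic can be exercised without a live agent.

```sh
#!/bin/sh
# key_loader.sh-style toggle (example for this write-up, not the original script).
# Assumptions: /mnt/flash mounts per the fstab line in step two, and the private
# key sits at /mnt/flash/keys/id_rsa per step six.
FLASH=${FLASH:-/mnt/flash}
KEY=${KEY:-$FLASH/keys/id_rsa}
SSH_ADD=${SSH_ADD:-ssh-add}   # overridable so agent_state can be tested with a stub

# Classify the agent: prints "loaded", "empty" or "no-agent".
# ssh-add -l exits 0 when it lists identities, 1 when the agent holds none,
# and 2 when no agent is reachable (SSH_AUTH_SOCK unset, agent gone, ...).
agent_state() {
  if "$SSH_ADD" -l >/dev/null 2>&1; then rc=0; else rc=$?; fi
  case $rc in
    0) echo loaded ;;
    1) echo empty ;;
    *) echo no-agent ;;
  esac
}

# Mount the thumbdrive, retrying because hotplug may still be loading drivers.
mount_flash() {
  tries=0
  while ! mount "$FLASH" 2>/dev/null; do
    tries=$((tries + 1))
    if [ "$tries" -ge 5 ]; then
      echo "could not mount $FLASH (is the drive plugged in?)" >&2
      return 1
    fi
    sleep 2
  done
}

# ssh-add prompts for the passphrase; afterwards the decrypted key lives only in
# the agent's memory, so the drive is unmounted straight away and can be pulled.
load_keys() {
  mount_flash || return 1
  rc=0
  "$SSH_ADD" "$KEY" || rc=$?
  umount "$FLASH"
  return $rc
}

# -D drops every identity. -d would need the matching .pub file, which is on the
# (now unmounted) drive, so the blanket flush is the simpler choice here.
unload_keys() {
  "$SSH_ADD" -D
}

# Map agent state to an action; kept as a pure function so it is testable.
action_for() {
  case $1 in
    loaded) echo unload ;;
    empty)  echo load ;;
    *)      echo abort ;;
  esac
}

main() {
  case $(action_for "$(agent_state)") in
    load)   load_keys ;;
    unload) unload_keys ;;
    abort)  echo "no ssh-agent reachable; is SSH_AUTH_SOCK set in this shell?" >&2; exit 2 ;;
  esac
}

# Only run main when executed as key_loader.sh, so the file can also be sourced.
case $0 in *key_loader.sh) main "$@" ;; esac
```

    Save it as key_loader.sh, chmod 755 it, and run it from a shell that has the agent's environment (a terminal started from your X session, or one inside a screen that was started after the agent). Running it with no agent reachable exits with status 2 instead of mounting anything.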

    Step seven: (incomplete) get cron to auto-remove keys if idle

    One of my next goals is to set up a script on cron that polls the keyboard interrupt count from /proc/interrupts. If the keyboard/mouse hasn't been used in X minutes, remove the keys from the ssh-agent.

    This code doesn't exist yet. If somebody finds/writes up such an item, please email it to me.
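    As an added example of the idea in step seven (my code, not the author's; the write-up says theirs didn't exist yet), the script below sums the interrupt counts of the lines in /proc/interrupts whose device name matches a pattern, and after X idle minutes runs ssh-add -D. The pattern 'i8042|keyboard' is an assumption: PS/2 keyboard and mouse lines are labelled i8042 on newer kernels and "keyboard" on 2.4-era ones, while a USB keyboard or mouse is counted under its host controller line (ehci_hcd/uhci_hcd/ohci_hcd), so adjust IRQ_PATTERN to match your box. One caveat not in the write-up: a cron job does not inherit SSH_AUTH_SOCK from your X session, so this runs as a loop started from the session itself rather than from cron.

```sh
#!/bin/sh
# Idle-key remover for step seven (example added to this write-up, not the author's code).
# Assumptions: keyboard/mouse interrupt lines in /proc/interrupts match IRQ_PATTERN,
# and SSH_AUTH_SOCK is in this script's environment (start it from the X session).
INTERRUPTS=${INTERRUPTS:-/proc/interrupts}
IRQ_PATTERN=${IRQ_PATTERN:-'i8042|keyboard'}
IDLE_MINUTES=${IDLE_MINUTES:-15}

# Sum the per-CPU counts of every line whose text matches $2 in file $1.
# A line looks like "  1:   1234   5678   IO-APIC   1-edge   i8042": after the
# "N:" label come one number per CPU, then the chip name; stop at the first
# non-numeric field.
irq_count() {
  awk -v pat="$2" '
    $0 ~ pat {
      for (i = 2; i <= NF && $i ~ /^[0-9]+$/; i++) total += $i
    }
    END { print total + 0 }' "$1"
}

# Next value of the idle-minute counter: add one when the count did not move,
# otherwise reset to zero.  $1 = previous count, $2 = current count, $3 = idle so far.
next_idle() {
  if [ "$1" -eq "$2" ]; then echo $(($3 + 1)); else echo 0; fi
}

# Poll once a minute; after IDLE_MINUTES without keyboard/mouse interrupts flush
# the agent so a notebook you walked away from holds no usable keys.
watch_idle() {
  last=$(irq_count "$INTERRUPTS" "$IRQ_PATTERN")
  idle=0
  while sleep 60; do
    now=$(irq_count "$INTERRUPTS" "$IRQ_PATTERN")
    idle=$(next_idle "$last" "$now" "$idle")
    last=$now
    if [ "$idle" -ge "$IDLE_MINUTES" ]; then
      ssh-add -D >/dev/null 2>&1 && echo "idle for $idle min: keys removed from ssh-agent"
      idle=0
    fi
  done
}

# Only start the loop when executed as idle_unload.sh, so the functions can be sourced.
case $0 in *idle_unload.sh) watch_idle ;; esac
```

    Start it in the background from your X startup (idle_unload.sh &) so it sees the agent's socket; run `irq_count /proc/interrupts 'i8042|keyboard'` twice while typing to confirm the pattern actually picks up your input devices before trusting it.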

    Other notes...

    I also tend to stick a few other items on my thumbdrives.

  • putty, pageant & pscp.exe
  • putty-formatted ssh keys
  • Copy of my hosts' public keys

    Putting all of this stuff on a vfat-formatted thumbdrive means that if you find a random Windows box, you are able to use your keys.

    Many of these thumbdrives sport a hardware 'readonly' jumper. This is a _great_ feature. It prevents your data from getting fscked up if something doesn't unmount cleanly, and stops Windows crud/Mac OS X crud from showing up on the volume. If you don't have one of these, consider adding 'ro' to your fstab option list.

    I've seen some cases where the hotplug agent is slow loading the drivers for the usb device, so you may have to wait a few seconds before running 'key_loader.sh'. One box had to run the 'mount' command twice before it would load the drivers & mount ok.

    You could get key_loader to run from an icon on your desktop. I've never tried this, as I spend most of my days in terminals.

    Somebody showed me a sexy .reg file that would import your server host keys, so you wouldn't have to verify them by hand each time. I don't spend enough time in Windows to bother emailing the person about the format of the .reg files, but I know it's possible. It also adds your 'server profiles' for you. Sexy, Sexy.

    Questions/comments/flames? You could email me at sshusb @ v i l o s DOT com
    -Eric Johanson