← Back to context

Comment by enkrs

13 hours ago

If the argument for a password login is being able to log in from anywhere, just store a spare ssh key (password protected) in your gmail or similar that's reasonably safe and accessible from anywhere.

But I'm having hard time imagining those "anywhere" machine scenarios. Strangers machines that you trust enough to connect to your servers, and are able to install putty or your preferred ssh client of choice on? Better just have SSH on your own phone and laptop.

16 comments

enkrs

Reply
sam_lowry_  13 hours ago

> I'm having hard time imagining those "anywhere" scenarios

Hold my beer.

You ski in the Alps, its noon, and you get an alert that your DB is down.

You know this may happen because of invasive bots, and you know what to do, so you just find a calm spot at the high-altitude cafe, ssh from the phone, find the infringing bot's IPs, block them with ipset and send yourself an email to deal with the problem properly later.

Then you ski happily until dusk, knowing that users won't be affected.

  • saurik  12 hours ago

    I think "anywhere" here has to mean "any random device you come across", not merely "any strange location", as the premise is being able to log in with just a password rather than a key... I often use my phone to do tasks, but I do it with an ssh key on my phone.

    • kenhwang  12 hours ago

      Back when I worked from my phone while in the ski lift line, the solution really is to keep an SSH key on the phone if I intended to do any work from it.

      If I really had to access work resources from any random device, I'd go through the ordeal of logging into the SSO to log in to the web console to open a temporary cloud SSH session with the multiple layers of 2FA and probably even SecOps manual approvals that's likely required.

  • doorsopen  12 hours ago

    As someone who works with SREs every day, this breaks my heart.

    1 - Don't be on-call while going to ski

    2 - fail2ban and other automated systems can do this for you

    3 - Passwords suck and are typically not regularly rotated unless you're using some centralized IdP

    If you're in this situation you have already failed. If you use password auth use 2FA as well, and then I don't cry, it's just toil though.

    • sam_lowry_  10 hours ago

      1. It breaks my heart to see indie dev spirit die even on HN.

      2. it's brittle and too automated to my taste. There may be false positives that I'd fait to review if it was too automated.

      3. There should be a very limited set of passwords for your main assets. For instance, one for infrastructure, one for a password manager, one for the safe at home. And they should never be rotated. They are meant to be ingrained in muscle memory and stay with you for many years.

  • sam_lowry_  13 hours ago

    Another one: you sold an online business and forgot about it until the moment the buyer contacts you asking for a meeting exactly when you decide whether you want to go to the bomb shelter or risk staying in the appartment building so conveniently located next to a damb that protects Kyiv from flooding.

    You decide that staying on the 9th floor on the path of cruise missiles to the damb is too risky, pick your good old Toughbook that has enough juice to last until dawn, and go downstairs, asking the buyer over phone to reset the root password and send it over whatsapp.

    Once installed in the shelter, you quickly realize the disk is full, clean the logs and give furter instructions to the buyer to pass on to his IT.

    • teruakohatu  12 hours ago

      Instead: you WhatsApp your public ssh key to the buyer and login once they confirm your key has been added.

      I have had to send my ssh pub key over all sorts of messaging platforms.

      4 replies →

  • xorcist  12 hours ago

    > ssh from the phone

    That strengthens the previous commenters point. That personal phone is not an "anywhere" device but one that already carries the necessary software and can both interface your yubikey or carry your encrypted keys.

    A better example would be the same ski trip but where the data connection is bad on nonexistent so you borrow the hotel's computer to make the emergency fix.

    We used to do things like that, complete with post trip password rotations. I carried a laminated card in my wallet with the important key fingerprints. But with devices like the yubikey and cheap international data roaming, that has gotten less common.

    • sam_lowry_  11 hours ago

      A Google or Apple phone carrying encryption keys to my precious servers? Hm... I feel already pwned.

      Jokes aside, I can not be bothered installing ssh keys on my phone. Phones change, get broken or stolen. Ssh clients on phones change as well and can not always be relied upon. I want to be 100% sure I can have ssh access to my servers in whatever improbable situation.

      As for Yubikey... I used it for a while as a keyboard emulator to generate a string to prepend to my corporate laptop password that had insane strength requirements.

      For personal and small business auth... it is too complex and brittle.

      And frankly, what's the problem with a strong password? Like... a quote from Netzsche translated in a mix of French and Dutch with a couple special chars thrown in?