
SSH Public Keys -> Pageant -> PWD



Posted

Questions,

 

I use Private Keys to login to SSH on my Servers, but I still have to enter a Pwd for the Key!

 

Now I load Pageant on boot of my PC to load the keys, but the annoyance is that I still need to open my pwd manager, copy and paste the pwd.

Is there a way around this? I have been searching but could not find a solution.

There is a solution, but that is one I don't like: create keys WITHOUT a PWD.

 

Anyone any idea?

 

Ps: How I use pageant to load the keys at startup is via this


 

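Windows Registry Editor Version 5.00

; cmd's "start" treats its first quoted argument as the window title,
; so an empty title (\"\") is passed before the path to pageant.exe.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"zz_Pageant"="cmd /c \"for %i in (\"%USERPROFILE%\\*.ppk\") do start \"\" \"%ProgramFiles%\\PuTTY\\pageant.exe\" \"%i\"\""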

 

Posted

I had a similar problem about 10 years ago, I solved it by purchasing something named 'SecureCRT', I no longer have this problem.

 

It's not free but well worth the money, a mere $100-$130 for a perpetual license, about $13 a year for me so far as I went with the version that also does the file transfer.

 

This is a very well known piece of software but most people seem to end up using the free option which is kind of limited.

Posted

why not use Putty to login into your server with SSH? it's free, and it can generate the keys you need to login into SSH

 

you can also choose your keys without a further "pass phrase",

 

once it's saved, no need to add anything

Posted
5 minutes ago, GrandPapillon said:

why not use Putty to login into your server with SSH? it's free, and it can generate the keys you need to login into SSH

 

you can also choose your keys without a further "pass phrase",

 

once it's saved, no need to add anything

You know that Pageant is the key management system for Putty right?

 

Posted
28 minutes ago, ukrules said:

You know that Pageant is the key management system for Putty right?

 

all I know is the binary in Putty, keygen.exe, maybe newer version of Putty have a different tool

 

the point is you save the key, setup putty sessions to load the private key when you start the SSH session, no need to manually input anything

 

not sure why you would need "SecureCRT" to do the same thing, and on the top of that, pay for it ????

 

I am sure I am missing something, so maybe you can explain LOL

Posted
11 minutes ago, GrandPapillon said:

not sure why you would need "SecureCRT" to do the same thing

I don't need it, I want it. There's a difference.
 

It's a high end professional tool which offers many conveniences, if you use SSH a lot, as in all day every day then you really could benefit from something like this.

 

Posted
1 minute ago, ukrules said:

I don't need it, I want it. There's a difference.
 

It's a high end professional tool which offers many conveniences, if you use SSH a lot, as in all day every day then you really could benefit from something like this.

 

really, how for example? I use putty extensively, and I haven't seen anything better at this stage. Commercial packages always seem bloated with unnecessary garbage. Is there any particular feature you couldn't find on Putty or other open source solution?

Posted

I don't get the point, please elaborate.

I suppose that you don't want to create a key with empty password for security reasons. But how does that differ from loading the password into memory? If your computer will get hacked then hackers will get access to your servers anyway, be it empty password or password extracted from the RAM.

Posted (edited)
10 hours ago, fdsa said:

I don't get the point, please elaborate.

I suppose that you don't want to create a key with empty password for security reasons. But how does that differ from loading the password into memory? If your computer will get hacked then hackers will get access to your servers anyway, be it empty password or password extracted from the RAM.

You have a point, but I am keeping my PC very secure, and also the idea (read: mine) is that using the password option with the key in Pageant makes their life just a bit more miserable if they do hack the PC.

I would prefer if Pageant used a Master Password which protects all the keys' passwords, but it seems that option is not available.

Edited by MJCM
Posted
14 hours ago, GrandPapillon said:

why not use Putty to login into your server with SSH? it's free, and it can generate the keys you need to login into SSH

 

you can also choose your keys without a further "pass phrase",

 

once it's saved, no need to add anything

Already using Putty! Keys generated with Puttygen and managed by Pageant!

 

And using no "Pass Phrase" I already said I don't like that in the OP.

 

https://www.digitalocean.com/community/tutorials/how-to-use-pageant-to-streamline-ssh-key-authentication-with-putty

Posted
7 hours ago, MJCM said:

Already using Putty! Keys generated with Puttygen and managed by Pageant!

 

And using no "Pass Phrase" I already said I don't like that in the OP.

 

https://www.digitalocean.com/community/tutorials/how-to-use-pageant-to-streamline-ssh-key-authentication-with-putty

so your passphrase for the key is too long and you want to auto-enter them in Putty with Pageant, that seems to be working fine from that link above

 

I personally use short passphrases I can remember and don't mind entering them every time, to make sure I don't forget them

Posted
7 hours ago, MJCM said:

I would prefer if Pageant used a Master Password which protects all the keys' passwords, but it seems that option is not available.

This master password option is available in the SecureCRT software which I mentioned above.

Posted
5 minutes ago, GrandPapillon said:

so your passphrase for the key is too long and you want to auto-enter them in Putty with Pageant, that seems to be working fine from that link above

 

no it doesn't get entered automatically. On Opening you still have to enter the pwd for every key file.

Posted
4 minutes ago, ukrules said:

This master password option is available in the SecureCRT software which I mentioned above.

I have seen that yes thx!

 

 

Posted
5 minutes ago, MJCM said:

no it doesn't get entered automatically. On Opening you still have to enter the pwd for every key file.

then why use pageant? use shorter passphrase that you can remember, problem solved.

 

Always a bad idea to have auto-login and auto-password in some setup, you will forget your password eventually, when you need it the most

 

and a master password for all "key passphrases"? jesus christ, that's a security disaster waiting to happen

Posted (edited)
2 minutes ago, GrandPapillon said:

then why use pageant? use shorter passphrase that you can remember, problem solved.

 

Always a bad idea to have auto-login and auto-password in some setup, you will forget your password eventually, when you need it the most

 

and a master password for all "key passphrases"? jesus christ, that's a security disaster waiting to happen

Yeah, OK. May I ask, have you ever used Pageant in combination with SSH Public / Private Keys?

 

Edited by MJCM
Posted (edited)

I am just trying to ease my workflow.

 

At the moment the following happens when I start my PC and I want to login into a server

 

- Pageant starts and loads the keys

- I have to open VeraCrypt (where my Pwd manager database is stored)

- Insert Yubikey

- Open the pwd manager

- Paste the pwd from the Server Key in Pageant.

etc etc

 

So I am trying to speed up this process a bit.

 

It's still only once a day (when the PC starts) but I was just asking if there is a way to do it.

 

:wai:

 

Edit: And then I haven't even discussed Fz yet, which (up till now) doesn't support v3 Puttygen keys, so I also still have to use v2 keys!

Edited by MJCM
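Added example (not part of any post in this thread, and not PuTTY's own code): a .ppk file states its format version and whether the private part is passphrase-encrypted in plain-text header lines, so both points raised above (keys without a passphrase, v2 versus v3 keys) can be checked without the passphrase. The function names `inspect_ppk` and `findings` are hypothetical and the two sample headers are constructed.

```python
import re
from pathlib import Path

# Constructed sample headers; the key material and MAC lines are left out.
SAMPLE_V2_PLAIN = (
    "PuTTY-User-Key-File-2: ssh-rsa\n"
    "Encryption: none\n"
    "Comment: constructed-example-key\n"
)
SAMPLE_V3_ENCRYPTED = (
    "PuTTY-User-Key-File-3: ssh-ed25519\n"
    "Encryption: aes256-cbc\n"
    "Comment: constructed-example-key\n"
)

FIRST_LINE = re.compile(r"^PuTTY-User-Key-File-(\d+): (\S+)$")

def inspect_ppk(text):
    """Parse the plain-text header of a .ppk file (no passphrase needed)."""
    lines = text.splitlines()
    match = FIRST_LINE.match(lines[0].strip()) if lines else None
    if match is None:
        raise ValueError("not a PuTTY private key file")
    fields = {}
    for line in lines[1:]:
        name, sep, value = line.partition(": ")
        if sep and name in ("Encryption", "Comment"):
            fields.setdefault(name, value.strip())
    if "Encryption" not in fields:
        raise ValueError("Encryption header missing")
    return {"version": int(match.group(1)), "algorithm": match.group(2),
            "encrypted": fields["Encryption"] != "none",
            "comment": fields.get("Comment", "")}

def findings(info):
    """Turn the parsed header into the two points raised in this thread."""
    notes = []
    if not info["encrypted"]:
        notes.append("no passphrase: anyone who copies the file can use the key")
    if info["version"] >= 3:
        notes.append("PPK v3: tools limited to v2 keys cannot load it")
    return notes

if __name__ == "__main__":
    # Same location the Run-key one-liner in the first post scans.
    for path in sorted(Path.home().glob("*.ppk")):
        info = inspect_ppk(path.read_text(errors="replace"))
        print(path.name, info, findings(info) or ["ok"])
```
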
Posted
4 minutes ago, MJCM said:

Yeah, OK. May I ask, have you ever used Pageant in combination with SSH Public / Private Keys?

 

you are missing the point, you need to remember the "pass phrase", not copy/paste them in some Excel spreadsheet or in some Wordpad document, that's the worst security MO

 

I use SSH Public/Private pair all the time for my servers, and I always remember the "pass phrase" and I am managing about a dozen servers.

Posted (edited)
2 minutes ago, GrandPapillon said:

you are missing the point, you need to remember the "pass phrase", not copy/paste them in some Excel spreadsheet or in some Wordpad document, that's the worst security MO

 

I use SSH Public/Private pair all the time for my servers, and I always remember the "pass phrase" and I am managing about a dozen servers.

Read my post above yours. But your point about using simplified pwds is noted!

Edited by MJCM
Posted (edited)
3 minutes ago, MJCM said:

I am just trying to ease my workflow.

 

At the moment the following happens when I start my PC and I want to login into a server

 

- Pageant starts and loads the keys

- I have to open VeraCrypt (where my Pwd manager database is stored)

- Insert Yubikey

- Open the pwd manager

- Paste the pwd from the Server Key in Pageant.

etc etc

 

So I am trying to speed up this process a bit.

 

It's still only once a day (when the PC starts) but I was just asking if there is a way to do it.

 

:wai:

something doesn't add up here, you seem to be doing it wrong, and adding steps you don't need. Is there a specific reason for that?

 

is that for some obscure crypto rig?

Edited by GrandPapillon
Posted
2 minutes ago, GrandPapillon said:

something doesn't add up here, you seem to be doing it wrong, and adding steps you don't need. Is there a specific reason for that?

 

is that for some obscure crypto rig?

Trying to be as secure as possible and just not using an Excel sheet for storing passwords

Posted

the issue seems to be your "password manager", adding a layer you don't really need

 

in theory Pageant should auto-login with your "pass phrase", so adding a tool in between is going to break that process

 

trying to guess what you do exactly from your post above, but I bet you are doing something you don't need to do

Posted
Just now, GrandPapillon said:

 

trying to guess what you do exactly from your post above, but I bet you are doing something you don't need to do

Just trying to keep ALL my passwords / Servers as safe as possible.

 

OK, a hack of my PC with Pageant that has the passwords in memory is a danger, but again, just trying to minimize that.

Posted

adding unnecessary tools or toolkit layer for password is just adding another level of risks

 

to secure all your password, you need to keep the number of tools to a bare minimum,

 

Putty is one, and your own memory

Posted
30 minutes ago, GrandPapillon said:

and a master password for all "key passphrases"? jesus christ, that's a security disaster waiting to happen

You are right, but what about Firefox and other browsers that have a master password to protect users' logins and passwords? That is all a security disaster waiting to happen.

 

It's just the world we are living in where the new user pwd is "welcome2021".

 

How many users use 2FA nowadays??

 

I have tried to explain 2FA to my wife, and she said it's too difficult, and what password did she use for her Facebook?? Her ID Card number.

 

But this is getting off-topic.

 

Thanks for pointing out your concerns and suggestions :wai:

Posted (edited)

saving your password for entertainment websites and your porn is hardly a big security threat

 

for banking, that's another issue

 

anyway good hackers these days go directly to servers, they don't need customers passwords

 

plenty of security threats in corporate servers that are still not patched,

Edited by GrandPapillon
Posted
28 minutes ago, fdsa said:

BTW 2FA is actually a good idea, just set up a TOTP and create a new SSH key without password - this way is much easier and you'll be secure enough and won't ever need to open the Veracrypt container except to recover the TOTP master key if your smartphone gets broken/stolen.

 

 

example:

https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04

nice but looks painful to setup

I prefer using my own memory, faster
