On Sat, Sep 30, 2017 at 9:28 AM, Roy Smith roy@panix.com wrote:
What’s the current best practice for auth on ToolForge?
I have a passphrase on my public ssh key. I’ll be accessing toolforge from my MacBook which is protected with Apple’s Touch ID fingerprint scanner. I’ll be nailing up a tmux session.
So, most of the time, there will be an active ssh session into wmflabs protected only by my fingerprint touch. If the ssh session goes down (i.e. reboot or network change), it’ll be a touch plus my ssh passphrase.
Is this considered an appropriate level of protection for this environment?
Having a strong passphrase on your private ssh key is recommended. Using an ssh-agent to hold your ssh key when decrypted is reasonable. Keeping an ssh session open via screen or tmux is acceptable. I would expect these three things to be in common use by a number of Toolforge / Cloud VPS users and administrators.
The only thing that is semi-unique about the setup you describe is the use of biometric auth for unlocking your laptop. I don't see that that makes your key handling practices inherently weaker (or stronger) than having a passphrase for unlocking.
Bryan
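As an added example (not code from either poster): a small Python check for whether an OpenSSH private key file on disk actually carries a passphrase, which is the first of the three practices recommended above. It parses the openssh-key-v1 header (cipher and KDF names) and falls back to the legacy PEM `Proc-Type` header; the sample key files are constructed inline with only the header fields this check reads, and are not real keys.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, offset):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def private_key_is_passphrase_protected(key_text):
    """Return True if the private key file is encrypted (needs a passphrase).

    Handles the current openssh-key-v1 format (ssh-keygen default since
    OpenSSH 7.8) and the legacy PEM format used by older -m PEM keys.
    """
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-style private key file")
    body = lines[1:-1]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        # An unencrypted key records cipher "none" and kdf "none".
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM: encrypted keys carry "Proc-Type: 4,ENCRYPTED" + DEK-Info headers.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body)


def _constructed_openssh_key(cipher, kdf):
    """Constructed sample: magic + cipher + kdf + empty kdfoptions, nothing more."""
    blob = OPENSSH_MAGIC
    for field in (cipher, kdf, b""):
        blob += struct.pack(">I", len(field)) + field
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


ENCRYPTED_SAMPLE = _constructed_openssh_key(b"aes256-ctr", b"bcrypt")
UNENCRYPTED_SAMPLE = _constructed_openssh_key(b"none", b"none")
LEGACY_ENCRYPTED_SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nAAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)
```

Run it over `~/.ssh/id_*` before adding a key to ssh-agent; a `False` result means the key on disk is unprotected if the laptop is lost.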