Comment on SSH keys stolen by stream of malicious PyPI and npm packages
lemann@lemmy.one 11 months agoI think they would start obfuscating the relevant code to get around it
Many ad networks and AABs do something similar (especially Admiral) in an attempt to evade ad blocking extensions
ShaunaTheDead@kbin.social 11 months ago
Do you think using a custom ssh key directory would prevent these malicious apps from working correctly or is there some environment variable that always points to the ssh key folder or I guess they could just run a search on the system for any files like *.pub. Are there any safety procedures that one can take to circumvent these kinds of attacks?
lemann@lemmy.one 11 months ago
I think so, assuming these malicious packages are all primitive enough to just look for the single file in a user’s home folder lol. The only downside here is needing to provide the keyfile location to ssh every time you want to connect… Although a system search would pretty much defeat that instantly as you mention
SSH keyfiles can be encrypted, which requires a password entry each time you connect to a SSH server. Most linux distros that I’ve used automatically decrypt the SSH keyfile for you when you log in to a remote machine (using the user keyring db), or ask you for the keyfile password once and remember it for the next hour or so (using the ssh-agent program in the background).
On Windows you can do something similar with Cygwin and ssh-agent, however it is a little bit of a hassle to set up. If you use WSL i’d expect the auto keyfile decryption to work comparably to Linux, without needing to configure anything