Comment on SSH keys stolen by stream of malicious PyPI and npm packages
ShaunaTheDead@kbin.social 11 months agoDo you think using a custom ssh key directory would prevent these malicious apps from working correctly or is there some environment variable that always points to the ssh key folder or I guess they could just run a search on the system for any files like *.pub. Are there any safety procedures that one can take to circumvent these kinds of attacks?
lemann@lemmy.one 11 months ago
I think so, assuming these malicious packages are all primitive enough to just look for the single file in a user’s home folder lol. The only downside here is needing to provide the keyfile location to ssh every time you want to connect… Although a system search would pretty much defeat that instantly as you mention
SSH keyfiles can be encrypted, which requires a password entry each time you connect to a SSH server. Most linux distros that I’ve used automatically decrypt the SSH keyfile for you when you log in to a remote machine (using the user keyring db), or ask you for the keyfile password once and remember it for the next hour or so (using the ssh-agent program in the background).
On Windows you can do something similar with Cygwin and ssh-agent, however it is a little bit of a hassle to set up. If you use WSL i’d expect the auto keyfile decryption to work comparably to Linux, without needing to configure anything