Comment by enkrs

Comment by enkrs 13 hours ago

16 replies

View on Hacker News

If the argument for a password login is being able to log in from anywhere, just store a spare ssh key (password protected) in your gmail or similar that's reasonably safe and accessible from anywhere.

But I'm having hard time imagining those "anywhere" machine scenarios. Strangers machines that you trust enough to connect to your servers, and are able to install putty or your preferred ssh client of choice on? Better just have SSH on your own phone and laptop.

sam_lowry_ 13 hours ago

> I'm having hard time imagining those "anywhere" scenarios

Hold my beer.

You ski in the Alps, its noon, and you get an alert that your DB is down.

You know this may happen because of invasive bots, and you know what to do, so you just find a calm spot at the high-altitude cafe, ssh from the phone, find the infringing bot's IPs, block them with ipset and send yourself an email to deal with the problem properly later.

Then you ski happily until dusk, knowing that users won't be affected.

Reply View 15 replies
  • saurik 12 hours ago

    I think "anywhere" here has to mean "any random device you come across", not merely "any strange location", as the premise is being able to log in with just a password rather than a key... I often use my phone to do tasks, but I do it with an ssh key on my phone.

    Reply View 1 reply
    • kenhwang 12 hours ago

      Back when I worked from my phone while in the ski lift line, the solution really is to keep an SSH key on the phone if I intended to do any work from it.

      If I really had to access work resources from any random device, I'd go through the ordeal of logging into the SSO to log in to the web console to open a temporary cloud SSH session with the multiple layers of 2FA and probably even SecOps manual approvals that's likely required.

      Reply View 0 replies
  • doorsopen 12 hours ago

    As someone who works with SREs every day, this breaks my heart.

    1 - Don't be on-call while going to ski

    2 - fail2ban and other automated systems can do this for you

    3 - Passwords suck and are typically not regularly rotated unless you're using some centralized IdP

    If you're in this situation you have already failed. If you use password auth use 2FA as well, and then I don't cry, it's just toil though.

    Reply View 1 reply
    • sam_lowry_ 10 hours ago

      1. It breaks my heart to see indie dev spirit die even on HN.

      2. it's brittle and too automated to my taste. There may be false positives that I'd fait to review if it was too automated.

      3. There should be a very limited set of passwords for your main assets. For instance, one for infrastructure, one for a password manager, one for the safe at home. And they should never be rotated. They are meant to be ingrained in muscle memory and stay with you for many years.

      Reply View 0 replies
  • sam_lowry_ 12 hours ago

    Another one: you sold an online business and forgot about it until the moment the buyer contacts you asking for a meeting exactly when you decide whether you want to go to the bomb shelter or risk staying in the appartment building so conveniently located next to a damb that protects Kyiv from flooding.

    You decide that staying on the 9th floor on the path of cruise missiles to the damb is too risky, pick your good old Toughbook that has enough juice to last until dawn, and go downstairs, asking the buyer over phone to reset the root password and send it over whatsapp.

    Once installed in the shelter, you quickly realize the disk is full, clean the logs and give furter instructions to the buyer to pass on to his IT.

    Reply View 5 replies
    • teruakohatu 12 hours ago

      Instead: you WhatsApp your public ssh key to the buyer and login once they confirm your key has been added.

      I have had to send my ssh pub key over all sorts of messaging platforms.

      Reply View 4 replies
      • sam_lowry_ 10 hours ago

        No way this person would understand what I want him to do. And if he would not understand, he would grow suspicious. No, no and and no again.

        Reply View 3 replies
  • xorcist 12 hours ago

    > ssh from the phone

    That strengthens the previous commenters point. That personal phone is not an "anywhere" device but one that already carries the necessary software and can both interface your yubikey or carry your encrypted keys.

    A better example would be the same ski trip but where the data connection is bad on nonexistent so you borrow the hotel's computer to make the emergency fix.

    We used to do things like that, complete with post trip password rotations. I carried a laminated card in my wallet with the important key fingerprints. But with devices like the yubikey and cheap international data roaming, that has gotten less common.

    Reply View 1 reply
    • sam_lowry_ 11 hours ago

      A Google or Apple phone carrying encryption keys to my precious servers? Hm... I feel already pwned.

      Jokes aside, I can not be bothered installing ssh keys on my phone. Phones change, get broken or stolen. Ssh clients on phones change as well and can not always be relied upon. I want to be 100% sure I can have ssh access to my servers in whatever improbable situation.

      As for Yubikey... I used it for a while as a keyboard emulator to generate a string to prepend to my corporate laptop password that had insane strength requirements.

      For personal and small business auth... it is too complex and brittle.

      And frankly, what's the problem with a strong password? Like... a quote from Netzsche translated in a mix of French and Dutch with a couple special chars thrown in?

      Reply View 0 replies
  • cyberpunk 11 hours ago

    If I’m skiing in the alps there’s no fucking way I am on call, and you shouldn’t accept it either…

    Reply View 2 replies
    • sam_lowry_ 10 hours ago

      Can you imagine that some people are their own bosses, with no backup whatsoever?

      Reply View 1 reply
      • cyberpunk 5 hours ago

        One person isn't enough to run a business with a 24/7 support requirement.

        Reply View 0 replies