ssh-agent was in the news recently due to the matrix.org compromise. The main takeaway from that incident was that one should avoid the ForwardAgent (or -A) functionality when ProxyCommand can do the job and consider multi-factor authentication on the server-side, for example using libpam-google-authenticator or libpam-yubico.
That said, there are also two options to ssh-add that can help reduce the risk of someone else with elevated privileges hijacking your agent to make use of your ssh credentials.
Prompt before each use of a key
The first option is -c which will require you to confirm each use of your ssh key by pressing Enter when a graphical prompt shows up.
Simply install an ssh-askpass frontend like ssh-askpass-gnome:
apt install ssh-askpass-gnome
and then use this option when adding your key to the agent:
ssh-add -c ~/.ssh/key
Automatically removing keys after a timeout
ssh-add -D will remove all identities (i.e. keys) from your ssh agent, but requires that you remember to run it manually once you're done.
That's where the second option comes in. Specifying -t when adding a key will automatically remove that key from the agent after a while.
For example, I have found that this setting works well at work:
ssh-add -t 10h ~/.ssh/key
where I don't want to have to type my ssh password every time I push a git branch.
At home on the other hand, my use of ssh is more sporadic and so I don't mind a shorter timeout:
ssh-add -t 4h ~/.ssh/key
Making these options the default
I couldn't find a configuration file to make these settings the default and so I ended up putting the following line in my ~/.bash_aliases:
alias ssh-add='ssh-add -c -t 4h'
so that I can continue to use ssh-add as normal and not have to remember to include these extra options.
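To act on the ForwardAgent advice at the top of this post, the following added example (not part of the original post) lists the blocks of an ssh client config that turn agent forwarding on, so they can be reviewed and moved to ProxyCommand. The function name and the sample config are constructed for illustration; Include files are not followed and overlapping Host patterns are not resolved.

```shell
#!/bin/sh
# Added example: report ssh client config blocks that enable agent forwarding.
# Assumptions: Include files are not followed and overlapping Host patterns
# are not resolved; each block is reported on its own.

forwardagent_blocks() {   # $1 = path to an ssh_config-style file
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            # Keywords are case-insensitive; "Key value" and "Key=value" are both valid.
            split(line, f, /[ \t=]+/)
            key = tolower(f[1])
        }
        # Remember which Host/Match block the following options belong to.
        key == "host" || key == "match" { block = line; next }
        # Any value other than "no" (yes, a socket path, $VAR) turns forwarding on.
        key == "forwardagent" && tolower(f[2]) != "no" {
            name = (block == "" ? "(global)" : block)
            print name ": ForwardAgent " f[2]
        }
    ' "$1"
}

# Constructed sample config, for illustration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host bastion
    ForwardAgent yes
Host internal-*
    ProxyCommand ssh -W %h:%p bastion
    forwardagent=no
Host build
    ForwardAgent = yes
Host *
    ForwardAgent no
EOF

forwardagent_blocks "$sample"
rm -f "$sample"
```

Run it against your own file with forwardagent_blocks ~/.ssh/config; an empty result means no block in that file enables forwarding.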
I recently acquired an AnyTone AT-D878UV DMR radio which is unfortunately not supported by chirp, my usual go-to free software package for programming amateur radios.
Instead, I had to set up a Windows 10 virtual machine so that I could set up the radio using the manufacturer's computer programming software (CPS).
Install VirtualBox
Install VirtualBox:
apt install virtualbox virtualbox-guest-additions-iso
and add your user account to the vboxusers group:
adduser francois vboxusers
to make filesharing between the host and the guest work.
Finally, reboot to ensure that group membership and kernel modules are all set.
Create a Windows 10 virtual machine
Create a new Windows 10 virtual machine within VirtualBox. Then, download Windows 10 from Microsoft and start the virtual machine, mounting the .iso file as an optical drive.
Follow the instructions to install Windows 10, paying attention to the various privacy options you will be offered.
Once Windows is installed, mount the host's /usr/share/virtualbox/VBoxGuestAdditions.iso as a virtual optical drive and install the VirtualBox guest additions.
Installing the CPS
With Windows fully set up, it's time to download the latest version of the computer programming software.
Unpack the downloaded file and then install it as Admin (right-click on the .exe).
Do NOT install the GD driver update or the USB driver; they do not appear to be necessary.
Program the radio
First, you'll want to download from the radio to get a starting configuration that you can change.
To do this:
- Turn the radio on and wait until it has finished booting.
- Plug the USB programming cable into the computer and the radio.
- From the CPS menu choose "Set COM port".
- From the CPS menu choose "Read from radio".
Save this original codeplug to a file as a backup in case you need to easily reset back to the factory settings.
To program the radio, follow this handy third-party guide since it's much better than the official manual.
You should be able to use the "Write to radio" menu option without any problems once you're done creating your codeplug.