
What are some good ways to protect against that?

My first thought is to create an entry in my ~/.ssh/config with an entry for the untrusted host I'm going to ssh in to, using the "IdentityFile" keyword to point to some bogus/misleading identity file. How does that sound?




In your .ssh/config file:

    Host *
    # Do not send pubkey to each and any host
    PubkeyAuthentication no
    # Use Agent
    IdentitiesOnly       yes

Then override 'PubkeyAuthentication' to yes for each known server you want to connect to.


A simple solution would be to create a dummy account and use that for sshing into untrusted hosts.


I wonder if you can turn off automatic use of public keys for "*", and then enable it in .ssh/config on an as-needed basis.


Totally possible, I do this. Also, I have a different key per host (using %h in IdentityFile).


Do you use pass-phrases with your per-host keys? I wanted to do this, but was unable to make it manageable. ssh-agent will only try so many keys before moving on.


No, I don't use key pass-phrases.


Just use a different key for github than for everything else. You can specify this in your ssh config using the IdentityFile directive.
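
Added example, not code from any commenter: ssh_config(5) uses the first value obtained for each option, so where the `Host *` block sits relative to the per-host overrides discussed above decides which `PubkeyAuthentication` value applies. This small resolver mimics that rule on two constructed configs; `effective`, the sample host names and the use of `fnmatch` as a stand-in for ssh's pattern matching are assumptions of the example.

```python
import fnmatch

MULTI = {"identityfile"}  # ssh keeps every IdentityFile; other options keep the first value

def effective(config_text, host):
    """Resolve options for host as ssh_config(5) does: top to bottom, first value wins."""
    opts, active = {}, True  # options before any Host line apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            pats = value.split()
            hit = any(fnmatch.fnmatchcase(host, p) for p in pats if not p.startswith("!"))
            veto = any(fnmatch.fnmatchcase(host, p[1:]) for p in pats if p.startswith("!"))
            active = hit and not veto
        elif active and key in MULTI:
            # Assumes no HostName directive, so %h is the name typed on the command line.
            opts.setdefault(key, []).append(value.replace("%h", host))
        elif active:
            opts.setdefault(key, value)
    return opts

# Constructed sample configs; untrusted.example is a placeholder host name.
HOST_BLOCK = """Host github.com
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/id_%h
"""
CATCH_ALL = """Host *
    PubkeyAuthentication no
    IdentitiesOnly yes
"""
CATCH_ALL_FIRST = CATCH_ALL + HOST_BLOCK
CATCH_ALL_LAST = HOST_BLOCK + CATCH_ALL

if __name__ == "__main__":
    for name, cfg in (("catch-all first", CATCH_ALL_FIRST), ("catch-all last", CATCH_ALL_LAST)):
        for host in ("github.com", "untrusted.example"):
            print(f"{name:16} {host:18} {effective(cfg, host)}")
```

With the catch-all block first, the per-host `yes` never takes effect; with it last, only the listed host gets public-key authentication and its own key file.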



