removing ssh access in an emergency

Ian Malone ibmalone at gmail.com
Wed Aug 30 22:06:51 UTC 2006


Mikkel L. Ellertson wrote:
> Ian Malone wrote:
>> This occurred to me this morning:
>>
>> I log into my home machine remotely using an ssh
>> authorised key which I keep on a USB stick.  In the
>> event it was lost or stolen it's pretty unlikely anyone
>> would use it to try to break into my machine, but
>> ideally you would want a remote way to disable the key.
>> Has anyone thought about this?
>>
>> My first thought was a user account with password
>> authentication that instead of a login shell would run a
>> program which deleted the authorized_keys file in
>> question.  Is this open to exploitation? (other than
>> running the risk that someone cracks the password
>> and prevents me logging in)
>>
> Well, if you have a good pass phrase on the private key on the USB
> stick, it will take them a while to break it and be able to use the
> key. This should give you more than enough time to remove the public
> key of the key pair from the authorized key file on the machines in
> question. If you have either a second authorized key for that
> account, or another account with a different authorized key, you can
> use that to remove the first key. Just make sure that you do not
> keep both private keys on the same media, or stored together in a
> way that would result in someone getting both keys at the same time.
> It is also a good idea to use a different pass phrase for each key.
> 

To be honest, what I would actually do is just generate a new key
when I got home and I tend to use seemingly random long alpha-numeric
mixed case strings with punctuation as passwords.  I was wondering
if there was a neater solution than using another key.

-- 
imalone
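
Added example (not part of the original messages): removing one public key from an authorized_keys file, as the quoted reply suggests doing from a second key or account. The function name revoke_key, its arguments and its exit codes are assumptions made for this illustration; it refuses to remove the last remaining key so that the revocation itself cannot lock the account out.

```shell
#!/bin/sh
# Added illustration; revoke_key and its exit codes are hypothetical, not from the thread.
# Usage: revoke_key ~/.ssh/authorized_keys lost_key.pub
# Exit: 0 removed, 1 key not present, 2 error, 3 refused (would leave no key).

revoke_key() {
    auth_file=$1
    pub_file=$2

    # A .pub file reads "<type> <base64-blob> [comment]"; the blob identifies the key.
    blob=$(awk 'NF >= 2 && $1 !~ /^#/ { print $2; exit }' "$pub_file")
    [ -n "$blob" ] || { echo "no public key in $pub_file" >&2; return 2; }

    # Temp file in the same directory so the final mv is an atomic rename;
    # mktemp creates it mode 0600, which sshd's StrictModes accepts.
    tmp=$(mktemp "${auth_file}.XXXXXX") || return 2

    # Keep comments and blank lines. Drop any entry with a field equal to the
    # blob; comparing every field copes with leading options such as command="...".
    awk -v blob="$blob" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        { for (i = 1; i <= NF; i++) if ($i == blob) next; print }
    ' "$auth_file" > "$tmp" || { rm -f "$tmp"; return 2; }

    if cmp -s "$auth_file" "$tmp"; then
        rm -f "$tmp"
        echo "key not present in $auth_file" >&2
        return 1
    fi

    remaining=$(awk '!/^[ \t]*#/ && !/^[ \t]*$/ { n++ } END { print n + 0 }' "$tmp")
    if [ "$remaining" -eq 0 ]; then
        rm -f "$tmp"
        echo "refusing: no other key would remain" >&2
        return 3
    fi

    mv "$tmp" "$auth_file"
}
```

Matching on the key blob rather than the comment means a renamed or re-labelled copy of the lost key is removed as well.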



