Does anybody know a way of either converting (on android) a putty key to something I can use in ConnectBot, or a good android SSH app that can use Putty keys natively?

I am away from home without my laptop, which I would usually use. I only have my android phone with me.

A few months ago I tried creating RSA key pairs to use with Putty on my laptop and ConnectBot but for some reason I just could not crack it so gave up. I also used puttygen to create an RSA key but it would not work on ConnectBot

  • ElderWendigo@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    3
    ·
    11 months ago

    No, you’re missing the point and creating a false choice here. You’re supposed to generate new keys for each client device and load their various public keys into the authorized keys file in your server user’s home folder. Copying around your private key like that is just BAD security and not how public key authentication is designed to work. It’s not as if the only two options are your bad way or passwords.

    As an example, you copy your single private key to various devices and even carry (a probably un encrypted) copy around with you on a thumb drive, while I generate a fresh key set from each client that I use to connect. When your private key is compromised (when, NOT if), you must remove that public key from your server to lock out the bad actor, but that also completely locks you out. Unless you have physical password access to the machine at the moment its compromised, you’re also locked out. When one of my keys is compromised, I can just exclude that machine’s key from my authorized keys list on the server and continue accessing my machine remotely via any of the other uncompromised clients.

    • Nate@programming.dev
      link
      fedilink
      English
      arrow-up
      0
      arrow-down
      4
      ·
      11 months ago

      Again, I know it’s not amazing security but it’s not inherently bad. The key (actually encrypted), if (not when) compromised would provide the same level of access to my system as having two keys with one compromised. Assuming I’m an all knowing wizard and can smell when a key is compromised, I can log in remotely and replace the old key with a freshly generated one. More likely however is that if anybody was going to actually do something with my compromised key, they’d clear my authorized_keys file and replace it with a key I don’t have access to. Don’t kid yourself into thinking having multiple keys suddenly makes you 10x more secure.

      What’s more likely is someone finds my flashdrive on the ground, goes “oh boy free flashdrive full of Linux ISOs and recovery tools!” And proceeds to wipe it and use it for their own shit, while I regenerate a new key when I notice it missing.

      • ElderWendigo@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        11 months ago

        No, it is inherently bad to copy around private keys. You have some fundamental misunderstandings of how key authentication security works. RTFM.

        • Nate@programming.dev
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          3
          ·
          11 months ago

          It’s not “best practice”, but a compromised key is a compromised key whether that key is used to connect 1 or 100 computers to a server. No, I can’t shut off access to exactly one machine, I do not however have any difficulty in shutting off access to every machine and replacing it with a new key. Your system and my system are no different with a single compromised key.

          If I had 100 computers that I had to change identity files on each time it was compromised, and my keys were being compromised often, I would see a benefit from using multiple different keys.

          Quit acting like I’ve left the front door to my house open when the door is locked but my roommate and I share the same key.

          • ElderWendigo@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            1
            ·
            11 months ago

            None of what you’ve just said here is true. They don’t work like house keys. Your system and my system are VERY different because I’m not making copies of my private keys anywhere. They never leave the safe place I created them. I only ever transfer the public keys. I could post my public keys here and there would be no security compromise for me. You came here asking for help. I tried to help you. I’m sorry it wasn’t what you wanted to hear. Your attitude sucks.