Stop SSH promiscuity

When asked for public key authentication, an SSH client in its default configuration will try every key available to it. This means it will expose all the keys you might have to any server that asks. Here is how to fix it if you value your privacy.

Have a default deny and only allow keys to the servers you specify. Edit ~/.ssh/config and add the following to the end:

# IdentitiesOnly restricts ssh to the identity files configured for a host, to prevent it from trying every identity it can find
Host *
    PubkeyAuthentication no
    IdentitiesOnly yes

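Now, you will probably want this at the beginning of the file (ssh uses the first value it obtains for each option, so host-specific entries must come before Host *):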

# localhost, for local VMs and port-forwarded ssh
Host localhost
    PubkeyAuthentication yes

and then for each server that you care about:

Host server-root
    HostName server.com
    User root
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/id_rsa

To connect, simply use ssh server-root.

You could also omit HostName if it matches the Host entry, and use ssh hostname as usual.
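The ordering above matters because ssh keeps the first value it obtains for each option. The following is an added example, not part of the original post: a simplified Python model of that rule (Host patterns only, no Match or Include, single-valued options) run over the post's blocks in both orders. The names GOOD, BAD, effective and offers_keys and the host unknown.example are made up for illustration.

```python
import fnmatch

# Constructed sample: the post's blocks, specific hosts first and "Host *" last.
SPECIFIC = """\
Host localhost
    PubkeyAuthentication yes
Host server-root
    HostName server.com
    User root
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/id_rsa
"""
DEFAULT_DENY = """\
# default deny for every other host
Host *
    PubkeyAuthentication no
    IdentitiesOnly yes
"""
GOOD = SPECIFIC + DEFAULT_DENY   # order the post recommends
BAD = DEFAULT_DENY + SPECIFIC    # same blocks, "Host *" placed first

def effective(config, host):
    """Resolve options for host; the first value obtained for a keyword wins."""
    opts, active = {}, True  # lines before any Host block apply to all hosts
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            pats = value.split()
            hit = any(fnmatch.fnmatchcase(host, p) for p in pats if p[0] != "!")
            veto = any(fnmatch.fnmatchcase(host, p[1:]) for p in pats if p[0] == "!")
            active = hit and not veto
        elif active:
            opts.setdefault(key, value)  # later values for the same key are ignored
    return opts

def offers_keys(config, host):
    """True if public keys would be offered to host (OpenSSH default is yes)."""
    return effective(config, host).get("pubkeyauthentication", "yes") == "yes"

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        for host in ("server-root", "localhost", "unknown.example"):
            print(name, host, "offers keys:", offers_keys(cfg, host))
```

On a real machine, ssh -G server-root prints the options OpenSSH itself resolves for that host, which is the authoritative check.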

Tags: OpSec Privacy