It is good practice to create a backup copy of wallet files and to have a second SSH public key handy; however,
keeping these backup files encrypted is a must for good security. Start by generating a passphrase:
Generating Strong Passphrase
STRONGPASSPF=$(openssl rand -base64 24)
STRONGPASSPF=${STRONGPASSPF//\//0} # Replace '/' characters with '0'
STRONGPASSPF=${STRONGPASSPF//+/1} # Replace '+' characters with '1'
STRONGPASSPF=${STRONGPASSPF//=/} # Replace '=' characters with ''
STRONGPASSPF=${STRONGPASSPF//O/0} # Replace 'O' (o) characters with '0'
STRONGPASSPF=${STRONGPASSPF//l/1} # Replace 'l' (L) characters with '1'
echo "$STRONGPASSPF" | sudo tee /root/passphrase
STRONGPASSPF="" # Erase from memory
sudo chmod 400 /root/passphrase
Record (by Hand) the Passphrase (store in a safe place)
sudo cat /root/passphrase
Verify Hand Written Passphrase
# Type in the passphrase in substitution of $TYPED_HANDWRITTENPASSPHRASE (keep the quotes)
sed -i '/# SSH Fail Safe/d' ~/.ssh/authorized_keys # Delete preexisting "Fail Safe Key" if it exists
cat ~/.ssh/ssh_key_failsafe.pub | sudo tee -a ~/.ssh/authorized_keys # Add "Fail Safe Key" to list of authorized keys
sudo cat ~/.ssh/authorized_keys # Verify fail safe key was successfully added to authorized_keys file
Verify Passphrase is Enforced
echo "passphrase:" $(sudo cat /root/passphrase) # Verify a strong passphrase is being referenced
ssh-keygen -y -P "$(sudo cat /root/passphrase)" -f ~/.ssh/ssh_key_failsafe # If output matches pub key, referenced passphrase is in use!
Note: For this SSH Fail Safe to be of any use, the private key needs to exist outside this node (i.e. backed up).
It is used to log in when other remote login methods have failed (e.g. you lose your YubiKey).
Last edited by mqpickens on Wed May 17, 2023 4:10 am, edited 9 times in total.
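
One way to check the hand-written copy against /root/passphrase without the passphrase landing in shell history or the process list, as an added example that is not part of the original post. The function names are hypothetical; the character rules are the substitutions from the generation step, rewritten with tr so they run in any POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original post. POSIX sh; function names are hypothetical.

# The post's substitutions ('/'->0, '+'->1, 'O'->0, 'l'->1, drop '='), done
# with tr so they do not rely on bash's ${var//a/b} expansion.
normalize_passphrase() {
    tr '/+Ol' '0101' | tr -d '=\n'
}

# Compare one typed line (stdin) with the stored passphrase file.
# Returns 0 = match, 1 = mismatch, 2 = cannot read file,
#         3 = typed text has a character the generator never emits.
check_typed_passphrase() {
    stored_file=$1
    saved_tty=
    if [ -t 0 ]; then                 # interactive: prompt without echo
        saved_tty=$(stty -g)
        printf 'Hand-written passphrase: ' >&2
        stty -echo
    fi
    IFS= read -r typed || true        # keep input even without a final newline
    if [ -n "$saved_tty" ]; then
        stty "$saved_tty"             # restore the terminal settings
        printf '\n' >&2
    fi
    stored=$(cat "$stored_file" 2>/dev/null) || return 2
    case $typed in
        *[Ol/+=]*)
            echo "transcription error: O, l, /, + and = never occur; check 0 and 1" >&2
            return 3 ;;
    esac
    if [ "$typed" = "$stored" ]; then
        echo "match" >&2
        return 0
    fi
    echo "mismatch (lengths: typed ${#typed}, stored ${#stored})" >&2
    return 1
}
```

Source the file in a root shell (for example one started with `sudo -s`) so the function can read /root/passphrase, then run `check_typed_passphrase /root/passphrase`.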