• 0 Posts
  • 8 Comments
Joined 1 year ago
Cake day: July 1st, 2023



  • It’s not “best practice”, but a compromised key is a compromised key whether that key is used to connect 1 or 100 computers to a server. No, I can’t shut off access to exactly one machine; I do not, however, have any difficulty in shutting off access to every machine and replacing it with a new key. Your system and my system are no different with a single compromised key.

    If I had 100 computers that I had to change identity files on each time it was compromised, and my keys were being compromised often, I would see a benefit from using multiple different keys.

    Quit acting like I’ve left the front door to my house open when the door is locked but my roommate and I share the same key.



  • Again, I know it’s not amazing security, but it’s not inherently bad. The key (actually encrypted), if (not when) compromised, would provide the same level of access to my system as having two keys with one compromised. Assuming I’m an all-knowing wizard and can smell when a key is compromised, I can log in remotely and replace the old key with a freshly generated one. More likely, however, is that if anybody was going to actually do something with my compromised key, they’d clear my authorized_keys file and replace it with a key I don’t have access to. Don’t kid yourself into thinking having multiple keys suddenly makes you 10x more secure.

    What’s more likely is someone finds my flash drive on the ground, goes “oh boy, free flash drive full of Linux ISOs and recovery tools!” and proceeds to wipe it and use it for their own shit, while I regenerate a new key when I notice it missing.
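The trade-off argued over in the two comments above (one key copied to every device versus one key per device) as an added example that is not part of the thread: a small POSIX shell helper that manages an authorized_keys file with one entry per device. Every key blob is a constructed placeholder, the function names are my own, and the parser assumes there are no spaces inside the options field. It shows the operational difference when one device's key is lost: with per-device keys the revocation is a single entry, while with a shared key the only handle is the blob itself, and removing it cuts off every device at once.

```shell
#!/bin/sh
# Added example, not from the thread: keep one entry per device in
# authorized_keys so a single lost key can be revoked on its own.
# Every key blob below is a CONSTRUCTED placeholder, not a real key.
# Assumption: no spaces inside the options field, so awk field
# splitting yields: [options] keytype blob comment.

# Number of key entries, ignoring comment and blank lines.
count_keys() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1" || true
}

# Print the comment field of each entry; with per-device keys that is
# the device tag (alice@phone), which is what you look for on loss.
list_devices() {
    awk '!/^#/ && NF >= 3 { print $NF }' "$1"
}

# Revoke exactly one device by its tag. Rewrites through a temp file so
# an interrupted run never leaves a half-written authorized_keys.
# Returns 1 if no entry matched.
revoke_device() {
    _before=$(count_keys "$1")
    awk -v tag="$2" '!( !/^#/ && NF >= 3 && $NF == tag )' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
    _after=$(count_keys "$1")
    [ "$_after" -lt "$_before" ]
}

# Revoke by key blob. With one key shared across devices this is the
# only handle available, and it removes every device at once.
revoke_blob() {
    awk -v blob="$2" '!( !/^#/ && NF >= 2 && ($(NF-1) == blob || $NF == blob) )' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# CONSTRUCTED sample: one key per device, one with a source restriction.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, blobs are placeholders
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDLAPTOP alice@laptop
from="192.0.2.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDPHONE alice@phone
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDDESKTOP alice@desktop
EOF
}

# CONSTRUCTED sample: the same key copied to every device.
make_shared_sample() {
    cat > "$1" <<'EOF'
# constructed sample, one blob shared by all devices
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDSHARED alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDSHARED alice@phone
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDSHARED alice@desktop
EOF
}

# Demo: the laptop's key is lost.
_tmp=$(mktemp -d)
make_sample "$_tmp/authorized_keys"
revoke_device "$_tmp/authorized_keys" alice@laptop
echo "per-device keys: $(count_keys "$_tmp/authorized_keys") device(s) still have access"
make_shared_sample "$_tmp/authorized_keys"
revoke_blob "$_tmp/authorized_keys" AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDSHARED
echo "shared key:      $(count_keys "$_tmp/authorized_keys") device(s) still have access"
rm -rf "$_tmp"
```

The comment field is free text in OpenSSH, so the device tag is purely a convention; what makes the per-device scheme work is that each blob is distinct, and the `from=` restriction on the phone entry is the kind of per-device limit a shared key cannot express.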


  • I use the same identity file for all of my computers. I don’t have password auth enabled on my server and it’s an extreme inconvenience when I’m on a new machine and have to dig out a different machine to get a copy of my new key to the server. Best practice? Probably not, but I’d rather that than having password auth enabled. I keep an encrypted copy of my id_rsa on my thumb drive so I’ve always got it when I need it.

    I had never personally heard of ConnectBot, but it says last updated in February of this year on Google Play. I don’t see a real reason to use it over Termux however.


  • Install termux [edit: grab from f-droid or their website, their play store version has been out of date for some time and repos likely won’t work on it] on your phone and run pkg install x11-repo followed by pkg install putty-tools, which should put a copy of puttygen on your phone. Open your file manager and “Termux” should appear like a USB drive (in Google Files it’s under “other storage” at the bottom of the home screen); copy your key file there and Termux will be able to access it. puttygen keyfile.ppk -O private-openssh -o id_rsa should let you convert to OpenSSH format and connect to trusted computers. You can also install OpenSSH in Termux to use it as an ssh client.

    It also looks like you can install putty in Termux as well, if that’s more convenient for you

    nvm, it needs an X11 server; you’re likely better off with the aforementioned method
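The conversion step described above, as an added example that is not code from the thread or from the PuTTY or Termux projects: a POSIX shell helper that detects whether a key file is a PuTTY .ppk or already OpenSSH format (including files with Windows CRLF line endings), runs the same puttygen conversion only when needed, and then sets the permissions ssh requires on the private key and its directory. The function names and the constructed sample file in the demo are assumptions; `puttygen`, its `-O private-openssh` output type from the comment, and `-O public-openssh` are real. For a passphrase-protected .ppk, puttygen prompts for the passphrase interactively.

```shell
#!/bin/sh
# Added example, not from the thread or from PuTTY/Termux: detect the key
# file format, convert .ppk to OpenSSH with puttygen only when needed, and
# fix the permissions ssh requires. Function names are assumptions; the
# puttygen flags are real (-O private-openssh is the one from the thread).

# Classify a private key file by its first line. CRs are stripped so a
# .ppk or key saved on Windows (CRLF) is still recognised.
key_format() {
    case "$(head -n 1 "$1" | tr -d '\r')" in
        PuTTY-User-Key-File-*)                 echo putty ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")  echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----") echo pem ;;
        *)                                     echo unknown ;;
    esac
}

# ssh refuses a private key that is group- or world-readable, and the
# containing directory (normally ~/.ssh) should be 700 as well.
harden_key_file() {
    chmod 700 "$(dirname "$1")" && chmod 600 "$1"
}

# Convert if necessary, install at DEST (e.g. ~/.ssh/id_rsa), then harden.
# Exit codes: 0 ok, 1 bad input or tool failure, 2 puttygen not installed.
convert_and_install() {
    _fmt=$(key_format "$1")
    case "$_fmt" in
        putty)
            command -v puttygen >/dev/null 2>&1 \
                || { echo "puttygen not found (Termux: pkg install putty-tools)" >&2; return 2; }
            puttygen "$1" -O private-openssh -o "$2" || return 1
            puttygen "$1" -O public-openssh -o "$2.pub" || return 1
            ;;
        openssh|pem)
            cp "$1" "$2" || return 1
            ;;
        *)
            echo "not a recognised private key: $1" >&2
            return 1
            ;;
    esac
    harden_key_file "$2"
}

# Demo with a CONSTRUCTED OpenSSH-format file (not a usable key) so it runs
# anywhere. Real use: convert_and_install keyfile.ppk "$HOME/.ssh/id_rsa"
_tmp=$(mktemp -d)
mkdir "$_tmp/ssh"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED' \
    '-----END OPENSSH PRIVATE KEY-----' > "$_tmp/key"
convert_and_install "$_tmp/key" "$_tmp/ssh/id_ed25519"
echo "format: $(key_format "$_tmp/ssh/id_ed25519"), mode: $(ls -l "$_tmp/ssh/id_ed25519" | cut -c1-10)"
rm -rf "$_tmp"
```

The permission step is the part most often skipped after a manual copy: a key dropped into ~/.ssh from a file manager typically arrives 644, and ssh then rejects it with an "UNPROTECTED PRIVATE KEY FILE" error rather than using it.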