I’m sorry to be pedantic, but that’s not exactly true. I agree in the sense that extracting hw based keys is next to impossible, but if your machine is compromised, there isn’t much stopping malware from using your hw based key (assuming 1. it's left plugged in, 2. it's unlocked with either ssh-agent or gpg-agent, and 3. you don’t have touch to auth turned on). Reduced risk? Absolutely. No risk? Absolutely not.
Never apologize for pedantry here
Sure. They can use my key while my machine is compromised, but even then I won't _need_ to rotate it after the compromise is cleared.
It still would be a good idea just to make sure that it's easier to analyze logs, but it's not strictly needed.
And if you want to be even more pedantic, shell access with a touch-based key just means the attacker has to wait for you to auth, which makes touch-based systems largely a waste of effort on the defender's part.
> there isn’t much stopping malware from using your hw based key
Except the three pretty major things that do stop malware that you mentioned ;)
Perhaps especially "3. You don’t have touch to auth turned on".