I am currently running SSH on a Raspberry Pi which is always on. I do this so that, if I want, I can boot my desktop machine (with WoL) and access files, etc., when I'm elsewhere with my laptop and retrieve files and the like, I can also log in on my Blackberry, which is nice. That bit is all good -- I run SSH on a non-standard port to keep the script kiddies out of my log files and I use public key to, hopefully, further avoid the brute-forcers.
Where it falls down is twofold:
1) I currently allow password login on my desktop machine (NAT'd so SSH not exposed to the internet) even though I have a valid key on my laptop because I don't want to put my key on the Pi in case, for some reason, the pi becomes compromised. I know that with only SSH exposed to the internet (it has MPD and HTTP exposed internally) and using WPA2 with a fairly strong password that's not too much of a risk, but it still worries me a little. Would there be a way to use keys on my desktop but be more secure? Is that what the password option for SSH keys is for?
2) I cannot log into the Pi form unknown machines, however. I could, on Linux hosts, use my encrypted USB stick with a backup of my data to add the relevant key on a friend's machine (people I trust with my life) however if they're running Windows (or perhaps even MAC) then I can't access LUKS encrypted USB stick. I could, of course, carry my key unencrypted but that seems silly given that my backup is encrypted and, while it is a remote possibility that anyone stealing my wallet (where I keep my backup) is stored would work out what the key is and use it it still feels wrong.

So, does anybody have any comments or suggestions which could make things as little clearer and more logical for me?

Also, I have installed Fail2Ban but am beginning to doubt that it does anything in its default configuration -- ought I to look into changing it's configuration?

Pi runs Raspbian and desktop runs Sid. Laptop runs Windows 8.1 with puTTY and may dual boot with Sid also.

Yes, you should be protecting your ssh keys with a password/phrase. Also, if you use ssh-agent, you can ssh -a to your PI, and then ssh to your desktop by forwarding your ssh agent. Then, no key is needed on the PI.

1 members found this post helpful.

Thanks, I'll do some reading up on SSH-agent is sounds like it could be useful to me.

After reading your post I'm still very unclear on what you have setup or what your goal is...

It's looks like you want to know how to login to your rpi via ssh from various computers but don't want to do it with the key as it would require unlocking a usb drive?
Not sure what you mean by "put your key on the rpi"
There's not much risk of copying your public key to the rpi to permit easy access. Public keys are meant to be copied to servers so it knows how to encrypt the symmetric key that the session will use.

You can permit password access to your rpi, but understand the inherent security risks behind that. Make sure root login is disabled and the user permitted to login to the rpi has very limited permissions & test your fail2ban config by attempting multiple bad entries & seeing if it bans you. Of course, make it a strong password.

You can ensure only one user (such as bob) is permitted to connect from a external network by adding this in your rpi's /etc/ssh/sshd_config. I presume your lan starts with 192.168.1.

AllowUsers *@192.168.1.*,bob

See this post for more info on conditional statements

Sorry, I know I rambled.
Briefly, the issue with logging on with other machines is that if I'm using a windows machine I have no access to any private key so can't use the usual SSH method to lo on and would have to resort to password which seems far too insecure.
The issue with the RPi is that if I keep a key on that which allows access to my desktop then anybody who compromises the RPi gets to wake the desktop and do that they like to it under my standard user account -- which is not acceptable.

How much of a variety of computers are you accessing? Are we talking possibly any computer, or a small group?
Reason I am asking is if you document the ips you will be connecting from (ips of friends you trust your life would be a good start) you can use that to restrict password entry to just those computers.
you can do a search (or ask your friends to) like this https://duckduckgo.com/?t=lm&q=what+...ress&ia=answer
or in terminal -> curl myexternalip.com/raw
to get the external ip address

For example, if your friends computers are located at 423.36.214.6, 323.456.35.6, 732.646.88.32 and you want user 273 to login, you can put in this at the bottom of your sshd_config file (make sure to set the default PasswordAuthentication as no!) Everywhere else would require pub key only

Per the second issue, if you are worried your rpi could be compromised, set your ssh_config on your desktop to permit just password_auth.

1 members found this post helpful.

Thanks, I'd not thought of the IP restrictions. The friends are few but the locations and machines could be any OS anywhere in the world at least initially. We travel and we use computers which we don't own in hotels and the like.
I'm wondering now about a user account just for accessing media remotely...

I suggest creating a new user with no permissions to anything with a very strong password. Then give them the min amount to access the media, or write if you want but nothing else. Presume beforehand it is compromised, what would you be willing to let the account have access or write access too?

Do you need a interactive shell? If you're just accessing media, you could use the ftp procotol (sftp) or sshfs.
have a match statement would limit it in external connections only.

https://en.wikibooks.org/wiki/OpenSSH/Cookbook/SFTP

There is a alternative that occured to me.

Basically you are worried about two things:
Having just a password exposes you to cracking attempts (brute force or otherwise)
Having just a key pair exposes you to accidently permitting someone to get full access should you lose it. Plus, the media it's on is encrypted, so windows is out.

Try this:

Create a new ssh-keypair with rsa encryption, 4096 bit with 100 rounds (makes brute forcing the key more difficult)
Make sure to put in a strong password when it asks for it. This is not required but a smart thing to do
If you follow the command exactly, your keypair will be located at ~/ as outnabout_rsa (private key) and outnabout.pub (public)
Windows putty will not be able to open this file, however can convert it. When you have time get both keypairs. If windows putty cannot convert the key because it's encrypted, re-generate the key without the password and then convert the key.

Don't store this key on any encrypted medium windows cannot access, even if it doesn't have a password.

Now, let's setup your openssh server so that you can only access if you have both the key and password. But only from a external network and only permit your user to login

Append your public key to the servers ~/.authorized_keys (or use ssh-copy-id).
Now, even if someone knows your password, they cannot access unless they have your key. Same for vice versa, if they have your key but not your password it's still useless.
If you encrypt your key, it's even more useless

It's a bit overkill, so it only applies to external networks and your username.
Feel free to copy this private key to your own account of each of your friends (only this key!). But if you do this, there is one loose end we need to tie up.
We need to make sure that the private key can only be used from external networks. Technically, if your friends at some point go into your lan, they would have full access to your server.
Edit the ~/.authorized_keys file and go to your public key line. (If you just added it, it's at the bottom)
the line should start with ssh-rsaAAAAblahblah
Prepend it with the following which means, any network but anything starting with 192.168.1.
so it looks like this:
Now the key is only useable in a external network, where if used requires a password & key auth. However is useless in LAN. Since you created it only for this purpose, it's perfect.
Use your normal private key to do everything else.

1 members found this post helpful.

Thanks, I'll have a play with that also. It's nice to have options.

Another option would be a dongle like Yubikey to provide one-time passwords for that account. That would entail carrying something around but you would not have to worry about a key or password getting reused by keyloggers on the Windows machines.

Putty, along with its ssh-agent ("pageant" ... cute, huh?) ought to be able to do all of the things you need with regards to digital certificates. Including the handling of encrypted ones.