Does Mackup still sync SSH keys by default? #1227

Closed
LandonSchropp opened this issue Sep 30, 2018 · 18 comments

Comments

@LandonSchropp
Contributor

Today I was using Mackup and I noticed this in the help documentation:

By default, Mackup syncs all application data (including private keys!) via Dropbox, but may be configured to exclude applications or use a different backend with a .mackup.cfg file.

I really like Mackup—it saves a ton of time when setting up a new computer. However, the idea of automatically syncing SSH keys by default really scares me. A few years ago I accidentally exposed an SSH key and someone used it to charge a few thousand dollars to AWS for my company. I'd really like to avoid doing anything like this again in the future.

In reading through #512 and #109, it looks like this behavior was turned off. However, the help documentation doesn't seem to indicate that. So which one is correct? I feel strongly that synching private keys by default is not obvious behavior, and it has the potential to have some serious consequences.

Also, will Mackup sync other types of sensitive information in the future? What scares me most about this is not necessarily what Mackup is syncing today, but what it might add in the future that I don't notice.

Thanks!

LandonSchropp changed the title from "Does Mackup Still Sync SSH Keys by Default?" to "Does Mackup still sync SSH keys by default?" on Sep 30, 2018
@lra
Owner

lra commented Sep 30, 2018

No private keys are copied by default, see https://github.com/lra/mackup/blob/master/mackup/applications/ssh.cfg but if you don't specify any application to sync in the config, mackup by default syncs every application config it finds.

Asking for a tool that's supposed to be a one-line install + launch to require text editing to do the most basic thing is counterproductive and defeats its purpose IMO.

You can always use --verbose and --dry-run to figure out what it plans to do.

I'm open to better solutions, but so far, it's a conflict between users who want nothing done by default and lots of warnings vs others.

@LandonSchropp
Contributor Author

Thanks for taking the time to read this issue and the quick response!

No private keys are copied by default, see https://github.com/lra/mackup/blob/master/mackup/applications/ssh.cfg but if you don't specify any application to sync in the config, mackup by default syncs every application config it finds.

I think my understanding of the default behavior might be a little different. To me, default is what happens when you don't specify any config. I'm on board with the balance of wanting nothing done and wanting everything copied by default.

I think I fall into the camp of wanting everything done by default (as in no configuration file) except the operations that could potentially cause security issues. I think it's reasonable to have to opt into those.

  • If the default is to exclude apps with sensitive keys, and somebody doesn't realize their keys aren't synced, then nothing bad happens. They can always add those apps later without any negative consequences.
  • If the default is to include apps with sensitive keys, and somebody doesn't realize their keys are synced, then they could be exposing sensitive information by accident. They can remove those apps in the config, but they can't necessarily take back the consequences of exposing SSH keys.

@lra
Owner

lra commented Oct 1, 2018

But the ssh config does not sync any key by default: https://github.com/lra/mackup/blob/master/mackup/applications/ssh.cfg

Are you talking about something else?

@LandonSchropp
Contributor Author

I think I might be misunderstanding. I was responding to this line of your reply:

if you don't specify any application to sync in the config, mackup by default syncs every application config it finds.

Does "every application" include SSH? Or are you saying that every application except the excluded ones?

@lra
Owner

lra commented Oct 2, 2018

Yes, it includes SSH but only the files referenced in the SSH config: https://github.com/lra/mackup/blob/master/mackup/applications/ssh.cfg

No private key is synced.

@LandonSchropp
Contributor Author

LandonSchropp commented Oct 4, 2018

Okay, I think I understand. So can this line be removed from the help documentation?

By default, Mackup syncs all application data (including private keys!) via Dropbox, but may be configured to exclude applications or use a different backend with a .mackup.cfg file.

Specifically the "including private keys" part.

@lra
Owner

lra commented Oct 4, 2018

Yes, you are right, it's outdated. Want to PR or want me to remove it?

@LandonSchropp
Contributor Author

I'm happy to tackle this. It's the least I can do. I'll try to wrap it up this weekend.

@lra
Owner

lra commented Oct 4, 2018

please do ;)

@spuder

spuder commented Oct 29, 2018

I've been using mackup for years and I find that my private keys are backed up. I can find no record of where I would have manually configured that to be different than the default.

I have concerns about changing the default behavior. Programs should follow the principle of "least surprise". If 10 users install this program, what percentage of them would assume mackup backs up private keys by default (opt out)? What percentage would assume it doesn't back them up by default (opt in)?

I would argue 90% of people would assume a backup utility would back up things that are important by default. Furthermore, not backing them up is dangerous since the average user wouldn't notice until they go to restore, when it is too late.

@lra lra closed this as completed in #1244 Oct 29, 2018
lra pushed a commit that referenced this issue Oct 29, 2018
@abiusx

abiusx commented Feb 25, 2021

With this now included, how can I include private keys? I have a ton of them and don't wanna manually sync on all boxes.

@joshmedeski
Contributor

@abiusx you can follow the instructions for syncing whatever files you want.

@abiusx

abiusx commented Feb 25, 2021

I tried that, it didn't work. Apparently because there's already a .ssh config and files copied over.

@joshmedeski
Contributor

joshmedeski commented Feb 25, 2021

Correct, you can overwrite the existing mackup config file by giving it the same application name:

Create an ssh config file in your Mackup folder (ex: ~/Dropbox/mackup/.mackup/ssh.cfg):

[application]
# Naming this "SSH" will overwrite the default configuration
name = SSH

[configuration_files]
.ssh/config
.ssh/authorized_keys
# Add what you want to sync below
.ssh/id_rsa
# Add your keys below
.ssh/id_rsa.pub

Can you clarify "because there's already a .ssh config and files copied over"?

You can manually remove the symbolic links mackup creates and rerun mackup restore. It should recognize your custom SSH config.

@abiusx

abiusx commented Feb 25, 2021

I did all of that. First, I don't wanna list all my 50 private keys in the config file (plus ones that will be added later).
Second, I had to modify the applications/ssh.cfg file directly, which is in a weird location when installing with homebrew.
Third, the new backup (using the directory instead of individual files) destroyed my .ssh/config file because it wasn't in the ~/.ssh folder, so I had to restore it from Dropbox web history!

I think just synching ~/.ssh/config file is not very useful for any setup. I pretty much had to do everything Mackup does manually for synching SSH keys and config.

@joshmedeski
Contributor

@abiusx yeah, that's a lot of keys! I wouldn't want to do that either.

Just change my steps above with this:

[application]
name = SSH

[configuration_files]
.ssh

This will sync the .ssh directory instead of the individual files inside.

Hope it helps.
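
An added example, not part of the thread and not Mackup's own code: a small audit of an application .cfg override like the two posted above, flagging entries that would place SSH private keys in the synced folder. The key-name patterns, the function name and the use of Python's configparser with allow_no_value are assumptions made for this sketch.

```python
import configparser
import fnmatch
import posixpath

# Constructed samples mirroring the two overrides posted in this thread.
PER_FILE_CFG = """\
[application]
name = SSH

[configuration_files]
.ssh/config
.ssh/authorized_keys
.ssh/id_rsa
.ssh/id_rsa.pub
"""
WHOLE_DIR_CFG = """\
[application]
name = SSH

[configuration_files]
.ssh
"""

# Assumed heuristics: common private-key file names (not a Mackup list).
PRIVATE_KEY_GLOBS = ("id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "*.pem", "*.key")
KEY_DIRS = (".ssh",)


def audit_app_cfg(text):
    """Return [(entry, reason)] for entries that would sync private keys."""
    parser = configparser.ConfigParser(allow_no_value=True)
    parser.optionxform = str  # keep paths case-sensitive
    parser.read_string(text)
    if not parser.has_section("configuration_files"):
        return []
    findings = []
    for entry in parser.options("configuration_files"):
        path = posixpath.normpath(entry.strip())
        name = posixpath.basename(path)
        if path in KEY_DIRS:
            findings.append((entry, "whole directory, private keys included"))
        elif any(fnmatch.fnmatchcase(name, g) for g in PRIVATE_KEY_GLOBS):
            findings.append((entry, "private key file"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("per-file", PER_FILE_CFG), ("whole-dir", WHOLE_DIR_CFG)):
        for entry, reason in audit_app_cfg(cfg):
            print(f"{label}: {entry}: {reason}")
```

Running it against a custom override before `mackup backup`, alongside `--dry-run`, shows which entries put key material into the cloud-synced folder.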

@abiusx

abiusx commented Feb 25, 2021

If you have already run mackup backup this will fail with errors. You need to restore (but how can you restore only 1 thing?) and then backup again. Or manually restore and backup again.
Figuring and doing all of that was definitely more work than just manually synching.

@joshmedeski
Contributor

The ability to backup or restore one app at a time hasn't been built (but suggested before). If you have any suggestions please share them with us.

I plan to write a guide on mackup this year, I'll keep this edge-case in mind to help future users :)
