https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669132#M731452 Hey all,<BR /><BR />I'm looking for a better way than every 30 days generating new keys, splatting them all over the place by hand following a list of which users get which keys from other users on other hosts, etc. <BR /><BR />So, I'm wondering, who has a better way? How about Radius server for ssh key exchange? Is that what it's for? Can someone point me to a document that gives a nice high and mid-level overview layout of what the strategies could be?<BR /><BR />I've got to believe that there's a better way. I know I can get ssh to serve a users' public keys, but what about all keys for everyone and some receivership rules? <BR /><BR />Suggestions &amp; ideas on how my esteemed colleagues handle this best would be sincerely appreciated.<BR /><BR />Many thanks! Mon, 02 Aug 2010 13:12:47 GMT TwoProc 2010-08-02T13:12:47Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669132#M731452 Hey all,<BR /><BR />I'm looking for a better way than every 30 days generating new keys, splatting them all over the place by hand following a list of which users get which keys from other users on other hosts, etc. <BR /><BR />So, I'm wondering, who has a better way? How about Radius server for ssh key exchange? Is that what it's for? Can someone point me to a document that gives a nice high and mid-level overview layout of what the strategies could be?<BR /><BR />I've got to believe that there's a better way. I know I can get ssh to serve a users' public keys, but what about all keys for everyone and some receivership rules? <BR /><BR />Suggestions &amp; ideas on how my esteemed colleagues handle this best would be sincerely appreciated.<BR /><BR />Many thanks! Mon, 02 Aug 2010 13:12:47 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669132#M731452 TwoProc 2010-08-02T13:12:47Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669133#M731453 <!--!*#-->Why are you generating new keys every 30<BR />days? Do the old ones get rusty or<BR />something? Mon, 02 Aug 2010 14:11:27 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669133#M731453 Steven Schweda 2010-08-02T14:11:27Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669134#M731454 Shalom,<BR /><BR />These keys are good and can stay secure for years.<BR /><BR />If you have a master ssh server with its root key distributed to all other systems as authorized_user entry, that server can take care of maintenance issues.<BR /><BR />SEP Mon, 02 Aug 2010 15:16:14 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669134#M731454 Steven E. Protter 2010-08-02T15:16:14Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669135#M731455 If you are generating keys because of password aging you might want to disable password interactive login all together and remove the password expiration too.<BR /><A href="http://www.linuxquestions.org/questions/linux-security-4/how-to-deny-password-login-in-the-ssh-please-199730/" target="_blank">http://www.linuxquestions.org/questions/linux-security-4/how-to-deny-password-login-in-the-ssh-please-199730/</A><BR /><BR />Regards,<BR /> Andre Tue, 03 Aug 2010 07:17:14 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669135#M731455 Andre Cornelissen 2010-08-03T07:17:14Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669136#M731456 Aside from someone breaking the algorithm used in creating the keys, there should be no reason to ever regenerate them other than a host replacement.<BR /><BR />The example I can use would be the failure of using an appropriate level of randomness in generating the key pairs. This occurred about a year ago with respect to most SSH implementations.<BR /><BR />If you are protecting your key pairs properly this should never be a problem.<BR /><BR />If you are extremely paranoid, you could replace all key pairs at the time of departure of a highly trusted staff member. Otherwise, you are actually introducing risk.<BR /><BR />The intent of those keys, and especially the known_hosts lists is that you should always know your hosts. If you for some reason do not know the other hosts, it is clearly an unexpected state, whether accidental (keys changed, forgot to update host list), or malicious. Either way, you would want to investigate.<BR /><BR />That said, it's an interesting idea that you suggest to manage ssh key pairs in the same manner as you might manage a certificate authority for SSL keys through some sort of Public Key Infrastructure implementation.<BR /><BR />Perhaps you have the makings of a new product...<BR /><BR />Best regards,<BR />Don Wed, 04 Aug 2010 12:24:59 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669136#M731456 Don Mallory 2010-08-04T12:24:59Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669137#M731457 Thanks for the advice guys. But, PCI requirements, etc - expect keys replaced every 30 days. Did they explicity say THESE keys? No, but our consultant says THESE keys - so, I'm very happy to hear that it's uncommon to change these out, meaning the consultant is off his rocker. Thanks you guys! Wed, 04 Aug 2010 15:56:37 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669137#M731457 TwoProc 2010-08-04T15:56:37Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669138#M731458 <!--!*#-->&gt; [...] PCI requirements, etc - expect keys<BR />&gt; replaced every 30 days. [...]<BR /><BR />PCI? Peripheral Component Interconnect?<BR />Who???<BR /><BR />&gt; [...] our consultant says [...]<BR /><BR />Did you ask why? Did you get a reasonable<BR />answer? (Did you pay too much for the<BR />consultation?) Wed, 04 Aug 2010 16:30:29 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669138#M731458 Steven Schweda 2010-08-04T16:30:29Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669139#M731459 Payment Card Industry -- a very common term in the banking industry. Wikipedia offers a good overview:<BR /> <BR /><A href="http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard" target="_blank">http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard</A><BR /> <BR />And yes, like most emerging standards (especially banking), they take a decade to get going so "replacement keys" probably meant the desk and file cabinet keys. For a large enterprise where managing a lot of servers is a big task, the ability to transfer files and remotely manage them using ssh makes key replacement a very high risk procedure. It would take a lot of planning to prevent multi-server downtime for virtually no increase in security levels.<BR /> <BR />It can probably be scripted and scheduled but untangling servers that stopped completing their tasks because of a glitch in key distribution is going to be a highly visible event with lots of explaining to do.<BR /> <BR />I agree with Steven: Ask why. No procedural changes should ever be allowed without justification with industry standards. And eve then, upper management can issue a statement to cover exceptions to the findings. Thu, 05 Aug 2010 00:42:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669139#M731459 Bill Hassell 2010-08-05T00:42:05Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669140#M731460 thanks Bill for advice and input. Thanks Steve for responding. Fri, 06 Aug 2010 16:12:17 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-key-maintenance-advice/m-p/4669140#M731460 TwoProc 2010-08-06T16:12:17Z