HPE Community
Operating System - HP-UX
1834465 Members
3354 Online
110067 Solutions
New Discussion

ssh key maintenance advice

 
SOLVED
Go to solution
TwoProc
Honored Contributor

‎08-02-2010 06:12 AM

‎08-02-2010 06:12 AM

ssh key maintenance advice

Hey all,

I'm looking for a better way than every 30 days generating new keys, splatting them all over the place by hand following a list of which users get which keys from other users on other hosts, etc.

So, I'm wondering, who has a better way? How about Radius server for ssh key exchange? Is that what it's for? Can someone point me to a document that gives a nice high and mid-level overview layout of what the strategies could be?

I've got to believe that there's a better way. I know I can get ssh to serve a users' public keys, but what about all keys for everyone and some receivership rules?

Suggestions & ideas on how my esteemed colleagues handle this best would be sincerely appreciated.

Many thanks!
We are the people our parents warned us about --Jimmy Buffett
0 Kudos
Reply
8 REPLIES 8
Steven Schweda
Honored Contributor

‎08-02-2010 07:11 AM

‎08-02-2010 07:11 AM

Re: ssh key maintenance advice

Why are you generating new keys every 30
days? Do the old ones get rusty or
something?
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎08-02-2010 08:16 AM

‎08-02-2010 08:16 AM

Re: ssh key maintenance advice

Shalom,

These keys are good and can stay secure for years.

If you have a master ssh server with its root key distributed to all other systems as authorized_user entry, that server can take care of maintenance issues.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Andre Cornelissen
Advisor

‎08-03-2010 12:17 AM

‎08-03-2010 12:17 AM

Re: ssh key maintenance advice

If you are generating keys because of password aging you might want to disable password interactive login all together and remove the password expiration too.
http://www.linuxquestions.org/questions/linux-security-4/how-to-deny-password-login-in-the-ssh-please-199730/

Regards,
Andre
0 Kudos
Reply
Don Mallory
Trusted Contributor

‎08-04-2010 05:24 AM

‎08-04-2010 05:24 AM

Re: ssh key maintenance advice

Aside from someone breaking the algorithm used in creating the keys, there should be no reason to ever regenerate them other than a host replacement.

The example I can use would be the failure of using an appropriate level of randomness in generating the key pairs. This occurred about a year ago with respect to most SSH implementations.

If you are protecting your key pairs properly this should never be a problem.

If you are extremely paranoid, you could replace all key pairs at the time of departure of a highly trusted staff member. Otherwise, you are actually introducing risk.

The intent of those keys, and especially the known_hosts lists is that you should always know your hosts. If you for some reason do not know the other hosts, it is clearly an unexpected state, whether accidental (keys changed, forgot to update host list), or malicious. Either way, you would want to investigate.

That said, it's an interesting idea that you suggest to manage ssh key pairs in the same manner as you might manage a certificate authority for SSL keys through some sort of Public Key Infrastructure implementation.

Perhaps you have the makings of a new product...

Best regards,
Don
0 Kudos
Reply
TwoProc
Honored Contributor

‎08-04-2010 08:56 AM

‎08-04-2010 08:56 AM

Re: ssh key maintenance advice

Thanks for the advice guys. But, PCI requirements, etc - expect keys replaced every 30 days. Did they explicity say THESE keys? No, but our consultant says THESE keys - so, I'm very happy to hear that it's uncommon to change these out, meaning the consultant is off his rocker. Thanks you guys!
We are the people our parents warned us about --Jimmy Buffett
0 Kudos
Reply
Steven Schweda
Honored Contributor

‎08-04-2010 09:30 AM

‎08-04-2010 09:30 AM

Re: ssh key maintenance advice

> [...] PCI requirements, etc - expect keys
> replaced every 30 days. [...]

PCI? Peripheral Component Interconnect?
Who???

> [...] our consultant says [...]

Did you ask why? Did you get a reasonable
answer? (Did you pay too much for the
consultation?)
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎08-04-2010 05:42 PM

‎08-04-2010 05:42 PM

Solution

Re: ssh key maintenance advice

Payment Card Industry -- a very common term in the banking industry. Wikipedia offers a good overview:

http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

And yes, like most emerging standards (especially banking), they take a decade to get going so "replacement keys" probably meant the desk and file cabinet keys. For a large enterprise where managing a lot of servers is a big task, the ability to transfer files and remotely manage them using ssh makes key replacement a very high risk procedure. It would take a lot of planning to prevent multi-server downtime for virtually no increase in security levels.

It can probably be scripted and scheduled but untangling servers that stopped completing their tasks because of a glitch in key distribution is going to be a highly visible event with lots of explaining to do.

I agree with Steven: Ask why. No procedural changes should ever be allowed without justification with industry standards. And eve then, upper management can issue a statement to cover exceptions to the findings.


Bill Hassell, sysadmin
Reply
TwoProc
Honored Contributor

‎08-06-2010 09:12 AM

‎08-06-2010 09:12 AM

Re: ssh key maintenance advice

thanks Bill for advice and input. Thanks Steve for responding.
We are the people our parents warned us about --Jimmy Buffett
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.