[LINK] Poorly Managed SSH Keys

Karl Auer kauer at biplane.com.au
Mon Feb 24 15:11:53 AEDT 2014


On Mon, 2014-02-24 at 03:18 +0000, Stephen Loosley wrote:
> However, I guess it doesn't necessarily mean it's not truly reflected
> in the wild. In my limited experience of this area this does ring
> true. So, could you Scott, or any Linker guesstimate SSH key security
> with respect to company management?

ssh security is technically excellent. If it fails, it fails through
mismanagement and human error, like any other security element. In the
following list, everything is about using the mechanism correctly - not
about the mechanism itself.

Important:
- use lots of bits in your keys
- protect every ssh key with a passphrase[1]
  (unattended command access is the exception)
- use long, strong passphrases
- use long, strong passwords
- turn off remote password logins - require publickey
- don't allow root logins at all

Fairly important:
- don't allow direct logins from the Internet
- use separate, limited accounts for command access
  (especially for keys without passphrases!)
- log everything

Less important:
- change ssh keys at random, moderately frequent intervals
- change passphrases at random, moderately frequent intervals
- limit the number of failed attempts


In my experience, the commonest problem with ssh usage is people who
don't use passphrases, use the same passphrase for everything, or use
weak passwords and passphrases. This is not unique to ssh, of course,
and is endemic amongst people who damn well should know better.

Regards, K.

[1] for those not familiar with ssh, a passphrase is a "key's key". It's
a human-usable key that protects the actual key. When you go to use a
passphrase-protected ssh key, you are prompted for the passphrase. ssh
can't use the key without the right passphrase being provided (not won't
- *can't*). The idea is that if someone does steal a key, they won't be
able to use it.
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A




