ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Managing SSH Keys

    Scheduled Pinned Locked Moved IT Discussion
    39 Posts 4 Posters 6.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DashrenderD
      Dashrender @scottalanmiller
      last edited by

      @scottalanmiller said:

      @anonymous said:

      @scottalanmiller said:

      You do not make a root key, except in extreme cases you want to avoid that.

      For the root account I was going to make the password super long, and make root only available via console access. Anything else I should consider?

      Is this for YOU or for a company? If this is for you, that's perfectly fine.

      WWNTGD? We use an officer + breakglass system. This is approved and in the process of being implemented. We have super hard passwords like you mention. They go ON PAPER to two people - COO and the retired CFO. If someone needs access to the root passwords they have to go to one of those two people and "break the glass", literally ripping open paper so that the "seal" is broken. Once this happens, everyone is aware that the glass was broken, the root account is officially compromised and once the emergency is over the password is reset by either Art or myself, the passwords put into envelopes, sealed and handed over to the accountable parties.

      It's a fairly standard system for high security passwords that are only needed in extreme emergencies. Easy to get, but obvious that they have to be immediately reset.

      LOL - I do the same thing for the domain Administrator account - the envelope lives in Safety Deposit Box down the street.

      A 1 Reply Last reply Reply Quote 1
      • A
        Alex Sage @scottalanmiller
        last edited by

        @scottalanmiller I guess you assume that they both will not have a house fire at the same time 😄

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • A
          Alex Sage @Dashrender
          last edited by

          @Dashrender said:

          LOL - I do the same thing for the domain Administrator account - the envelope lives in Safety Deposit Box down the street.

          Down the street? What happens in the case of natural disaster?

          DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
          • DashrenderD
            Dashrender @Alex Sage
            last edited by

            @anonymous said:

            @Dashrender said:

            LOL - I do the same thing for the domain Administrator account - the envelope lives in Safety Deposit Box down the street.

            Down the street? What happens in the case of natural disaster?

            Luckily if we lost our domain there would be little if anything lost other than time. Our main application is cloud based and on someone else's shoulder. If we have a natural disaster, having access to that password is the least of our concerns and probably means all of our infrastructure is gone - I'd be rebuilding everything. Frankly, at that point I'd be happy to be able to rebuild the whole thing from the ground up - might even ditch Windows domain controllers and move to Linux ones.

            1 Reply Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller @Alex Sage
              last edited by

              @anonymous said:

              @scottalanmiller I guess you assume that they both will not have a house fire at the same time 😄

              Let's hope not! Not just that, that they don't both have one at the same time AND that we don't lose our normal admin access at the same time. It's not two things but three that would have to happen at once.

              1 Reply Last reply Reply Quote 1
              • scottalanmillerS
                scottalanmiller @Alex Sage
                last edited by

                @anonymous said:

                @Dashrender said:

                LOL - I do the same thing for the domain Administrator account - the envelope lives in Safety Deposit Box down the street.

                Down the street? What happens in the case of natural disaster?

                Things that cause loss of keys or accounts and things that cause loss of data are almost never related. Can be, of course, but there is almost no chance of that.

                1 Reply Last reply Reply Quote 1
                • A
                  Alex Sage
                  last edited by

                  How often should I change my SSH keys? Only when I think they are exposed, or every X years?

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @Alex Sage
                    last edited by

                    @anonymous said:

                    How often should I change my SSH keys? Only when I think they are exposed, or every X years?

                    Every few years is fine. I know huge shops that never, ever change them. Just be sure to use really long ones, like 4096 bits.

                    1 Reply Last reply Reply Quote 1
                    • stacksofplatesS
                      stacksofplates @scottalanmiller
                      last edited by

                      @scottalanmiller said:

                      Real world example of how NTG does this which I hope illustrates how to do this effectively for a "Key Managed Environment."

                      We have a "user deployment script" that we run on new CentOS boxes. The script has a list of users and their user IDs from the jump box (this does not have to be done but it makes user management so much better) and the script creates all of the users, creates their home directories, sets directory permissions, sets up default groups and finally copies the users' public keys into their .ssh directories. The public keys are hard coded into the script, it just "echos" them out to the file. That's all. Super simple and no matter how many servers we deploy, just one script with all of the public keys already in it. They don't change.

                      Did you manually write the users, uid's, and gid's in or does it pull them from /etc/passwd?

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller
                        last edited by

                        I manually wrote the script, it does not pull from anywhere. We use the script as the master, not one of the servers. Sounds "manual" but the other option is to just move the manual process somewhere else.

                        We match user IDs to, of all things, PBX extensions. Odd, but it works.

                        stacksofplatesS 1 Reply Last reply Reply Quote 1
                        • stacksofplatesS
                          stacksofplates @scottalanmiller
                          last edited by

                          @scottalanmiller said:

                          I manually wrote the script, it does not pull from anywhere. We use the script as the master, not one of the servers. Sounds "manual" but the other option is to just move the manual process somewhere else.

                          We match user IDs to, of all things, PBX extensions. Odd, but it works.

                          I was just curious since you said "from the jump box."

                          I might end up doing this, it sounds fairly simple. What about the root password when you create a new server? How do you add that if it's in the envelope?

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • stacksofplatesS
                            stacksofplates
                            last edited by

                            Oh wait, I reread it. So you have an envelope for each server?

                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @stacksofplates
                              last edited by

                              @johnhooks said:

                              I might end up doing this, it sounds fairly simple. What about the root password when you create a new server? How do you add that if it's in the envelope?

                              Lots of choices there. You could have the password memorized by a trusted party who makes it. I've worked places where the envelope was digital and handled automatically. Or you can have an envelope for each machine, of course. Or do it by groups. There is no super simple answer. A single, shared root password for an SMB is generally best. Something that you can automate or semi-automate for builds and then store somewhere. Whoever types it in has to be assumed that they have memorized it even if it seems unlikely. So unless you have it fully automated and hidden from all humans, someone "knows" the password.

                              1 Reply Last reply Reply Quote -1
                              • scottalanmillerS
                                scottalanmiller @stacksofplates
                                last edited by

                                @johnhooks said:

                                Oh wait, I reread it. So you have an envelope for each server?

                                For us it will be groups because we have groups that make sense to share and some that don't. So a hybrid approach.

                                1 Reply Last reply Reply Quote 1
                                • scottalanmillerS
                                  scottalanmiller
                                  last edited by

                                  Just adding this note as it was asked about breakglass passwords... one of the things that we are doing to make breakglass passwords easier to manage is setting them in a system template so that every system created with that template gets the same secret root password and no need for the person creating the new system to know the password!

                                  1 Reply Last reply Reply Quote 2
                                  • 1
                                  • 2
                                  • 1 / 2
                                  • First post
                                    Last post