| 1 |
On 7/17/22 11:24 PM, J. Roeleveld wrote: |
| 2 |
> If I have 1 desktop and 1 laptop, that means 2 client machines. |
| 3 |
> Add 5 servers/vms. |
| 4 |
|
| 5 |
/Clients/ need (non-host) key pairs. Servers shouldn't need non-host |
| 6 |
key pairs. Servers should only need the clients' public keys on them. |
| 7 |
|
| 8 |
> That means 10 ssh-keys per person to manage and keep track off. |
| 9 |
|
| 10 |
If you're using per-host-per-client key pairs, sure. If you're only |
| 11 |
using per-client key pairs and copying the public key to the server, no. |
| 12 |
|
| 13 |
> When a laptop gets replaced, I need to ensure the keys get removed |
| 14 |
> from the authorized_keys section. |
| 15 |
|
| 16 |
If the new key pair would be using the same algorithm and bit length and |
| 17 |
there is no reason to suspect compromise, then I see no reason to |
| 18 |
replace the key pair. I'd just copy the key pair from the old client to |
| 19 |
the new client and destroy it on the old client. This is especially |
| 20 |
true if the authorized_keys file has a from stanza on the public key. |
| 21 |
|
| 22 |
> Same goes for when the ssh-keys need refreshing. Which, due to the |
| 23 |
> amount, I never got round to. |
| 24 |
|
| 25 |
I've not run into any situation where policy mandates that a key pair be |
| 26 |
replaced unless when there isn't any reason to suspect it's compromise. |
| 27 |
|
| 28 |
> I actually have more then the amount mentioned above, the amount of |
| 29 |
> ssh-keys gets too much to manage without an automated tool to keep |
| 30 |
> track of them and automate the changing of the keys. I never got the |
| 31 |
> time to create that tool and never found anything that would make |
| 32 |
> it easier. |
| 33 |
|
| 34 |
As I think about it, I'd probably leverage the comment stanza of the |
| 35 |
public key so that I could do an in place delete with sed and then |
| 36 |
append the new public key. E.g. have a comment that consists of the |
| 37 |
client's host name, some delimiter, and the date. That way it would be |
| 38 |
easy to remove any and all keys for the client in the future. |
| 39 |
|
| 40 |
> When hosts can get added and removed regularly for testing purposes, |
| 41 |
> this requires a management tool. |
| 42 |
|
| 43 |
It depends on how you configure things. |
| 44 |
|
| 45 |
It seems as if it's possible to use the "%h" parameter when specifying |
| 46 |
the IdentityFile. So you could have a wild card stanza that would look |
| 47 |
for a file based on the host name. |
| 48 |
|
| 49 |
> You could put "root" without a valid password, making it impossible to |
| 50 |
> "su -" into and add a 2nd uid/gid 0 account with a valid password. I |
| 51 |
> know of 1 organisation where they had a 2nd root account added which |
| 52 |
> could be used by the orgs sys-admins for emergency access. (These |
| 53 |
> were student owned servers directly connected to the internet) |
| 54 |
|
| 55 |
I absolutely hate the idea of having multiple accounts using the same |
| 56 |
UID. I'd be far more likely to have a per host account with UID=0 / |
| 57 |
GID=0 and have the root account have a different UID / GID. |
| 58 |
|
| 59 |
I'll need to try this at some point in the future. |
| 60 |
|
| 61 |
> I expect the "wheel" group to only be for changing into "root", |
| 62 |
> that's what it's advertised as. |
| 63 |
|
| 64 |
I've seen some binaries in the wheel group and 0550 permission. |
| 65 |
|
| 66 |
> Still needs the clients to be actually running when the server runs |
| 67 |
> the script. Or it needs to be added to a schedule and gets triggered |
| 68 |
> when the client becomes available. This would make the scheduler |
| 69 |
> too complex. |
| 70 |
|
| 71 |
Why can't the script that's running ssh simply start an agent, run ssh, |
| 72 |
then stop the agent? There's no coordination necessary. |
| 73 |
|
| 74 |
> I agree, but root-access is only needed for specific tasks, like |
| 75 |
> updates. Most access is done using service-specific accounts. I only |
| 76 |
> have 2 where users have shell-accounts. |
| 77 |
|
| 78 |
Many people forget about problems on boot that require root's password. |
| 79 |
|
| 80 |
> I'd love to implement Kerberos, mostly for the SSO abilities, |
| 81 |
> but haven't found a simple to follow howto yet which can be easily |
| 82 |
> adjusted so it can be added to an existing environment. |
| 83 |
|
| 84 |
ACK |
| 85 |
|
| 86 |
|
| 87 |
|
| 88 |
-- |
| 89 |
Grant. . . . |
| 90 |
unix || die |
Archives