| 1 |
On Friday, 15 July 2022 18:32:52 CEST Grant Taylor wrote: |
| 2 |
> On 7/15/22 1:53 AM, J. Roeleveld wrote: |
| 3 |
> > I agree, but that is a tedious process. |
| 4 |
> |
| 5 |
> Yes, it can be. That's where some automation comes into play. |
| 6 |
|
| 7 |
True, properly done automation is necessary to make our lives easier. |
| 8 |
|
| 9 |
> > I have multiple machines I use as desktop depending on where I am. And |
| 10 |
> > either I need to securely share the private keys between them or set |
| 11 |
> > up different keys per desktop. |
| 12 |
> |
| 13 |
> I /currently/ use unique keys /per/ /client/ /system/. |
| 14 |
> |
| 15 |
> I am /planing/ on starting to use unique keys /per/ /client/ /per/ |
| 16 |
> /server/. Meaning that each client will use a different key for each |
| 17 |
> remote server. I think that this combined with location restrictions in |
| 18 |
> the authorized_keys file will mean that SSH keys (or certificates) can't |
| 19 |
> be used from anywhere other than their approved location or for anything |
| 20 |
> other than their intended purpose. |
| 21 |
|
| 22 |
I tried this approach in the past and some levels of automation still use |
| 23 |
this, but for being able to login myself, I found having different keys become |
| 24 |
cumbersome and I ended up never actually replacing them. |
| 25 |
|
| 26 |
> > I assume the same is true for most people. |
| 27 |
> |
| 28 |
> Yes. It depends what security posture you / your organization want. |
| 29 |
|
| 30 |
The goal is to have whichever authentication system used, the passwords/keys |
| 31 |
to be replaced often with hard to brute-force passwords/keys. I can currently |
| 32 |
replace all passwords on a daily basis and not have a problem with accessing |
| 33 |
any system. |
| 34 |
|
| 35 |
> > Never mind that access to the servers needs to be possible for others |
| 36 |
> > as well. |
| 37 |
> |
| 38 |
> I assume that other users will use their own individual accounts to log |
| 39 |
> into the target systems with a similar configuration. |
| 40 |
> |
| 41 |
> E.g. I log into remote systems as "gtaylor" and you log into remote |
| 42 |
> systems as "joost", and Neil logs into remote systems as "neil". We |
| 43 |
> would all then escalate to root via "su -" with the automation providing |
| 44 |
> the password to su. |
| 45 |
|
| 46 |
For normal use, most systems don't need to be logged into a shell. For the few |
| 47 |
where this is needed, individual accounts exists. |
| 48 |
But, no individual account is a member of "wheel". |
| 49 |
For admin access, there are admin accounts on the machines. (they are all |
| 50 |
named individually and you won't find the same admin-account-username on more |
| 51 |
then 1 system) |
| 52 |
|
| 53 |
> > Either way, to do this automatically, all the desktop machines need |
| 54 |
> > to be powered and running while changing the keys. |
| 55 |
> |
| 56 |
> No, they don't. |
| 57 |
> |
| 58 |
> You just need to account for current and prior keys. |
| 59 |
> |
| 60 |
> I've done exactly this on a fleet of about 800 Unix systems that I |
| 61 |
> helped administer at my last job. You do something like the following: |
| 62 |
> |
| 63 |
> 1) Log into the remote system explicitly using the prior key. |
| 64 |
> 2) Append the current key to the ~/.ssh/authorized_keys file. |
| 65 |
> 3) Logout of the remote system. |
| 66 |
> 4) Log into the remote system explicitly using the current key. |
| 67 |
> 5) Remove the prior key from the ~/.ssh/authorized_keys file. |
| 68 |
> 6) Logout of the remote system. |
| 69 |
> |
| 70 |
> This can be fairly easily automated. |
| 71 |
|
| 72 |
True, but this needs to run from the client. Not the server. Which means it |
| 73 |
will need to be triggered manually and not scheduled. |
| 74 |
|
| 75 |
> You can then loop across systems using this automation to update the key |
| 76 |
> on systems that are online. |
| 77 |
> |
| 78 |
> You can relatively easily deal with systems that are offline currently |
| 79 |
> later when they are back online. -- There are ways to differentiate |
| 80 |
> between offline and bad credentials during day to day operations. So |
| 81 |
> when you hit the bad credentials you leverage the automation that tries |
| 82 |
> old credentials to update them. |
| 83 |
> |
| 84 |
> You end up bifurcating the pool of systems into different groups that |
| 85 |
> need to be dealt with differently. Online and doing what you want; |
| 86 |
> online but not doing what you want; and offline. |
| 87 |
> |
| 88 |
> > Changing passwords for servers and storing them in a password vault |
| 89 |
> > is easier to automate. |
| 90 |
> |
| 91 |
> I disagree. |
| 92 |
> |
| 93 |
> Using passwords tends to negate things like authenticating to sudo with |
| 94 |
> SSH keys / certificates, thus prompting the use of NOPASSWD:. |
| 95 |
|
| 96 |
I don't even have sudo installed on most systems, only where it's needed for |
| 97 |
certain scripts to work and there it's only used to avoid "setuid" which is an |
| 98 |
even bigger issue. |
| 99 |
|
| 100 |
-- |
| 101 |
Joost |
Archives