1 |
On Friday, 15 July 2022 18:32:52 CEST Grant Taylor wrote: |
2 |
> On 7/15/22 1:53 AM, J. Roeleveld wrote: |
3 |
> > I agree, but that is a tedious process. |
4 |
> |
5 |
> Yes, it can be. That's where some automation comes into play. |
6 |
|
7 |
True, properly done automation is necessary to make our lives easier. |
8 |
|
9 |
> > I have multiple machines I use as desktop depending on where I am. And |
10 |
> > either I need to securely share the private keys between them or set |
11 |
> > up different keys per desktop. |
12 |
> |
13 |
> I /currently/ use unique keys /per/ /client/ /system/. |
14 |
> |
15 |
> I am /planing/ on starting to use unique keys /per/ /client/ /per/ |
16 |
> /server/. Meaning that each client will use a different key for each |
17 |
> remote server. I think that this combined with location restrictions in |
18 |
> the authorized_keys file will mean that SSH keys (or certificates) can't |
19 |
> be used from anywhere other than their approved location or for anything |
20 |
> other than their intended purpose. |
21 |
|
22 |
I tried this approach in the past and some levels of automation still use |
23 |
this, but for being able to login myself, I found having different keys become |
24 |
cumbersome and I ended up never actually replacing them. |
25 |
|
26 |
> > I assume the same is true for most people. |
27 |
> |
28 |
> Yes. It depends what security posture you / your organization want. |
29 |
|
30 |
The goal is to have whichever authentication system used, the passwords/keys |
31 |
to be replaced often with hard to brute-force passwords/keys. I can currently |
32 |
replace all passwords on a daily basis and not have a problem with accessing |
33 |
any system. |
34 |
|
35 |
> > Never mind that access to the servers needs to be possible for others |
36 |
> > as well. |
37 |
> |
38 |
> I assume that other users will use their own individual accounts to log |
39 |
> into the target systems with a similar configuration. |
40 |
> |
41 |
> E.g. I log into remote systems as "gtaylor" and you log into remote |
42 |
> systems as "joost", and Neil logs into remote systems as "neil". We |
43 |
> would all then escalate to root via "su -" with the automation providing |
44 |
> the password to su. |
45 |
|
46 |
For normal use, most systems don't need to be logged into a shell. For the few |
47 |
where this is needed, individual accounts exists. |
48 |
But, no individual account is a member of "wheel". |
49 |
For admin access, there are admin accounts on the machines. (they are all |
50 |
named individually and you won't find the same admin-account-username on more |
51 |
then 1 system) |
52 |
|
53 |
> > Either way, to do this automatically, all the desktop machines need |
54 |
> > to be powered and running while changing the keys. |
55 |
> |
56 |
> No, they don't. |
57 |
> |
58 |
> You just need to account for current and prior keys. |
59 |
> |
60 |
> I've done exactly this on a fleet of about 800 Unix systems that I |
61 |
> helped administer at my last job. You do something like the following: |
62 |
> |
63 |
> 1) Log into the remote system explicitly using the prior key. |
64 |
> 2) Append the current key to the ~/.ssh/authorized_keys file. |
65 |
> 3) Logout of the remote system. |
66 |
> 4) Log into the remote system explicitly using the current key. |
67 |
> 5) Remove the prior key from the ~/.ssh/authorized_keys file. |
68 |
> 6) Logout of the remote system. |
69 |
> |
70 |
> This can be fairly easily automated. |
71 |
|
72 |
True, but this needs to run from the client. Not the server. Which means it |
73 |
will need to be triggered manually and not scheduled. |
74 |
|
75 |
> You can then loop across systems using this automation to update the key |
76 |
> on systems that are online. |
77 |
> |
78 |
> You can relatively easily deal with systems that are offline currently |
79 |
> later when they are back online. -- There are ways to differentiate |
80 |
> between offline and bad credentials during day to day operations. So |
81 |
> when you hit the bad credentials you leverage the automation that tries |
82 |
> old credentials to update them. |
83 |
> |
84 |
> You end up bifurcating the pool of systems into different groups that |
85 |
> need to be dealt with differently. Online and doing what you want; |
86 |
> online but not doing what you want; and offline. |
87 |
> |
88 |
> > Changing passwords for servers and storing them in a password vault |
89 |
> > is easier to automate. |
90 |
> |
91 |
> I disagree. |
92 |
> |
93 |
> Using passwords tends to negate things like authenticating to sudo with |
94 |
> SSH keys / certificates, thus prompting the use of NOPASSWD:. |
95 |
|
96 |
I don't even have sudo installed on most systems, only where it's needed for |
97 |
certain scripts to work and there it's only used to avoid "setuid" which is an |
98 |
even bigger issue. |
99 |
|
100 |
-- |
101 |
Joost |