| 1 |
On 7/15/22 1:53 AM, J. Roeleveld wrote: |
| 2 |
> I agree, but that is a tedious process. |
| 3 |
|
| 4 |
Yes, it can be. That's where some automation comes into play. |
| 5 |
|
| 6 |
> I have multiple machines I use as desktop depending on where I am. And |
| 7 |
> either I need to securely share the private keys between them or set |
| 8 |
> up different keys per desktop. |
| 9 |
|
| 10 |
I /currently/ use unique keys /per/ /client/ /system/. |
| 11 |
|
| 12 |
I am /planing/ on starting to use unique keys /per/ /client/ /per/ |
| 13 |
/server/. Meaning that each client will use a different key for each |
| 14 |
remote server. I think that this combined with location restrictions in |
| 15 |
the authorized_keys file will mean that SSH keys (or certificates) can't |
| 16 |
be used from anywhere other than their approved location or for anything |
| 17 |
other than their intended purpose. |
| 18 |
|
| 19 |
> I assume the same is true for most people. |
| 20 |
|
| 21 |
Yes. It depends what security posture you / your organization want. |
| 22 |
|
| 23 |
> Never mind that access to the servers needs to be possible for others |
| 24 |
> as well. |
| 25 |
|
| 26 |
I assume that other users will use their own individual accounts to log |
| 27 |
into the target systems with a similar configuration. |
| 28 |
|
| 29 |
E.g. I log into remote systems as "gtaylor" and you log into remote |
| 30 |
systems as "joost", and Neil logs into remote systems as "neil". We |
| 31 |
would all then escalate to root via "su -" with the automation providing |
| 32 |
the password to su. |
| 33 |
|
| 34 |
> Either way, to do this automatically, all the desktop machines need |
| 35 |
> to be powered and running while changing the keys. |
| 36 |
|
| 37 |
No, they don't. |
| 38 |
|
| 39 |
You just need to account for current and prior keys. |
| 40 |
|
| 41 |
I've done exactly this on a fleet of about 800 Unix systems that I |
| 42 |
helped administer at my last job. You do something like the following: |
| 43 |
|
| 44 |
1) Log into the remote system explicitly using the prior key. |
| 45 |
2) Append the current key to the ~/.ssh/authorized_keys file. |
| 46 |
3) Logout of the remote system. |
| 47 |
4) Log into the remote system explicitly using the current key. |
| 48 |
5) Remove the prior key from the ~/.ssh/authorized_keys file. |
| 49 |
6) Logout of the remote system. |
| 50 |
|
| 51 |
This can be fairly easily automated. |
| 52 |
|
| 53 |
You can then loop across systems using this automation to update the key |
| 54 |
on systems that are online. |
| 55 |
|
| 56 |
You can relatively easily deal with systems that are offline currently |
| 57 |
later when they are back online. -- There are ways to differentiate |
| 58 |
between offline and bad credentials during day to day operations. So |
| 59 |
when you hit the bad credentials you leverage the automation that tries |
| 60 |
old credentials to update them. |
| 61 |
|
| 62 |
You end up bifurcating the pool of systems into different groups that |
| 63 |
need to be dealt with differently. Online and doing what you want; |
| 64 |
online but not doing what you want; and offline. |
| 65 |
|
| 66 |
> Changing passwords for servers and storing them in a password vault |
| 67 |
> is easier to automate. |
| 68 |
|
| 69 |
I disagree. |
| 70 |
|
| 71 |
Using passwords tends to negate things like authenticating to sudo with |
| 72 |
SSH keys / certificates, thus prompting the use of NOPASSWD:. |
| 73 |
|
| 74 |
|
| 75 |
|
| 76 |
-- |
| 77 |
Grant. . . . |
| 78 |
unix || die |
Archives