Security/Guidelines/Key Management: Difference between revisions

* Protected by strong passphrase.
* Never copied to another system than your own workstation/personal physical disks/tokens.
* Use SSH agent forwarding or SSH tunneling if you need to jump between hosts. '''DO NOT''' leave agent forwarding enabled when it is not needed.
==== SSH Agent Forwarding ====
{| class="wikitable"
|-
! <span style="color:red;">'''ATTENTION'''</span>
|-
| SSH agent forwarding exposes your authentication to the server you are connecting to. By default, an attacker with control of that server (i.e. root access) can talk to your forwarded agent and use your key to authenticate to other servers without any notification (i.e. impersonate you).<br />For this reason, be careful when using SSH agent forwarding. Defaulting to always forwarding the agent is strongly discouraged.<br />Note also that while the attacker can use your key for as long as the agent is running and forwarded, they cannot steal or download the private key itself for offline or later use, because the agent only signs challenges and never exports the key.
|}
SSH agent forwarding allows you to jump between hosts while keeping your private key on your local computer. This is accomplished by telling SSH to forward authentication requests back to the ssh-agent on your local computer. Agent forwarding works across as many hosts as needed: each host forwards new authentication requests to the previous host, until the ssh-agent that holds the private key is reached.
[[File:Ssh forwarding.png]]
On each host, two environment variables are set for the user when ssh-agent forwarding is in use:
* '''$SSH_AUTH_SOCK''' gives the location of the unix socket used to forward an authentication request back to the previous host (e.g. /tmp/ssh-NjPxtt8779/agent.8779). On a remote host it is only present when the agent is being forwarded.
* '''$SSH_CONNECTION''' shows the source IP and port of the previous host, as well as the local IP and port (e.g. 10.22.248.74 44727 10.8.75.110 22).
To forward your agent, add the -A flag to your ssh command:
<source lang="bash">
$ ssh -A user@ssh.mozilla.com
</source>
Alternatively, you can set the following parameter in your local SSH configuration at ~/.ssh/config (this enables forwarding for every connection to that host, so apply it only where you really need it):
<source>
Host ssh.mozilla.com
    ForwardAgent yes
</source>
==== Alternative to SSH agent forwarding (safer) ====
It is possible to forward the SSH connection itself through the jump host for single jumps instead of forwarding the agent. This has the advantage of never exposing your agent to the servers you are connecting to: the key stays on your workstation and only the TCP stream is relayed.
For example, you can add these lines to your ~/.ssh/config:
<source>
# Exclude the jump host from its own pattern: without the "!ssh.mozilla.com"
# entry, connecting to ssh.mozilla.com would match *.mozilla.com and run
# this ProxyCommand again, recursing forever.
Host *.mozilla.com !ssh.mozilla.com
    ProxyCommand ssh ssh.mozilla.com -W %h:%p
</source>
This will automatically tunnel the SSH connection through ssh.mozilla.com when you connect to any other mozilla.com SSH server, with authentication to the final host still performed by your local ssh-agent.
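The following script is an added example, not part of the wiki page: it audits an ssh_config file for the two pitfalls discussed above, host blocks that turn on ForwardAgent, and a ProxyCommand "ssh <jump> -W" whose own Host pattern also matches the jump host (the recursion case). The host names in the constructed sample config are placeholders, and the script assumes the "Keyword value" form with one directive per line.

```shell
#!/usr/bin/env bash
# Added example (not from the page): audit ~/.ssh/config for agent-forwarding
# and ProxyCommand self-match pitfalls. Host names below are constructed.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Prints FORWARD_AGENT / PROXY_LOOP findings, one per line.
audit_ssh_config() (
  set -f                          # never glob-expand patterns such as *.mozilla.com
  file=$1; hosts='*'              # directives before any Host line apply to all hosts
  while read -r key val; do
    case "$(lower "$key")" in
      host) hosts=$val ;;
      forwardagent)
        if [ "$(lower "$val")" = yes ]; then echo "FORWARD_AGENT Host $hosts"; fi ;;
      proxycommand)
        set -- $val
        [ "$1" = ssh ] || continue
        jump=$2; pos=0; neg=0
        for pat in $hosts; do       # a Host line may carry several patterns
          case "$pat" in
            '!'*) case "$jump" in ${pat#\!}) neg=1 ;; esac ;;   # negation excludes the host
            *)    case "$jump" in $pat)      pos=1 ;; esac ;;
          esac
        done
        if [ "$pos" = 1 ] && [ "$neg" = 0 ]; then
          echo "PROXY_LOOP Host $hosts jumps via $jump"
        fi ;;
    esac
  done < "$file"
)

# Constructed sample config; writes it to a temp file and prints the path.
sample_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Host ssh.mozilla.com
    ForwardAgent yes
# pattern also matches the jump host itself -> ssh would recurse
Host *.mozilla.com
    ProxyCommand ssh ssh.mozilla.com -W %h:%p
# corrected form: the jump host is excluded from its own pattern
Host *.example.net !jump.example.net
    ProxyCommand ssh jump.example.net -W %h:%p
EOF
  echo "$f"
}

audit_ssh_config "$(sample_config)"
```

Run it against your own file with `audit_ssh_config ~/.ssh/config`; an empty result means no blanket forwarding and no self-matching ProxyCommand rules.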
=== Protection of Machine Keys ===