Security/Guidelines/Key Management: Difference between revisions

Migrated openssh key handling to https://wiki.mozilla.org/index.php?title=Security/Guidelines/OpenSSH
(Deprecation precisions)
(Migrated openssh key handling to https://wiki.mozilla.org/index.php?title=Security/Guidelines/OpenSSH)
Line 81:
== X509 certificates and keys ==
== SSH ==
=== Generation ===
See [[Security/Guidelines/OpenSSH]].
<source lang="bash">
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz"

# ECDSA keys are only compatible with OpenSSH 5.7+
# (the output file is named id_ecdsa_* so it does not collide with the RSA key above)
$ ssh-keygen -t ecdsa -b 384 -f ~/.ssh/id_ecdsa_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz"
</source>
 
=== Protection of user keys ===
* Protected by a strong passphrase.
* Never copied to any system other than your own workstation, personal physical disks, or tokens.
* Use SSH agent forwarding or SSH tunneling if you need to jump between hosts. '''DO NOT''' leave agent forwarding enabled when it is not needed.
 
==== SSH agent forwarding ====
{| class="wikitable"
|-
! <span style="color:red;">'''ATTENTION'''</span>
|-
| SSH agent forwarding exposes your authentication to the server you're connecting to. By default, an attacker with control of the server (i.e. root access) can communicate with your agent and use your key to authenticate to other servers without any notification (i.e. impersonate you).<br />For this reason, one must be careful when using SSH agent forwarding. Defaulting to always forwarding the agent is strongly discouraged.<br />Note also that while the attacker can use your key as long as the agent is running and forwarded, they cannot steal or download the key for offline or later use.
|}
 
SSH agent forwarding allows you to jump between hosts while keeping your private key on your local computer. This is accomplished by telling SSH to forward authentication requests back to the ssh-agent on your local computer. It works across as many hosts as needed: each host forwards new authentication requests to the previous host, until the ssh-agent that holds the private key is reached.
 
[[File:Ssh forwarding.png]]
 
On each host, two environment variables are set in the session of a user who connects with agent forwarding enabled:
* '''$SSH_AUTH_SOCK''' gives the path of the unix socket used to forward an authentication request back to the previous host (e.g. /tmp/ssh-NjPxtt8779/agent.8779). On a remote host it is only present when the agent was forwarded.
* '''$SSH_CONNECTION''' shows the source IP and port of the previous host, followed by the local IP and port (e.g. 10.22.248.74 44727 10.8.75.110 22).
 
To forward the agent, add the -A flag to your ssh command:
<source lang="bash">
$ ssh -A user@ssh.mozilla.com
</source>
 
Alternatively, you can set the following configuration parameter for that host in your local ssh configuration at ~/.ssh/config:
<source>
Host ssh.mozilla.com
    ForwardAgent yes
</source>
==== Alternative to SSH agent forwarding (safer) ====
 
It is possible to directly forward ports for single jumps instead of forwarding the agent. This has the advantage of never exposing your agent to the servers you're connecting to.
 
For example, you can add these lines to your ~/.ssh/config:
<source>
Host *.mozilla.com
    ProxyCommand ssh ssh.mozilla.com -W %h:%p
</source>
This will automatically forward the SSH connection over ssh.mozilla.com when you connect to a mozilla.com SSH server.
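The two configuration fragments above (per-host ForwardAgent for the bastion, and the ProxyCommand jump that keeps the agent local) are the safe pattern; the anti-pattern the warning box describes is a blanket "ForwardAgent yes" under "Host *". The following audit script is an added example, not part of the original wiki page. It walks an ssh_config-style file, lists every Host block that enables agent forwarding, and fails when forwarding is enabled globally or under a bare "*" pattern. It assumes POSIX sh and awk; the sample config it builds is constructed for the example (the host names are the ones used on this page) and is not a recommendation.

```shell
#!/bin/sh
# Added example (not from the original wiki page): audit an ssh_config-style
# file for blanket agent forwarding. Only the Host, Match and ForwardAgent
# keywords are interpreted; everything else is passed over.

# audit_forward_agent FILE
# Prints one line per "ForwardAgent yes" with the block it applies to.
# Returns 1 if forwarding is enabled outside any Host block or under a bare
# "*" pattern (the default the page discourages), 0 otherwise.
audit_forward_agent() {
    awk '
        BEGIN { host = "(no Host block)"; wild = 1; bad = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        tolower($1) == "host" {
            host = "Host"; wild = 0
            for (i = 2; i <= NF; i++) {
                host = host " " $i
                if ($i == "*") wild = 1                  # bare wildcard pattern
            }
            next
        }
        tolower($1) == "match" { host = $0; wild = 0; next }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            printf "ForwardAgent yes in %s\n", host
            if (wild) bad = 1
        }
        END { exit bad }
    ' "$1"
}

# make_sample_config
# Writes a constructed ~/.ssh/config-style file to a temp path and prints the
# path. The last block is the blanket default that the audit flags.
make_sample_config() {
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
# forward the agent only to the bastion
Host ssh.mozilla.com
    ForwardAgent yes

# jump through the bastion without exposing the agent
Host *.mozilla.com
    ProxyCommand ssh ssh.mozilla.com -W %h:%p

# blanket default: this is what the audit reports as a failure
Host *
    ForwardAgent yes
    ServerAliveInterval 30
EOF
    printf '%s\n' "$cfg"
}

# Usage on a real file:  audit_forward_agent ~/.ssh/config
# Run "sh audit.sh demo" to see the result on the constructed sample.
case "${1-}" in
    demo)
        cfg=$(make_sample_config)
        audit_forward_agent "$cfg" || echo "blanket agent forwarding found"
        rm -f "$cfg"
        ;;
esac
```

On the constructed sample the audit prints two lines (one for ssh.mozilla.com, one for "Host *") and exits 1 because of the "Host *" block; a config that only enables forwarding for the bastion exits 0. OpenSSH 7.3 and later also accept a ProxyJump directive that is equivalent to the "ProxyCommand ssh ... -W %h:%p" form shown above, so either spelling of the jump is fine for this check.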
 
=== Protection of machine keys ===
When SSH keys are necessary for automation between systems, it is reasonable to use passphrase-less keys.
* The recommended settings are identical to the user keys.
* The keys must be accessible only by the admin user (root) and/or the system user requiring access.
Usage of machine keys should be registered in an inventory (a wiki page, LDAP, an inventory database), to allow for rapid auditing of key usage across an infrastructure.
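The two rules that are easiest to verify mechanically are the ones above: user keys carry a passphrase, and machine keys are readable only by root or the service account that uses them. The script below is an added example, not part of the original wiki page, with one check for each. It assumes GNU coreutils on Linux (stat -c, base64 -d); the key files it builds for the demo are constructed and only reproduce the first bytes of the openssh-key-v1 container, which is all the passphrase check looks at.

```shell
#!/bin/sh
# Added example (not from the original wiki page): checks for the key
# protection rules in this section. Assumes GNU coreutils (stat -c, base64 -d).

# key_is_encrypted KEYFILE
# Returns 0 if the private key is passphrase-protected, 1 if it is stored in
# clear, 2 if the format is not recognised. The openssh-key-v1 container names
# its cipher right after the "openssh-key-v1" magic ("none" means no
# passphrase); classic PEM keys carry a "Proc-Type: 4,ENCRYPTED" header or a
# "BEGIN ENCRYPTED PRIVATE KEY" armor.
key_is_encrypted() {
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        hdr=$(sed -n '/^-----BEGIN OPENSSH/,/^-----END OPENSSH/p' "$1" \
              | grep -v -- '-----' | base64 -d 2>/dev/null \
              | head -c 64 | tr -cd '[:print:]')
        case "$hdr" in
            openssh-key-v1none*) return 1 ;;   # cipher "none": no passphrase
            openssh-key-v1*)     return 0 ;;   # e.g. aes256-ctr + bcrypt
            *)                   return 2 ;;
        esac
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && return 0
        grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" && return 0
        return 1
    fi
    return 2
}

# check_key_perms KEYFILE [OWNER ...]
# Returns 0 when the key is readable only by its owner (mode 0600 or 0400) and
# the owner is one of the listed users or uids (default: root); otherwise
# prints the reason and returns 1.
check_key_perms() {
    key=$1; shift
    [ $# -eq 0 ] && set -- root
    [ -f "$key" ] || { printf '%s: not a regular file\n' "$key"; return 1; }
    mode=$(stat -c '%a' "$key") && owner=$(stat -c '%U' "$key") \
        && uid=$(stat -c '%u' "$key") || return 1
    case "$mode" in
        600|400) ;;
        *) printf '%s: mode %s is readable by group/other\n' "$key" "$mode"; return 1 ;;
    esac
    for u in "$@"; do
        [ "$owner" = "$u" ] || [ "$uid" = "$u" ] && return 0
    done
    printf '%s: owned by %s, expected one of: %s\n' "$key" "$owner" "$*"
    return 1
}

# make_sample_key yes|no
# Constructs a file whose contents mimic the start of an openssh-key-v1 key
# (magic, cipher name, kdf name only). It is NOT a usable key; it exists so the
# header check above can be exercised without ssh-keygen. Prints the path.
make_sample_key() {
    f=$(mktemp) || return 1
    if [ "$1" = yes ]; then
        printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' > "$f.bin"
    else
        printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' > "$f.bin"
    fi
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      base64 "$f.bin"
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$f"
    rm -f "$f.bin"
    chmod 600 "$f"
    printf '%s\n' "$f"
}

# Usage on real files:
#   key_is_encrypted ~/.ssh/id_rsa_mozilla_2014-01-01 || echo "user key has no passphrase"
#   check_key_perms /etc/backup/id_rsa root backup    # machine key: root or the service user
case "${1-}" in
    demo)
        k=$(make_sample_key no)
        key_is_encrypted "$k" || echo "$k: stored without passphrase"
        chmod 644 "$k"; check_key_perms "$k" "$(id -u)"
        rm -f "$k"
        ;;
esac
```

The passphrase check reads only the container header, so it works on keys it cannot open; the permission check compares against both the user name and the numeric uid so it behaves the same inside containers where the owner may have no name. A key that fails check_key_perms with the service user listed is a candidate for the inventory review the section asks for.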


== PGP/GnuPG ==