Older revision: Gdestuynder (talk | contribs) (reordering)
Newer revision: Gdestuynder (talk | contribs)
(old line 211 / new line 211)
</source>

== Key generation ==
Large key sizes are used because SSH keys are not renewed very often (see also [[Security/Key_Management]]).
(old line 224 / new line 223)
</source>

=== Protection of user keys ===
* Protected by a strong passphrase.
* Never copied to any system other than your own workstation, personal physical disks or tokens.
* Use SSH agent forwarding or SSH tunneling if you need to jump between hosts. '''DO NOT''' leave agent forwarding enabled when it is not needed.

=== Protection of machine keys ===
When SSH keys are necessary for automation between systems, it is reasonable to use passphrase-less keys.
* The recommended settings are identical to those for user keys.

(old line 235 / new line 234)
Usage of machine keys should be registered in an inventory (a wiki page, LDAP, an inventory database) to allow rapid auditing of key usage across an infrastructure.
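As an added example (not part of the Mozilla guideline or of this revision), the following Python script builds the kind of machine-key inventory described above from <code>authorized_keys</code> lines: it separates option restrictions such as <code>command=</code> and <code>from=</code>, computes the OpenSSH-style SHA256 fingerprint (unpadded base64 of SHA-256 over the key blob, the value <code>ssh-keygen -lf</code> prints), reads the RSA modulus size out of the blob, and flags RSA keys below a minimum size. The sample lines, the dummy moduli and the 4096-bit threshold are constructed assumptions, not values from the page.

```python
import base64
import hashlib
import shlex
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
def _ssh_string(data: bytes) -> bytes:
    # SSH wire 'string': 4-byte big-endian length followed by the payload
    return struct.pack(">I", len(data)) + data
def _ssh_mpint(value: int) -> bytes:
    # SSH wire 'mpint': big-endian magnitude, 0x00 prepended when the high bit is set
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)
def _read_string(blob: bytes, offset: int):
    # Decode one wire 'string' at offset; returns (payload, offset just past it)
    (length,) = struct.unpack_from(">I", blob, offset)
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def fingerprint(blob: bytes) -> str:
    # OpenSSH SHA256 fingerprint: unpadded base64 of SHA-256 over the raw key blob
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_key(line: str) -> dict:
    # One authorized_keys line -> inventory record; shlex keeps quoted values such as command="..." together
    tokens = shlex.split(line)
    options = [] if tokens[0].startswith(KEY_TYPE_PREFIXES) else tokens.pop(0).split(",")
    key_type, blob = tokens[0], base64.b64decode(tokens[1])
    _, offset = _read_string(blob, 0)              # the key type is repeated inside the blob
    bits = 256 if key_type == "ssh-ed25519" else None
    if key_type == "ssh-rsa":
        _, offset = _read_string(blob, offset)     # exponent e, not needed for the size
        n_raw, _ = _read_string(blob, offset)      # modulus n: its bit length is the key size
        bits = int.from_bytes(n_raw, "big").bit_length()
    return {"type": key_type, "bits": bits, "fingerprint": fingerprint(blob),
            "comment": " ".join(tokens[2:]), "options": options}

def audit_keys(lines, min_rsa_bits=4096):
    # Build the inventory and flag RSA keys under min_rsa_bits (an assumed threshold, not the page's)
    inventory = [parse_authorized_key(l) for l in lines if l.strip() and not l.startswith("#")]
    findings = [f"{r['comment'] or r['fingerprint']}: RSA {r['bits']} bits below {min_rsa_bits}"
                for r in inventory if r["type"] == "ssh-rsa" and r["bits"] < min_rsa_bits]
    return inventory, findings

# Constructed samples in ssh-rsa blob layout (type, e, n); the moduli are dummy numbers, not real keys
SAMPLE_RSA_4096 = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 4095) | 1)
SAMPLE_RSA_2048 = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 2047) | 1)
SAMPLE_LINES = [
    'command="/usr/bin/rsync --server",no-pty,from="10.0.0.5" ssh-rsa '
    + base64.b64encode(SAMPLE_RSA_4096).decode() + " backup@host-a",
    "ssh-rsa " + base64.b64encode(SAMPLE_RSA_2048).decode() + " legacy deploy key",
]
```

Running <code>audit_keys</code> over the lines of each host's <code>authorized_keys</code> gives the per-key records (fingerprint, size, comment, restrictions) to register in the inventory and the list of undersized keys to act on.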
== SSH agent forwarding ==
{| class="wikitable"
|-
(old line 262 / new line 261)
</source>

=== Hardening the Agent forwarder ===
It is possible to require confirmation every time the agent is used (i.e. each time a key held by the agent is used to authenticate to a server) by adding keys with the <code>-c</code> flag of <code>ssh-add</code>:
(old line 297 / new line 296)
}}

=== Safer alternative to SSH agent forwarding ===
It is possible to forward ports directly for single jumps instead of forwarding the agent. This has the advantage of never exposing your agent to the servers you connect to.