Confirmed users
100
edits
Security/Guidelines/OpenSSH: Difference between revisions
Jump to navigation
Jump to search
→OpenSSH client: add section on how to audit existing keys
(→Key generation: clarify what's the best key generation procedure, reorder to make logical sense) |
(→OpenSSH client: add section on how to audit existing keys) |
||
| Line 223: | Line 223: | ||
* Usage of machine keys should be registered in an inventory (a wiki page, ldap, an inventory database), to allow for rapid auditing of key usage across an infrastructure. | * Usage of machine keys should be registered in an inventory (a wiki page, ldap, an inventory database), to allow for rapid auditing of key usage across an infrastructure. | ||
* The machine keys should be unique per usage. Each new usage (different service, different script called, etc.) should use a new, different key. | * The machine keys should be unique per usage. Each new usage (different service, different script called, etc.) should use a new, different key. | ||
== Auditing your existing machine keys == | |||
It's a good idea to make sure your existing keys are up to our security requirements. | |||
Look in <code>~/.ssh/</code> for <code>id_*</code> files: | |||
<code>ls -l ~/.ssh</code> | |||
To print information about an specific key, use <code>ssh-keygen -l -f <file></code>. | |||
For example, <code>ssh-keygen -l -f ~/.ssh/id_rsa</code> will give you an output similar to this: | |||
<source> | |||
2048 bc:4f:46:2b:3d:f1:e2:0f:ac:40:99:49:ed:c9:81:a2 you@mozilla.com (RSA) | |||
^---- key length | |||
^--- fingerprint | |||
^-- associated | |||
address | |||
^- | |||
cipher | |||
type | |||
</source> | |||
If any of your keys is using DSA as cipher, or if you have an RSA key and the key length is 1024 or smaller, '''please regenerate your SSH keys immediately''', because your keys aren't secure enough. | |||
== SSH agent forwarding == | == SSH agent forwarding == | ||