Poll: The most common way I've seen for SSH access to #Linux or #Unix servers (please boost for reach. TIA):

Anonymous poll. Voting ended 5 Jun 2023 at 5:27. 1,774 people voted. 37 comments.

Username and password: 605 (34.1%)
SSH authorized_keys (pub key): 1,336 (75.3%)
SSH Certificates: 81 (4.6%)
Other (I will reply below): 21 (1.2%)
Baked-in maximum key-lifetime, key-revocability and better attribution/tracing, for starters.

@alex_02 @nixCraft I'm not gonna lie, it never occurred to me to use certificates. I mean, don't you need to create your own CA and install it onto all of your machines, unless you want to go through the trouble of getting it signed by Let's Encrypt? And it is just so easy to do

@ramin_hal9001 @nixCraft Security vs Convenience will always bite us in the ass. ;-; Found a good article on ssh certificates: https://goteleport.com/blog/how-to-configure-ssh-certificate-based-authentication/

@ramin_hal9001 @alex_02 @nixCraft SSH certificates are not the same as TLS certificates.

@astraleureka @ramin_hal9001 @alex_02 @nixCraft No, but you *can* configure newer SSH daemons to use x509s for authentication.

@ferricoxide @astraleureka @ramin_hal9001 @alex_02 @nixCraft newer ssh daemons? the globus toolkit was using x509 certs for authentication in the early 2000s...

@apgarcia @astraleureka @ramin_hal9001 @alex_02 @nixCraft "Newer" is relative. Not every OS vendor (*cough* Red Hat *cough*) is quick to update. Still not sure if OpenSSH (particularly the versions used by conservative distros like Red Hat and its clones) directly supports x509 or if they just support the more stripped-down SSH certificates.

@ramin_hal9001 @alex_02 @nixCraft Problem with copying keys about – especially in a large scale environment – is the "how do you make sure <EX_EMPLOYEE>'s keys are all removed everywhere".

@ferricoxide @ramin_hal9001 @alex_02 @nixCraft By pushing the keys via your centralized authentication system? So they don't exist on the box themselves. And that the centralized account is also removed?

@fuzzysteve @ramin_hal9001 @alex_02 @nixCraft Yes. In general, offloading to a third-party key-auth mechanism is going to avoid the "stale keys" problem.
Similarly, a combination of configuring SSH to ignore locally-staged keys, configuring sudo and/or SELinux to prevent random users from creating local accounts, and having good monitoring/alerting in place goes a long way towards solving the "rogue accounts" problem.

@nixCraft I'm surprised and disappointed there are still so many using username and password instead of secure alternatives 😢

@AlanHicksLondon @nixCraft it's the initial method one has to use to 'ssh-copy-id' over one's public key. once that bootstrapping's done, it can be disabled. sort of like using IE/Edge that one time to download a real web browser.

@nixCraft SSH keypair, saved in a TPM where possible. I recommend https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/SSH.md for setup instructions.

@nixCraft pubkey auth for prod and passwds for local VMs and other stuff that doesn't need security

@nixCraft Channeling the Enterprise Security Architect vibe... Don't you know that somebody might rEplAcE filEs oR aDd a kEy?? Are you committed to security at all??
@nixCraft If you aren't using certs for publicly accessible ssh servers... you are doing it wrong.
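The properties the thread credits to SSH certificates (a baked-in lifetime, revocability, attribution) live in a few fields of the certificate itself: the key ID, the principals and the validity window, which is what `ssh-keygen -s ca -I <key id> -n <principals> -V <validity>` writes when signing. The following is an added example, not code from the thread or from any project named in it: a small decoder for the OpenSSH certificate wire format that pulls those fields out of a user certificate so stale or expired certs found on hosts can be inventoried. The sample certificate is constructed inline with filler key, nonce and signature bytes (so it parses but would never verify), and no signature check is done here; sshd performs that against `TrustedUserCAKeys`.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b):
    """Encode an SSH wire 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b

def build_sample_cert(key_id, principals, valid_after, valid_before):
    """Constructed sample: a user cert in the OpenSSH wire format. Key, nonce
    and signature are filler bytes, so it parses but would never verify."""
    body = (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x11" * 32)  # type, nonce, pk
            + struct.pack(">QI", 1, 1)                             # serial, user cert
            + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")           # critical options, extensions, reserved
            + _s(b"\x22" * 32) + _s(b"\x33" * 64))  # CA public key, signature (filler)
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()

def parse_cert(line, now):
    """Decode a cert line ('<type> <base64>') and return its attribution and
    lifetime fields plus whether it is valid at epoch time `now`. The
    signature is NOT checked: use this for inventory, not for trust."""
    blob = base64.b64decode(line.split()[1])
    pos = 0

    def rd_str():
        nonlocal pos
        (n,) = struct.unpack_from(">I", blob, pos)
        pos += 4 + n
        return blob[pos - n:pos]

    if rd_str() != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    rd_str(); rd_str()                              # skip nonce and public key
    serial, ctype = struct.unpack_from(">QI", blob, pos)
    pos += 12
    key_id = rd_str().decode()
    praw, principals, p = rd_str(), [], 0
    while p < len(praw):                            # principals: nested strings
        (n,) = struct.unpack_from(">I", praw, p)
        principals.append(praw[p + 4:p + 4 + n].decode())
        p += 4 + n
    after, before = struct.unpack_from(">QQ", blob, pos)   # OpenSSH: after <= now < before
    return {"serial": serial, "user_cert": ctype == 1, "key_id": key_id,
            "principals": principals, "valid_after": after,
            "valid_before": before, "valid_now": after <= now < before}
```

For a real certificate, `ssh-keygen -L -f id_ed25519-cert.pub` prints the same fields; the script is useful when you want to check many cert files from an audit run without shelling out per file.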