Poll: The most common way I've seen for SSH access...

nixCraft's posts Post Back to profile

nixCraft 🐧

Poll: The most common way I've seen for SSH access to #Linux or #Unix servers (please boost for reach. TIA):

Anonymous poll

Poll

Username and password

605

34.1%

SSH authorized_keys (pub key)

1,336

75.3%

SSH Certificates

4.6%

Other (I will reply below)

1.2%

1,774 people voted.
Voting ended 5 Jun 2023 at 5:27.

Like 29 May 2023 at 5:27 | Open on mastodon.social

37 comments

DELETED

@nixCraft If you aren't using certs for publicly accessible ssh servers... you are doing it wrong.

29 May 2023 at 5:29 | Open on infosec.exchange

kechpaja

@alex_02 @nixCraft What is the benefit of an SSH certificate over authorized_keys?

29 May 2023 at 5:38 | Open on social.kechpaja.com

max frühschütz – нет войне

@kechpaja @alex_02 @nixCraft i'd like to know as well!

29 May 2023 at 8:05 | Open on mastodon.social

Thomas H Jones II

@kechpaja @alex_02 @nixCraft

Baked-in maximum key-lifetime, key-revocability and better attribution/tracing, for starters.

29 May 2023 at 14:45 | Open on mastodon.social

Ramin Honary

@alex_02 @nixCraft I't not gonna lie, it never occurred to me to use certificates. I mean, don't you need to create your own CA and install it onto all of your machines, unless you want to go through the trouble of getting it signed by Lets Encrypt?

And it is just so easy to do ssh-copy-id, especially if you only need to network like 3 or 4 machines together.

29 May 2023 at 5:44 | Open on emacs.ch

DELETED

@ramin_hal9001 @nixCraft Security vs Convenience will always bite us in the ass. ;-;

Found a good article on ssh certificates:

https://goteleport.com/blog/how-to-configure-ssh-certificate-based-authentication/

29 May 2023 at 5:50 | Open on infosec.exchange

Chris Hessert 🇺🇸 🇺🇦

@alex_02 @ramin_hal9001 @nixCraft Thanks for that. 🙂

1 Jun 2023 at 11:58 | Open on mastodon.online

the vessel of morganna

@ramin_hal9001 @alex_02 @nixCraft SSH certificates are not the same as TLS certificates.

29 May 2023 at 8:12 | Open on social.treehouse.systems

Thomas H Jones II

@astraleureka @ramin_hal9001 @alex_02 @nixCraft

No, but you *can* configure newer SSH daemons to use x509s for authentication.

29 May 2023 at 15:14 | Open on mastodon.social

apgarcia

@ferricoxide @astraleureka @ramin_hal9001 @alex_02 @nixCraft newer ssh daemons? the globus toolkit was using x509 certs for authentication in the early 2000s...

1 Jun 2023 at 12:17 | Open on fosstodon.org

Thomas H Jones II

@apgarcia @astraleureka @ramin_hal9001 @alex_02 @nixCraft

"Newer" is relative. Not every OS vendor (*cough* Red Hat *cough*) is quick to update. Still not sure if OpenSSH (particularly the versions used by conservative distros like Red Hat and its clones) directly supports x509 or if they just support the more stripped-down SSH certificates.

1 Jun 2023 at 12:23 | Open on mastodon.social

Thomas H Jones II

@ramin_hal9001 @alex_02 @nixCraft

Problem with copying keys about - especially in a large scale environment – is the "how do you make sure ≤EX_EMPLOYEE>'s keys are all removed everywhere".

29 May 2023 at 15:12 | Open on mastodon.social

Fuzzysteve

@ferricoxide @ramin_hal9001 @alex_02 @nixCraft By pushing the keys via your centralized authentication system? So they don't exist on the box themselves. and that the centralized account is also removed?
Of course, then you also need something which is going to be checking every server to make sure no rogue accounts have been created.

1 Jun 2023 at 10:22 | Open on mastodon.social

Thomas H Jones II

@fuzzysteve @ramin_hal9001 @alex_02 @nixCraft

Yes. In general, offloading to a third-party key-auth mechanism is going to avoid the "stale keys" problem.

Similarly, combination of configuring SSH to ignore locally-staged keys, configuring sudo and/or SELinux to prevent random users from creating local accounts and having good monitoring/alerting in place goes a long way towards solving the "rogue accounts" problem.

1 Jun 2023 at 10:35 | Open on mastodon.social

Niels K.

@nixCraft I’ve seen mostly user/password but I strongly encourage to use ssh certificates when having to handle more than a couple of machines. They are awesome.

29 May 2023 at 5:29 | Open on mastodon.social

Chimmie Firefly 💙💜🤍

@nixCraft 16384 bit RSA key

29 May 2023 at 5:31 | Open on tech.lgbt

Chris McCabe

@nixCraft
Not a scooby, but will boost

29 May 2023 at 5:41 | Open on mastodon.social

Alan Hicks

@nixCraft I'm surprised and disappointed there are still so many using username password instead of secure alternatives 😢

29 May 2023 at 5:46 | Open on fosstodon.org

lynx

@AlanHicksLondon @nixCraft it's the initial method one has to use to 'ssh-copy-id' over one's public key. once that bootstrapping's done, it can be disabled.

sort of like using IE/Edge that one time to download a real web browser.

29 May 2023 at 12:25 | Open on mastodon.world

Canwr Ffug

@nixCraft This is just a data gathering attempt for phising later isn't it?

29 May 2023 at 5:55 | Open on defcon.social

Patrice

@nixCraft been mostly using AD integration with sssd for user accounts, SSH Keys (authorized_keys) for functional accounts (Ansible). No local user/password accounts on any machine. Access to the machines is being managed by moving users in/out of AD groups

29 May 2023 at 6:59 | Open on mastodon.social

🇨🇦 Josh Kellendonk

@nixCraft authorized keys are the way.

29 May 2023 at 7:02 | Open on fosstodon.org

Stephen Greenham

@nixCraft Yubikey paired with certs! 🥰

29 May 2023 at 7:44 | Open on mast.solarisfire.com

LievenBlancke

@nixCraft public key + FIDO2

29 May 2023 at 7:52 | Open on mastodon-belgium.be

Mynacol

@nixCraft SSH keypair, saved in a TPM where possible. I recommend https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/SSH.md for setup instructions.

29 May 2023 at 9:27 | Open on ipv6.social

Thomas H Jones II

@nixCraft Wait: seen others or how I access?

29 May 2023 at 14:43 | Open on mastodon.social

🍉 دانیال بهزادی 🚁🗻

@nixCraft
Is there an article comparing ssh keys and certs login?

1 Jun 2023 at 10:09 | Open on persadon.com

Pratham Patel :ferrisdance:

@nixCraft pubkey auth for prod and passwds for local VMs and other stuff that doesn’t need security

1 Jun 2023 at 10:28 | Open on fosstodon.org

Mathieu Poussin

@nixCraft for my systems pubkeys, for work : https://goteleport.com/

1 Jun 2023 at 10:46 | Open on g33ks.coffee

Kyle Anderson 💙

@nixCraft Off topic: Math is harder for Mastodon than authn

1 Jun 2023 at 11:11 | Open on mastodon.social

Fritz Adalis

@kandersonus
@nixCraft
That's because it's checkboxes and not radio buttons.

1 Jun 2023 at 12:11 | Open on infosec.exchange

Thomas Jones

@nixCraft@mastodon.social

Depends on the environment.

In AD-integrated environments, it's a mix of GSSAPI tokens and password-based authentication.

In IPA-integrated environments, it's been a mix of GSSAPI tokens, SSH authorized_keys and passwords.

In "cattle" environments, it's been SSH authorized_keys (injected at deployment-time via cloud-init or subordinate processes).

A significant percentage of my customers are both RHEL-using and not-exactly-proactive in how they migrate to newer EL majors or (especially) retiring older EL majors. As such, migrating to SSH certificates is pretty much a non-starter since not every RHEL version supports their use (nor do they want instantiate the additional infrastructure to support it).