@alex_02 @nixCraft I't not gonna lie, it never occurred...

@alex_02 @nixCraft I't not gonna lie, it never occurred to me to use certificates. I mean, don't you need to create your own CA and install it onto all of your machines, unless you want to go through the trouble of getting it signed by Lets Encrypt?

And it is just so easy to do ssh-copy-id, especially if you only need to network like 3 or 4 machines together.

Like 29 May 2023 at 5:44 | Wall-to-wall | Open on emacs.ch

9 comments

DELETED

@ramin_hal9001 @nixCraft Security vs Convenience will always bite us in the ass. ;-;

Found a good article on ssh certificates:

https://goteleport.com/blog/how-to-configure-ssh-certificate-based-authentication/

29 May 2023 at 5:50 | Open on infosec.exchange

Chris Hessert 🇺🇸 🇺🇦

@alex_02 @ramin_hal9001 @nixCraft Thanks for that. 🙂

1 Jun 2023 at 11:58 | Open on mastodon.online

the vessel of morganna

@ramin_hal9001 @alex_02 @nixCraft SSH certificates are not the same as TLS certificates.

29 May 2023 at 8:12 | Open on social.treehouse.systems

Thomas H Jones II

@astraleureka @ramin_hal9001 @alex_02 @nixCraft

No, but you *can* configure newer SSH daemons to use x509s for authentication.

29 May 2023 at 15:14 | Open on mastodon.social

apgarcia

@ferricoxide @astraleureka @ramin_hal9001 @alex_02 @nixCraft newer ssh daemons? the globus toolkit was using x509 certs for authentication in the early 2000s...

1 Jun 2023 at 12:17 | Open on fosstodon.org

Thomas H Jones II

@apgarcia @astraleureka @ramin_hal9001 @alex_02 @nixCraft

"Newer" is relative. Not every OS vendor (*cough* Red Hat *cough*) is quick to update. Still not sure if OpenSSH (particularly the versions used by conservative distros like Red Hat and its clones) directly supports x509 or if they just support the more stripped-down SSH certificates.

1 Jun 2023 at 12:23 | Open on mastodon.social

Thomas H Jones II

@ramin_hal9001 @alex_02 @nixCraft

Problem with copying keys about - especially in a large scale environment – is the "how do you make sure ≤EX_EMPLOYEE>'s keys are all removed everywhere".

29 May 2023 at 15:12 | Open on mastodon.social

Fuzzysteve

@ferricoxide @ramin_hal9001 @alex_02 @nixCraft By pushing the keys via your centralized authentication system? So they don't exist on the box themselves. and that the centralized account is also removed?
Of course, then you also need something which is going to be checking every server to make sure no rogue accounts have been created.

1 Jun 2023 at 10:22 | Open on mastodon.social

Thomas H Jones II

@fuzzysteve @ramin_hal9001 @alex_02 @nixCraft

Yes. In general, offloading to a third-party key-auth mechanism is going to avoid the "stale keys" problem.

Similarly, combination of configuring SSH to ignore locally-staged keys, configuring sudo and/or SELinux to prevent random users from creating local accounts and having good monitoring/alerting in place goes a long way towards solving the "rogue accounts" problem.

1 Jun 2023 at 10:35 | Open on mastodon.social