[RndTbl] Hey security guys!

[Adam Thompson]

On 2014-03-20 13:38, Kevin McGregor wrote: 

> We have a pile of
Linux servers here at work. We'd like to set up the shared keys to
simplify admin via SSH. Here's the thing (quoted from an email I
received): 
> 
> We are thinking of putting public/private ssh keys on
all of our Linux servers. 
> 
> The purpose of this is so that our
central admin server can "do stuff' on all of our servers without
needing a password. We are wondering how far to go for convenience. 
>

> Below are restrictions that we can place on the key pair (there may
be others, but these are the ones of which I'm aware). Have a look at
each restriction and consider whether we should use the restriction or
not. Basically it would be most convenient to have none of the
restrictions. 
> 
> · We can create a password on the key pair 
> 
> o
This would defeat the whole purpose of using the key pair to avoid
passwords 
> 
> · We can limit which user can run things on the target
machine 
> 
> o Most likely, we would install the public key for the
user root (therefore things would run as user=root) 
> 
> · We can limit
what commands can be run on the target machine 
> 
> o We would like to
leave this wide open so we can run anything remotely 
> 
> · We can
limit the source machine that can initiate remote commands (ie -
commands can only come from the admin machine) 
> 
> o It would be nice
to not have this limit as we could move the private key onto other
machines (eg a VM on your desktop) to be able to run things remotely 
>

> o The downside is that if anybody gets the private key, they can do
anything 
> 
> Note that firewalls should prevent people from the
internet trying to connect to ssh. 
> 
> [Comments, anyone? -
Kevin]

I'd say you've correctly identified all the upsides and
downsides to key-based authentication, with one major exception (every
human should have their own key, not a single shared key) and one minor
(you can create accounts and require sudo instead of logging in directly
as root). 

I'm going through exactly the same issue right now; having a
centralized directory and authentication server makes your life much,
much easier, even if it's just old-fashioned YP/NIS. That way you have a
consistent UID/userid/password, and on each system you can enforce
whatever policies you want using sudo. Including allowing people to add
their key to /root/.ssh/authorized_keys if necessary. 

It's entirely
normal for some ssh accounts (usually "root") to have a dozen or so
authorized keys, IMHO. 

Now we'll wait for the Shawns/Seans to chime in
and tell us how this is horribly unsecure... 

-Adam 
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.muug.mb.ca/pipermail/roundtable/attachments/20140320/1552a931/attachment.html>