4

I've been reading the FHS specification on http://www.pathname.com/fhs/pub/fhs-2.3.html to figure out where a (private) SSH keyfile should be stored that will be used for a VPS administration panel I am currently working on. This keyfile should only be available to the master server (the one it is placed on), and will be used to tunnel libvirt communication over SSH.

From my understanding, this means the keyfile should be stored in a subdirectory in /etc, as it is static and host-specific. Is this correct?

ewwhite
  • 194,921
  • 91
  • 434
  • 799
Sven Slootweg
  • 143
  • 2

3 Answers3

1

IMHO:

/etc would tell where to find the key.

/usr/local or the /var tree might be the better approach or ~/.ssh on the corresponding users.

Tabakhase
  • 318
  • 1
  • 4
  • Think you're having multiple MasterServers - `/usr/local` when they have unique keys, `/var` when one private key is shared on all masters || and `~/.ssh` when your panel is running 'as a user' – Tabakhase Apr 17 '12 at 10:39
1

The system I am on uses /etc/ssl/certs for certificates and /etc/ssl/private for keys. Protection on the /etc/ssl/private directory is 710. Root owns the directory and the group can only access keys if it knows their name. Careful use of groups and permissions can provide finer grain access to the keys by non-root users.

EDIT: As @UtahJarhead pointed out SSH is not SSL(TLS). SSH doesn't normally have any issues about key placement as they are placed by the tools. Both methods can be used to secure access. SSL/TLS uses CA (Certficate Authority) signed certificates stored as specified above.

SSH uses unsigned certificates. The server's (host's) keys are stored in /etc/ssh and the key has 600 permission allowing only root read access. These are generated and installed when the daemon is installed . Client/user keys are stored in ~/ssh (aka $HOME/ssh) and all the standard tools will place them accordingly. When a public key is copied for passwordless access it also is stored in ~/ssh for the target user on the target system.

BillThor
  • 27,354
  • 3
  • 35
  • 69
  • Thanks for your answer. Definitely learned something new today :) – Sven Slootweg Apr 16 '12 at 23:40
  • 2
    Maybe I'm missing something, but SSH != SSL. – UtahJarhead Apr 17 '12 at 03:03
  • It's not the same indeed, but the type of the file is comparable to what I'm trying to store - a private key file. – Sven Slootweg Apr 17 '12 at 09:31
  • The usecase for ssl-priavte-keys is `unlock the certificate thats in the same folder and for this host` - your ssh private key is used to `unlock ALL the remote boxes` - `/etc/ssh` would be the deal when you where using `host_keys` what **is not recommended** – Tabakhase Apr 17 '12 at 10:33
  • If you are running an ssh daemon, it will use a host key to encrypt incoming connections. This is different from the client keys used to identify the incoming client. The public key from here will be added to the known hosts list of clients who connect. Changing this key will cause the host to become unknown to its clients. – BillThor Apr 18 '12 at 00:35
1

a private ssh key may not be host specific. A single ssh key pair can be used to connect a user to an unlimited number of hosts. ssh keys need to be able to be referenced on a per-login basis. In sshd_config there is an AuthorizedKeysFile that sets the location of where the private keys are stored. If you are interested in keeping it in /etc, this is feasible, however it is not "host-specific system configuration" as per the FHS guidelines. It appears to best fit in the default location in /home/${USER}/.ssh/authorized_keys since it should be unique to each user.

UtahJarhead
  • 908
  • 7
  • 14