Practical SSH Key Management

3

1

As many users know, I run lots of Debian servers, for personal, work, and volunteer organizations. I'm seeing lots of posts recently on both Superuser and IT Security about disabling passwords, and just using key-based authentication.

I use key-based authentication for all my root access from my personal server, my work laptop, and the computer I use most of the time away from work. However, to get on any of the servers not using WinSCP (where I have my keys saved, at least for my Windows PC), I log in as my standard user account, then su to root, using the very long password.

On the servers I do not manage for work purposes, I keep these keys in just those three places, mainly for doing backups. I use very strong passwords (in my opinion), and only PermitRootLogin withoutpassword (I love when config files let me use them in sentences!). When I log in from another place, I use my regular account with a strong password, because I don't have a place I can keep my keys and pull up if I need to log in normally from a new device.

I see this as having two possible solutions:

  1. Storing the keys in plain text or encrypted somewhere remote, disabling all Password-based authentication methods to my servers. If so, where and how can I store them securely that they won't likely get compromised?
  2. Using a strong regular-user password, and changing every 90 days. This is a good practice, I'm sure, but my memory really sucks. I'm sure I'd keep using the same password anyways, just out of sheer habit, which breaks the whole point of doing this.

I'd really like to use method 1, but I don't know what would be the best practice with so many servers, and many of them using different passwords just to START logging in from a new location. For example, I regularly use my cell phone to tunnel home, or to check the status of a service at a remote site.

Canadian Luke

Posted 2016-02-03T05:55:42.430

Reputation: 22 162

Buy a smart card and put them there – Neil McGuigan – 2016-02-03T19:13:15.217

And how can I use that smart card with a mobile phone? – Canadian Luke – 2016-02-03T19:35:23.680

Yubikey Neo supports NFC https://www.yubico.com/products/yubikey-hardware/yubikey-neo/

– Neil McGuigan – 2016-02-03T19:40:01.397

Answers

1

Both experience and research have shown that the most secure passwords are those big in lenght rather than complex, which indeed sucks for those whose memory suck (me included!). Therefore, in my opinion, using key-based authentication is the right way to go when it comes to manage a big number of servers.

At the same time, anything involving security and storing remotely in the same sentence usually grates on ears. I'm not saying any remote place is potentially insecure, but you can't know if it actually is. On the other side, in terms of practicality, you'll have to store the SSH key in a remote place.

So, having these ingredients all mixed together, I have 2 suggestions:

Use an IT configuration manager

Examples are: Puppet, Chef server, or alikes.

You mention that you have a personal server. Probably this is the least worse place to host your central configuration server. You could create a module that would save your SSH-key in an encrypted form and allow your personal computer, your work laptop and potential new devices to deploy it.

We use Chef server to perform these tasks. It has a feature called data bags, and very interesting kind of these called encrypted data bags which indeed allow you store all your passwords, SSH-keys and any sensible data.

Chef-architecture

Regardless of which configuration manager you choose, you could use it to deploy the keys on both your servers and personal computers.

This approach has a big upside: If by any change your private key gets compromised, you change it on one place and it will get deployed on all servers and clients without wasting any time.

It has a downside, though. If you plan to access your servers from mobile devices such as mobile phones, tablets, etc., you probably won't have a Chef|Puppet|Put-your-favorite-configuration-handler-server-here client there.

More info on these:

Use an encrypted local-file manager

There are some software that will encrypt your keys, regardless if they are passwords, SSH-keys, or bank data. This has an evident downside: To protect your passwords you need a password (and you probably will want a very good one). In any case, if you like this approach, you can save your encrypted key to a pen-drive and take with you wherever you go.

This has another potential downside: You can lose your pen-drive, someone might steal it... In this case it's still encrypted, but you'll probably want to have a few cups of coffee to change the SSH-key on all your Debian servers and clients, which will probably take you to think that approach 1 is quite more scalable.

In any case, I only know one software of that kind which is secure enough to store all your keys (by the way: You can protect your passwords file with a password (as mentioned), a key file or both).

If you like this approach, you probably want to have a look at Keepass.

nKn

Posted 2016-02-03T05:55:42.430

Reputation: 4 960

You need to set the passphrase on your private keys, then it is encrypted. If you manage a lot of keys and servers, then Ansible Tower could be interesting too because of the delegation and reporting features. – bbaassssiiee – 2016-02-04T22:25:43.727

Asked: 2016-02-03T05:55:42.430

Viewed: 236 times

Active: 2016-02-03T06:49:43.620