SSH: passwords or keys?

Posted Jan 14, 2010 8:57 UTC (Thu) by iq-0 (subscriber, #36655)
Parent article: SSH: passwords or keys?

At our office we have a very simple policy regarding passwords and SSH:
- No normal user account has a password
- Root account has a password but is not allowed to log in remotely using it
('PermitRootLogin without-password' in /etc/ssh/sshd_config)
- All automated processes must be key-based and never to the root-account
(if root access is necessary it should always be through some functionality
specific wrapper which will be explicitly allowed to be executed as root
through 'sudo' by that user)
- All other remote logins by admins and developers are done using smartcards
which make it impossible to copy the private key.

We also set additional information when a specific key is used so that we
have better auditing and also per user settings in role accounts.

The one thing that SSH is really missing (and which at some point some work
was being put into) was a PKI infrastructure. PKI infrastructures are
notoriously cumbersome, but for corporate settings they can easily be
integrated into the normal procedures. A PKI infrastructure makes
authorizing users and disabling compromised keys a lot more manageable when
you have 50+ servers.
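The per-key auditing described in this comment is usually done in OpenSSH with a forced command in authorized_keys: each key entry names its owner, sshd puts the client's requested command in SSH_ORIGINAL_COMMAND, and a small wrapper records the owner and command before handing over. The script below is an added example written for this thread, not code from the commenter or from OpenSSH; the wrapper path /usr/local/bin/ssh-audit-wrapper, the owner names, the log location and the allowed-command list are all assumptions, and the key material is a placeholder.

```shell
#!/bin/sh
# Added example (not from the LWN thread): auditing which key logged in to a
# shared role account. Paths, owners and the allowed commands are assumptions.

# Constructed authorized_keys lines for a role account such as "deploy".
# The key material is a placeholder, not a real public key. Every entry
# forces the wrapper and disables forwarding, as a role account should.
AUTHORIZED_KEYS_SAMPLE='command="/usr/local/bin/ssh-audit-wrapper alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER alice@smartcard
command="/usr/local/bin/ssh-audit-wrapper bob",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER bob@smartcard'

# Where audit records go (assumed location; override via the environment).
AUDIT_LOG="${AUDIT_LOG:-/tmp/ssh-role-audit.log}"

# Commands a role-account key may run; everything else is refused.
is_allowed_command() {
    case "$1" in
        "rsync --server "*|"/usr/local/bin/deploy"|"/usr/local/bin/deploy "*) return 0 ;;
        *) return 1 ;;
    esac
}

# ssh_audit_wrapper OWNER
# sshd sets SSH_ORIGINAL_COMMAND when a forced command is in effect and
# SSH_CLIENT to "addr port serverport". Append one audit line per login
# attempt, then succeed only for an allowed command.
ssh_audit_wrapper() {
    owner="$1"
    requested="${SSH_ORIGINAL_COMMAND:-<interactive shell>}"
    client="${SSH_CLIENT%% *}"
    printf '%s role=%s owner=%s from=%s cmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$owner" \
        "${client:-unknown}" "$requested" >> "$AUDIT_LOG"
    if is_allowed_command "$requested"; then
        return 0
    fi
    printf 'command not permitted for key owner %s\n' "$owner" >&2
    return 1
}

# keys_missing_forced_command FILE_CONTENT
# Policy check for a role account's authorized_keys: prints how many key
# entries lack a forced command, i.e. logins that would leave no audit record.
keys_missing_forced_command() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
        | grep -vc 'command="' || true
}

# When installed under the assumed wrapper path, sshd invokes this file with
# the owner name as its argument; after the check, run the original command.
if [ "${0##*/}" = "ssh-audit-wrapper" ]; then
    ssh_audit_wrapper "$1" || exit 1
    exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"
fi
```

Because the forced command replaces whatever the client asked for, an interactive shell never reaches the role account through these keys; anything the wrapper refuses is still logged, which is what makes the record useful when reviewing 50+ servers.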


SSH: passwords or keys?

Posted Jan 14, 2010 11:54 UTC (Thu) by marcH (subscriber, #57642)

Out of curiosity: why don't you completely disable remote root login and force all root wannabes to first go through a regular user login? This gives some auditing in a very simple way.

SSH: passwords or keys?

Posted Jan 14, 2010 13:09 UTC (Thu) by iq-0 (subscriber, #36655)

Because 90% of our servers are heavy-weight appliances and only consist of
role accounts. We don't want to sync our personnel file with all instances.
And 'su' from a role account to another role account is not really sensible.

And now people who have enough privileges can directly copy files from/to
the server or trigger mass updates across all machines (which is trickier
to do if you want to do that via a regular user account).

Currently we only have to update the authorized_keys file of the role
accounts, and in the case of separate role accounts we'd probably need some
sort of password verification for the su/sudo behaviour, which is now done
through the smartcard key-based login.

Copyright © 2013, Eklektix, Inc.