Monday 26 July 2010

Centralised Management of OpenSSH keys

I love OpenSSH. It's a wonderfully versatile way of securing logins and data in transit between systems. One bugbear of mine is how difficult it becomes to manage authentication keys. I've posted about this in the long distant past (the Internet has a long memory) and the subject just won't die, at least not in my mind. So why does this still bug me?

In truth, little has changed over the years in the way SSH keys are handled. Keys are managed in userland, with each user able to add keys that are trusted for authentication to their own account. This is all well and good until the web of trust between host accounts, keys and key owners becomes unmanageable. Who owns or possesses each of the keys in the authorized_keys files, for every user on every host? Are the private keys well protected?

One solution might be to centralise SSH key management and move it into a more strictly controlled environment. I imagine it working something like traditional Unix account management: a file where, unlike the Unix shadow file, more than one authentication token can be linked to an account. This file is owned by root, and special tools (like passwd) must be used so that less privileged users can update and maintain the list of keys linked to their own account. This would allow SSH keys to be managed and audited from a single location.

There are other benefits to be gained from this type of key management. Rules could be added to enforce the storage of additional metadata along with each key, such as who owns it, and an expiry date to limit the lifetime of a key. Maybe I should dust off my C++ textbooks and take a look at the OpenSSH source...
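To make the idea concrete, here is an added example of what the root-owned central registry and its lookup might look like. This is illustrative code written for this post, not anything from OpenSSH: the registry line format, the field names (account, owner, expiry), the accepted key types and the sample entries are all assumptions made for the example, and the key blobs are constructed with real SSH wire framing but made-up payloads, so they are not usable keys. The lookup prints only the unexpired, well-formed keys for one account; later OpenSSH releases added an AuthorizedKeysCommand option that lets sshd take its keys from exactly this kind of external lookup instead of each user's own authorized_keys file.

```python
"""Toy central SSH key registry and per-account lookup (example code, not OpenSSH's).

Registry line format (whitespace separated, '#' starts a comment):
    <account> <owner> <expiry: YYYY-MM-DD | never> <key-type> <base64-blob> [comment...]
The file is meant to be root-owned; users never edit it directly.
"""
from __future__ import annotations

import base64
import struct
from datetime import date

# Key types this registry accepts (an assumed policy for the example).
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def constructed_blob(key_type: str, payload: bytes) -> str:
    """Build a base64 blob with genuine SSH framing around a made-up payload.
    Only used to construct sample registry data; the result is not a real key."""
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(payload)).decode()


def blob_type(blob_b64: str) -> str | None:
    """Return the key type string embedded at the start of a blob, or None if it
    does not decode. Real OpenSSH blobs carry the type this way too."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        if n > len(raw) - 4:
            return None
        return raw[4:4 + n].decode("ascii")
    except (ValueError, struct.error, UnicodeDecodeError):
        return None


def parse_registry(text: str) -> tuple[list[dict], list[str]]:
    """Parse registry text into (accepted entries, rejection reasons).
    Every field is validated so a malformed line never reaches sshd."""
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 5:
            rejected.append(f"line {lineno}: too few fields")
            continue
        account, owner, expiry, key_type, blob = parts[:5]
        comment = parts[5] if len(parts) == 6 else ""
        if key_type not in ALLOWED_TYPES:
            rejected.append(f"line {lineno}: key type {key_type!r} not allowed")
            continue
        if blob_type(blob) != key_type:
            rejected.append(f"line {lineno}: blob does not match declared type")
            continue
        if expiry == "never":
            expires = None
        else:
            try:
                expires = date.fromisoformat(expiry)
            except ValueError:
                rejected.append(f"line {lineno}: bad expiry {expiry!r}")
                continue
        entries.append(dict(account=account, owner=owner, expires=expires,
                            key_type=key_type, blob=blob, comment=comment))
    return entries, rejected


def authorized_keys_for(account: str, entries: list[dict], today: date) -> list[str]:
    """Emit authorized_keys lines for one account, dropping expired keys.
    The owner travels in the comment field so each line is self-describing."""
    lines = []
    for e in entries:
        if e["account"] != account:
            continue
        if e["expires"] is not None and e["expires"] < today:
            continue
        lines.append(f'{e["key_type"]} {e["blob"]} owner={e["owner"]}')
    return lines


# Constructed sample data: made-up accounts, owners and key payloads.
ALICE_KEY = constructed_blob("ssh-ed25519", b"alice-laptop-0001")
ALICE_OLD = constructed_blob("ssh-rsa", b"alice-old-0002")
BOB_KEY = constructed_blob("ssh-ed25519", b"bob-desktop-0003")
MISLABELLED = constructed_blob("ssh-rsa", b"mislabelled")  # declared as ed25519 below

SAMPLE_REGISTRY = f"""\
# account  owner              expires     key
alice      alice@example.org  never       ssh-ed25519 {ALICE_KEY} alice laptop
alice      alice@example.org  2010-06-30  ssh-rsa {ALICE_OLD} alice old key
bob        bob@example.org    2011-01-01  ssh-ed25519 {BOB_KEY}
bob        bob@example.org    never       ssh-ed25519 {MISLABELLED}
carol      carol@example.org  never       ssh-dss {BOB_KEY}
"""

if __name__ == "__main__":
    accepted, problems = parse_registry(SAMPLE_REGISTRY)
    for p in problems:
        print("rejected:", p)
    for line in authorized_keys_for("alice", accepted, date(2010, 7, 26)):
        print(line)
```

Run with an account name and a date to see what sshd would be handed; the rejected-line list is the audit trail a central registry makes possible, since a mislabelled or disallowed key is refused at the source rather than quietly ignored on one host.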