Post AWFMu7ZTWkfQQ0LEye by ferricoxide@mastodon.social
Post #AWFMnrUmNqMsp5A0n2 by nixCraft@mastodon.social
       2023-05-29T05:27:26Z
       
       0 likes, 2 repeats
       
       Poll: The most common way I've seen for SSH access to #Linux or #Unix servers (please boost for reach. TIA):
       
Post #AWFMnsIlO0LnK6XvhQ by mynacol@ipv6.social
       2023-05-29T09:27:12Z
       
       1 likes, 0 repeats
       
       @nixCraft SSH keypair, saved in a TPM where possible. I recommend https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/SSH.md for setup instructions.
       
Post #AWFMsFD89VrtX6zl2m by kravietz@agora.echelon.pl
       2023-06-01T12:06:50.097118Z
       
       0 likes, 0 repeats
       
       @nixCraft SSH in FIDO2 hardware keys does work pretty well already.
       
Post #AWFMu5yDTnGlS9tyGO by alex_02@infosec.exchange
       2023-05-29T05:29:08Z
       
       0 likes, 0 repeats
       
       @nixCraft If you aren't using certs for publicly accessible ssh servers... you are doing it wrong.
       
Post #AWFMu6jidBGbpU7uIy by ramin_hal9001@emacs.ch
       2023-05-29T05:44:14Z
       
       0 likes, 0 repeats
       
       @alex_02 @nixCraft I'm not gonna lie, it never occurred to me to use certificates. I mean, don't you need to create your own CA and install it onto all of your machines, unless you want to go through the trouble of getting it signed by Let's Encrypt? And it is just so easy to do ssh-copy-id, especially if you only need to network like 3 or 4 machines together.
       
Post #AWFMu7ZTWkfQQ0LEye by ferricoxide@mastodon.social
       2023-05-29T15:12:42Z
       
       0 likes, 0 repeats
       
       @ramin_hal9001 @alex_02 @nixCraft Problem with copying keys about - especially in a large-scale environment - is the "how do you make sure <EX_EMPLOYEE>'s keys are all removed everywhere".
       
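The "are all of this person's keys gone from every host" question above is, at bottom, an audit: collect each host's authorized_keys, compute the OpenSSH-style SHA256 fingerprint of every key, and compare against what the central system knows. The script below is an added example written for this thread, not code from any of the posters; the host names, user names, key bytes and the "central inventory" are all constructed inline (the 32-byte Ed25519 key material is just SHA-256 output, not real keys). It also flags keys the central system never issued, which is the "rogue" case that comes up later in the thread.

```python
"""Audit authorized_keys files gathered from many hosts for keys that belong
to offboarded users, and for keys the central system never issued.
All sample data below is constructed for this example."""
import base64
import hashlib
import struct

# Key types OpenSSH accepts in authorized_keys; a line's key starts at the
# first token matching one of these (options such as from="..." may precede it).
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob),
    i.e. the same value `ssh-keygen -lf` prints for the key."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (fingerprint, comment) for each key line; blanks and '#' comments
    are skipped. Leading options are tolerated by scanning for the first
    known key-type token rather than assuming the key is the first field."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                yield fingerprint(tokens[i + 1]), " ".join(tokens[i + 2:])
                break


def ed25519_blob(pubkey: bytes) -> str:
    """Encode 32 bytes as an OpenSSH ssh-ed25519 public-key blob (two
    length-prefixed strings: the type name, then the raw key)."""
    assert len(pubkey) == 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pubkey
    return base64.b64encode(blob).decode()


def audit(hosts: dict, inventory: dict, offboarded: set) -> list:
    """hosts: {hostname: authorized_keys text}; inventory: {fingerprint: owner}
    as recorded by the central system; offboarded: usernames that have left.
    Returns a sorted list of (host, fingerprint, owner_or_None, finding)."""
    findings = []
    for host, text in hosts.items():
        for fp, _comment in parse_authorized_keys(text):
            owner = inventory.get(fp)
            if owner is None:
                findings.append((host, fp, None, "unmanaged key (not issued by central system)"))
            elif owner in offboarded:
                findings.append((host, fp, owner, "stale key: owner offboarded"))
    return sorted(findings)


# Constructed sample data: fake key bytes derived from a label, not real keys.
ALICE = ed25519_blob(hashlib.sha256(b"constructed-alice").digest())
BOB = ed25519_blob(hashlib.sha256(b"constructed-bob").digest())
ROGUE = ed25519_blob(hashlib.sha256(b"constructed-rogue").digest())

INVENTORY = {fingerprint(ALICE): "alice", fingerprint(BOB): "bob"}
OFFBOARDED = {"bob"}  # bob has left; his key should be gone everywhere

HOSTS = {
    "web-01": f"ssh-ed25519 {ALICE} alice@laptop\nssh-ed25519 {BOB} bob@laptop\n",
    "db-01": (
        "# managed by config tool\n"
        f'from="10.0.0.0/8",no-pty ssh-ed25519 {ALICE} alice\n'
        f"ssh-ed25519 {ROGUE} root@unknown\n"
    ),
    "bastion": f"ssh-ed25519 {ALICE} alice@laptop\n",
}


def run_audit() -> list:
    """Run the audit over the constructed fleet."""
    return audit(HOSTS, INVENTORY, OFFBOARDED)


if __name__ == "__main__":
    for host, fp, owner, finding in run_audit():
        print(f"{host}: {fp} ({owner or '?'}) -> {finding}")
```

In a real fleet the `HOSTS` dict would be filled by whatever already pulls files off every box (config management, an agent, a scheduled scp), and the inventory would come from the same directory that issues keys; the point is that the comparison is by fingerprint, so a key copied around under a different comment still matches.
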
Post #AWFMu8d3av7thP1cCO by fuzzysteve@mastodon.social
       2023-06-01T10:22:26Z
       
       0 likes, 0 repeats
       
       @ferricoxide @ramin_hal9001 @alex_02 @nixCraft By pushing the keys via your centralized authentication system? So they don't exist on the box themselves, and the centralized account is also removed? Of course, then you also need something which is going to be checking every server to make sure no rogue accounts have been created.
       
Post #AWFMu9G3FwJneLGkym by ferricoxide@mastodon.social
       2023-06-01T10:35:33Z
       
       1 likes, 0 repeats
       
       @fuzzysteve @ramin_hal9001 @alex_02 @nixCraft Yes. In general, offloading to a third-party key-auth mechanism is going to avoid the "stale keys" problem. Similarly, a combination of configuring SSH to ignore locally-staged keys, configuring sudo and/or SELinux to prevent random users from creating local accounts and having good monitoring/alerting in place goes a long way towards solving the "rogue accounts" problem.
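
"Configuring SSH to ignore locally-staged keys" maps onto a handful of sshd_config keywords: AuthorizedKeysCommand (plus the mandatory AuthorizedKeysCommandUser) to fetch keys from the central system, AuthorizedKeysFile none so a key dropped into ~/.ssh/authorized_keys grants nothing, and, for the certificate route raised earlier in the thread, TrustedUserCAKeys with a RevokedKeys KRL. The checker below is an added example written for this thread, not code from the posters or from OpenSSH; the two config texts are constructed, and the command path /usr/local/bin/central-authkeys and the CA/KRL paths are assumptions for the illustration, not defaults of anything.

```python
"""Review an sshd_config for whether key lookup is centralized and locally
staged keys are ignored. Config texts are constructed for this example;
the AuthorizedKeysCommand path and CA/KRL paths are assumed, not real defaults."""


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lower: value} for the global section only.
    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored here too; everything from the first 'Match' line on is
    conditional and is skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def review(text: str) -> list:
    """Return a list of findings (empty means the settings discussed in the
    thread are all in place)."""
    conf = parse_sshd_config(text)
    issues = []
    central = "authorizedkeyscommand" in conf
    ca = "trustedusercakeys" in conf
    if not central and not ca:
        issues.append("no AuthorizedKeysCommand or TrustedUserCAKeys: "
                      "removing a key means editing every host")
    # OpenSSH's default when the keyword is absent
    files = conf.get("authorizedkeysfile", ".ssh/authorized_keys .ssh/authorized_keys2")
    if (central or ca) and files.lower() != "none":
        issues.append(f"AuthorizedKeysFile is '{files}': locally staged keys still grant access")
    if central and "authorizedkeyscommanduser" not in conf:
        issues.append("AuthorizedKeysCommand without AuthorizedKeysCommandUser: sshd will not start")
    if ca and "revokedkeys" not in conf:
        issues.append("TrustedUserCAKeys without RevokedKeys: no KRL to pull a cert before it expires")
    if conf.get("passwordauthentication", "yes").lower() != "no":
        issues.append("PasswordAuthentication not disabled")
    return issues


# Constructed: the ssh-copy-id style setup, everything left at defaults.
WEAK = """
PubkeyAuthentication yes
"""

# Constructed: keys come from a central service, local files are ignored,
# and an SSH user CA with a KRL is trusted as well. Paths are assumed.
HARDENED = """
PubkeyAuthentication yes
PasswordAuthentication no
AuthorizedKeysCommand /usr/local/bin/central-authkeys %u %f
AuthorizedKeysCommandUser nobody
AuthorizedKeysFile none
TrustedUserCAKeys /etc/ssh/user_ca.pub
RevokedKeys /etc/ssh/revoked_keys
Match User deploy
    AuthorizedKeysFile none
"""

# Constructed: central lookup configured, but the local file was left enabled.
HALFWAY = """
PasswordAuthentication no
AuthorizedKeysCommand /usr/local/bin/central-authkeys %u
AuthorizedKeysCommandUser nobody
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("halfway", HALFWAY), ("hardened", HARDENED)):
        print(name, review(text) or ["ok"])
```

The HALFWAY case is the one worth remembering: pointing sshd at the central service does not by itself stop a key pasted into a home directory from working, which is why the post above pairs the central mechanism with ignoring locally staged keys.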