SSH: Best practices

284 点作者 cujanovic超过 9 年前

22 条评论

The article didn't make mention multiplexing and MaxSessions defaults in OpenSSH. The default is 10 which means you auth once, and all subsequent logins are without auth and without syslog entries. If you manage secure systems and have 2FA, this allows bypassing 2FA and logging.All I have to do is trick your folks into testing a ruby / python / perl / bash script for me that will drop a key on your machine, fire up ssh using that key and tunnel back to my host. Now I have full control of your secure (banking, government, eCommerce) environment, completely bypassing 2 factor authentication. Just one link to one of your email distros and up to 10% of your folks will run it.Combine this with sudo credential caching and now I have root on all of your systems without having to bother finding vulns.Thx to Prandium for the demo of this simple social engineering exploit.

评论 #11054785 未加载

评论 #11053817 未加载

hackercomplex超过 9 年前

Developer laptop compromise is probably the biggest security risk that any startup company faces, because the developer laptop is an uncontrolled environment with a lot of "attack surface" which may have been previously compromised.In my view there are emerging best practices in this area. There are two ways to reduce this risk and both are controversial:1. Force developers to only develop software using an SSH terminal (by first connecting to a developer VPN via 2FA and then sshing into their secure development environment where may use tools like tmux, vi, and their programming language of choice to get the job done). In this scheme copying source codes or security credentials to a developer laptop is considered a violation and becomes a fireable offense no questions asked.2. Require all developers to run a private USB-bootable linux desktop shell which is known to be clean. In this case they remain free to utilize modern desktop editors and code emulators (such as android simulator). It's even possible to setup secure persistence in these environments so that the developer's browser configuration, network/vpn config, dotfiles, apt installs, etc are stored on an encrypted filesystem on USB device. The reason why a USB image is preferred is because it's annoying to ask a new employee to repartiation her personal harddrive.My suspicion is that as more of the tools developers need to rely on are cloud-based: (example: github, cloud9, jenkins, etc) we will eventually see these modern best practices against client-side attacks being adopted more broadly. The quality and reliability of hot-bootable ultra secure cloud operating systems has gone thru the roof over the past couple of years and I assume this trend will only accellerate due to the fact that Google Chrome OS continues to penerate more of the market and consumers are getting used to it.TLDR: ssh keys existing on developer harddrives is an info-sec anti-pattern, they should only ever exist in system memory or in an encrypted partition on a USB stick.

评论 #11056527 未加载

评论 #11056159 未加载

评论 #11056163 未加载

评论 #11056418 未加载

heinrichhartman超过 9 年前

Cached version <a href="https://webcache.googleusercontent.com/search?q=cache:BZ3ZeqaqyLAJ:https://blog.0xbadc0de.be/archives/300+&cd=1&hl=de&ct=clnk&gl=de" rel="nofollow">https://webcache.googleusercontent.com/search?q=cache:BZ3Zeq...</a>

评论 #11053130 未加载

jsn超过 9 年前

The part about gateway hosts says:<pre><code> > Host B > ProxyCommand ssh -W B:22 A </code></pre> That could be improved:<pre><code> > Host B > ProxyCommand ssh -W %h:%p A </code></pre> Then you can use wildcards for B ("Host 10.11.12.*"), and use custom ports ("ssh -p 2222 10.11.12.13").

评论 #11063174 未加载

r0muald超过 9 年前

I thought using per-service SSH keys was an useful mitigation against e.g. GitHub public keys being exposed:- <a href="https://blog.benjojo.co.uk/post/auditing-github-users-keys" rel="nofollow">https://blog.benjojo.co.uk/post/auditing-github-users-keys</a>- <a href="http://arstechnica.com/security/2015/06/assume-your-github-account-is-hacked-users-with-weak-crypto-keys-told/" rel="nofollow">http://arstechnica.com/security/2015/06/assume-your-github-a...</a>- <a href="https://news.ycombinator.com/item?id=9645703" rel="nofollow">https://news.ycombinator.com/item?id=9645703</a>

评论 #11053245 未加载

noondip超过 9 年前

Here's a brief guide for setting up SSH with YubiKey as a smartcard which complements this article nicely - <a href="https://github.com/drduh/YubiKey-Guide" rel="nofollow">https://github.com/drduh/YubiKey-Guide</a>

评论 #11055073 未加载

评论 #11055902 未加载

eeZi超过 9 年前

Good advice, except the "remove all system passwords" part. Do not do this. It's a really bad idea. There are occasions where you do need to authenticate using a password, most importantly on the local console - what if your server lost network access?And that sudo workaround is bad since it requires agent key forwarding, which you shouldn't use for the reasons the author himself noted a few paragraphs up.

bisby超过 9 年前

Weird, where I work we're not allowed to use key auth. They claim it's for PCI since they can't enforce that the keys are passworded/encrypted.

评论 #11055863 未加载

评论 #11055003 未加载

评论 #11055011 未加载

评论 #11063190 未加载

评论 #11057846 未加载

评论 #11054931 未加载

akerro超过 9 年前

I bookmarked something similar: <a href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" rel="nofollow">https://stribika.github.io/2015/01/04/secure-secure-shell.ht...</a>

评论 #11053986 未加载

rphlx超过 9 年前

Also, move sshd to a random & rarely-used TCP port. Won't help much against a skilled & determined targeted attack, however the "security through obscurity" is not entirely worthless. Using something other than 22 is quite effective at avoiding spray-n-pray scans and exploits.For extra credit, set up port knocking.

评论 #11056334 未加载

STRML超过 9 年前

SSH's new AuthenticationMethods directive is extremely useful for pairing SSH keys with a password and/or 2FA. You should absolutely use keys everywhere, and encourage your users to encrypt their keys, but enforcing a password as well ensures that logins are "something you have" (the SSH key) and "something you know" (the password) as a sort of 2FA.As a cherry on top you can put the password in LDAP or RADIUS server and hook up traditional 2FA (Google Auth, Yubikey, Email, SMS) for that legendary 3FA (ah... "something (else) you have"). Sounds hokey, but defense is best in depth.

评论 #11053770 未加载

rodionos超过 9 年前

Org question. We use a shared key and a shared account to manage our servers. When someone leaves the team we have to regenerate the key for the account. I'm sure it's not recommended, so what's a good way to manage ssh access in a team setting? I'd like avoid sharing the key so that access can be revoked from user without regenerating the key for everyone?

评论 #11054915 未加载

评论 #11055161 未加载

评论 #11054976 未加载

评论 #11055224 未加载

tbe超过 9 年前

> f=$(mktemp) && ssh-keyscan korell > $f && ssh-keygen -l -f $f && rm $f> Unfortunately ssh-keygen does not support input from stdin, so this example is slightly more complicated than it should.Any shell that supports process substitution can fix this for you with something like;ssh-keygen -l -f <(ssh-keyscan korell)

mfontani超过 9 年前

How about <a href="https://github.com/ccontavalli/ssh-ident" rel="nofollow">https://github.com/ccontavalli/ssh-ident</a> ? Is that still a "best practice", since the author doesn't mention it in this blog entry?

评论 #11054951 未加载

sapereaude超过 9 年前

Great post!BTW, you can also now use hardware devices (like TREZOR and KeepKey) to perform "ssh-agent" functionality in hardware, with minimal setup work.Blog post: <a href="https://medium.com/@satoshilabs/trezor-firmware-1-3-4-enables-ssh-login-86a622d7e609" rel="nofollow">https://medium.com/@satoshilabs/trezor-firmware-1-3-4-enable...</a>Source code: <a href="https://github.com/romanz/trezor-agent" rel="nofollow">https://github.com/romanz/trezor-agent</a> (the README has several demo screencasts).

antoniomika超过 9 年前

I remember reading about a tool Instagram used for SSH management, but that might not be a "best practice". (<a href="http://instagram-engineering.tumblr.com/post/11399488246/simplifying-ec2-ssh-connections" rel="nofollow">http://instagram-engineering.tumblr.com/post/11399488246/sim...</a>)

balgan超过 9 年前

And yet we still see things like <a href="https://blog.binaryedge.io/2015/11/10/ssh/" rel="nofollow">https://blog.binaryedge.io/2015/11/10/ssh/</a>

gdamjan1超过 9 年前

It would be a cool to have a `forward agent connection once` option to ssh. when I know I'd have to `git pull` once on the server but don't need the agent forwarding after that.

carlisle_超过 9 年前

>Do not SSH cross-serverThis doesn't make sense. You can safely setup SSH agent forwarding to ssh from server to server without storing your ssh private key anywhere but your local host.

评论 #11054712 未加载

RRRA超过 9 年前

Has anyone used ProxyCommand to chain through 2 or more gateways and has a config example to show?

评论 #11055512 未加载

评论 #11065710 未加载

hobarrera超过 9 年前

What amazes me about these articles is that they keep recommending NOT to use password-based logins for SSH: Why are people still using that?

评论 #11065721 未加载

n1000超过 9 年前

Still a big fan of the BetterCrypto guide: <a href="https://bettercrypto.org/" rel="nofollow">https://bettercrypto.org/</a>

评论 #11053676 未加载