[NZLUG] Key Management Service

Jim Cheetham jim at gonzul.net
Tue Jul 19 16:45:13 NZST 2016


Wouldn't standard system configuration marshalling software help you
to do that OK? Salt, Ansible, Puppet etc?

The workflow (TTL, revocation, etc) would be something you'd have to
specify yourself, but these tools would do all the work on the remote
systems. I haven't heard of anything in the standard open space that
does that though. Unless monkeysphere would work?

Salt specifically has a very mature non-ssh protocol (0MQ-based) for
instructing machines, which removes the inception-like nature of
trying to install and manage ssh keys over ssh itself. I currently use
salt as my only initial remote management option of a base OS install,
as I don't have a way to get to the console to gather the initial ssh
key fingerprints. When the salt minion comes up, it creates its own
pub/priv key pair, and calls out to the salt master. If I'm expecting
a new host I can approve the connect request more easily than I can
use TOFU-SSH to reach back out to it, I think (that's a risk
assessment decision, not an absolute one). Once the salt master is
connected, I dump sshd, delete the /etc/ssh/ssh_host_* files, and
restart sshd to get new ones from a 'better' entropy pool, because the
initial state of a brand-new install isn't that great.

This remote management method also means that private keys are being
generated on the remote host itself, and not centrally handled. Never
store more information than you need to!

Back in Enterprise space, there are products that manage things; we
like the look of CyberArk's Vault,
http://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/

This is a complete MITM for your connectivity - users auth to the
vault, and it uses rapidly-expiring credentials to do onward
connectivity, with full audit and session recording if you want.
There's no reason that "Joe the Engineer" even knows what username
he'll be using on the remote system, if he doesn't need to (well,
until he gets there!)

That product will handle ssh transparently, as well as RDP and a few others.

-jim
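
The host-key rotation step described in the message above, as an added example that is not part of the original post. The function names and the ROOT prefix argument are assumptions for illustration, and it relies on OpenSSH's `ssh-keygen -A` with its `-f` prefix option.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the ROOT
# prefix argument are assumptions made for illustration.
# Scratch tree:       mkdir -p /tmp/hk/etc/ssh && rotate_host_keys /tmp/hk
# Live host (root):   rotate_host_keys ""

# Print the SHA256 fingerprint of every public host key under ROOT/etc/ssh.
host_key_fingerprints() {
    for pub in "$1"/etc/ssh/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue          # glob matched nothing
        ssh-keygen -l -E sha256 -f "$pub" | awk '{print $2}'
    done | sort
}

# Delete the install-time host keys, generate fresh ones, and refuse to
# report success if any old fingerprint is still present afterwards.
rotate_host_keys() {
    root=$1
    before=$(host_key_fingerprints "$root")
    rm -f "$root"/etc/ssh/ssh_host_*
    if [ -n "$root" ]; then
        ssh-keygen -A -f "$root" >/dev/null   # keys land in ROOT/etc/ssh
    else
        ssh-keygen -A >/dev/null
    fi
    after=$(host_key_fingerprints "$root")
    [ -n "$after" ] || { echo "no host keys generated" >&2; return 1; }
    for fp in $before; do
        if printf '%s\n' "$after" | grep -qxF -- "$fp"; then
            echo "host key $fp survived rotation" >&2
            return 1
        fi
    done
    # Live system only; the unit is "ssh" on Debian/Ubuntu (assumption: systemd).
    [ -n "$root" ] || systemctl restart sshd
    printf '%s\n' "$after"
}
```

The fingerprints it prints can be collected over the management channel and compared when first connecting with ssh, rather than accepting the key on first use.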

