Best practices inquiry: tracking SSH host keys
Shumon Huque
shuque at isc.upenn.edu
Sun Jul 9 18:47:13 UTC 2006
On Thu, Jul 06, 2006 at 04:52:52PM -0400, Steven M. Bellovin wrote:
>
> SSH is a distributed single point of failure, just like the old thick
> yellow Ethernet. Remember how reliable and easy to debug that was?
>
> More seriously, the original virtue of SSH was that it could be deployed
> without centralized infrastructure. That's great for many purposes; it's
> exactly what you don't want if you're an ISP managing a lot of servers and
> network elements. You really do want a PKI, complete with CRLs. I know
> that (most) SSH implementations don't do that -- complain to your vendor.
> (Note: the CAs are also single points of failure. However, they can be
> kept offline or nearly so, booted from a FooLive CD that logs to a
> multi-session CD or via a write-only network port through a tight
> firewall, etc. Yes, you have to worry about procedures, physical access,
> and people, but you *always* have to worry about those.
>
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
The problem is how do you ensure that you've distributed the most
current CRLs to all your SSH clients. You might need to deploy
a redundant highly available set of OCSP responders. Which means
that at least a part of your centralized infrastructure is now
online and inline :-) Admittedly not the part that necessarily
needs access to the CA's private key, so not terrible from a
security paranoia point of view.
We already have a deployed key management infrastructure at our
site (Kerberos). If it were (practically) possible to authenticate
login sessions to routers with it, we'd definitely use it. I can't
see us deploying a PKI just to authenticate SSH host keys.
There is the general chicken-and-egg concern about using network
based authentication services to access critical network hardware.
But I think many (most?) of us have other means to access routers
during catastrophic failures or unavailability of the former. We
have an out of band ethernet connected to the router consoles, which
can be dialed into (needs authentication with a hardware token).
--Shumon.
More information about the NANOG
mailing list