Security and latency
SSH
An issue with the above solutions using 802.1x, IPsec, and so forth is that they'll generally need root access, and 802.1x can be tricky to manage remotely. SSH is a great way to connect disparate systems (everything supports it by default), especially at the user level. For example, simply using public/private key pairs, you can easily configure a program on one system to connect to another system and run a program, connect to a socket, or use some other form of communication channel. The downside of SSH is key management, and rotation can be tricky unless, of course, you use OpenSSH certificates [3].
OpenSSH Certificates
Traditional SSH relies simply on simple public/private key pairs. When you connect to a server, the public key is sent to you and you are asked whether you want to trust it. If this is the first time you're connecting to that server and you don't have some way to verify the key fingerprint, you really have no idea whether it is legitimate or not. In OpenSSH 5.4, support for a simple homegrown certificate protocol was added (for some reason, they wanted to avoid the complexity of X.509 certificates, and I tend to agree with them). Deployment and configuration are simple: You create a trusted signing key and then use it to sign host keys and user keys:
# ssh-keygen -f ssh_signing_key # ssh-keygen -h -s ssh_signing_key -I someid -V +365d -n hostname,hostname.example.org /etc/ssh/ssh_host_dsa_key.pub
You'll want the key signature to expire at some point (a year is good), and you'll need to specify the hostname and any aliases allowed for that host. The preceding command will drop the signed key into /etc/ssh/ssh_host_dsa_key-cert.pub
. To handle remote systems, you'll need to copy the key to your signing server, sign it, and then upload the signed copy to the original server and configure sshd_config
to use it:
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
Users will also need a copy of the public signing key so they can verify signatures made using the private signing key. The key itself needs to be in a text file with a @cert-authority
statement to let it know that it is the public part of a certificate-signing key pair:
@cert-authority * ssh-rsa [public key here]
You can then distribute that file manually and tell users to use the -oUserKnownHostsFile
command-line option; or, you can deploy it on all your systems in /etc/ssh
and use a GlobalKnownHostsFile
directive to point at the file so that all clients by default on that system trust the signing key. In future, new connections to any system with a signed public key will just work, so there will be no need to distribute the host keys manually and all that entails.
Kerberos and SSL Certificates
If you're not afraid of complexity, Kerberos and traditional SSL certificates can also work. However, you'll need to kerberize your services and clients or set everything up to handle SSL connections. Kerberos is especially well suited for large-scale deployments because it not only authenticates the client to the server but also the server to the client. Additionally, Kerberos uses several levels of tickets so that, ultimately, "service tickets" are used to connect to a service – such a ticket offers an attacker only minimal access at best.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
KDE Plasma 5.27 Beta is Ready for Testing
The latest beta iteration of the KDE Plasma desktop is now available and includes some important additions and fixes.
-
Netrunner OS 23 Is Now Available
The latest version of this Linux distribution is now based on Debian Bullseye and is ready for installation and finally hits the KDE 5.20 branch of the desktop.
-
New Linux Distribution Built for Gamers
With a Gnome desktop that offers different layouts and a custom kernel, PikaOS is a great option for gamers of all types.
-
System76 Beefs Up Popular Pangolin Laptop
The darling of open-source-powered laptops and desktops will soon drop a new AMD Ryzen 7-powered version of their popular Pangolin laptop.
-
Nobara Project Is a Modified Version of Fedora with User-Friendly Fixes
If you're looking for a version of Fedora that includes third-party and proprietary packages, look no further than the Nobara Project.
-
Gnome 44 Now Has a Release Date
Gnome 44 will be officially released on March 22, 2023.
-
Nitrux 2.6 Available with Kernel 6.1 and a Major Change
The developers of Nitrux have officially released version 2.6 of their Linux distribution with plenty of new features to excite users.
-
Vanilla OS Initial Release Is Now Available
A stock GNOME experience with on-demand immutability finally sees its first production release.
-
Critical Linux Vulnerability Found to Impact SMB Servers
A Linux vulnerability with a CVSS score of 10 has been found to affect SMB servers and can lead to remote code execution.
-
Linux Mint 21.1 Now Available with Plenty of Look and Feel Changes
Vera has arrived and although it is still using kernel 5.15, there are plenty of improvements sure to please everyone.