OpenSSH key signing service?
David Newall
openssh at davidnewall.com
Mon Dec 25 16:54:48 AEDT 2017
On 25/12/17 00:11, John Devitofranceschi wrote:
> Besides ssh.com’s PrivX product, has anyone created a web service that can be used to issue temporary certkeys to authenticated users?
>
> Any pointers appreciated!
I expect that what I'm about to say is exactly what you're not
interested in hearing, but I think it's something that should be said
nonetheless.
The benefit of a central authority issuing a key so that a user can
authenticate himself or herself with it is dubious at best.
First, it's backwards. The principle of user authentication is that
users should be free to choose their own password with which to secure
their access, and that these passwords should be secrets known only to
the individual users. This is one reason why passwords are not stored.
A public/private key pair is an alternative form of password, but,
still, users should be free to generate their own keys, which they use
to say, "this is me." If a central authority generates the keys, then
they are effectively saying, "this is you." It's just backwards.
Second, it is more easily compromised. Here's why: the act of
generating a public and private key pair is approximately as secure
whether a user generates them or a central authority generates them, and
the act of transmitting half of the pair can be approximately as secure
whether one or the other is transmitted. But, that's not to say that transmitting
the key is without risk. Somebody could intercept the transmission and
take a copy of the key. If it's a public key then nothing of great
value has been obtained. If it's a private key then the veracity of
authentication is completely compromised. The public key should be sent
from user to server; the private key must not be sent from server to user.
Third, it doesn't scale. If every SSH server generated keys (or had
them generated on their user's behalf), then every user would need as
many keys as SSH servers that they used. That's an n-squared growth of
keys. If users generate their own keys, they can use the same private
key for all servers, if that's what they want. That's a linear growth
of keys (grows by number of users, not number of servers.)
Fourth, it's putting faith in a demonstrably untrustworthy party. I'm
not saying that PrivX, to use your example, cannot be trusted; I'm
saying that no central authority can be trusted. So many have been
compromised that the only rational assumption is that none can be
trusted. Each user has his or her own security standard, and I'm
willing to accept that a central authority is less likely to be
compromised than a single user, but compromising a central authority
breaks the security of all of its users, not just of a single user.
For these reasons I advise against using a web service to create the keys
that users can and should create for themselves. There is nothing that
I can see such a service offering that is of any real value, and there
is much damage that can be wreaked by them.
The particular question was about temporary keys. A key is only useful
if the public half is registered. If you want it to be temporary,
schedule a job to remove it after the requisite time. How? "man cron".
I apologise if my comments seem needlessly dismal or sermon-like. I
imagine the question was based on a notion that users are capable of
using SSH but not capable of generating their own keys. I reject that
notion. Users learn how to drive motor vehicles, and that's much harder
than generating SSH keys. Don't pander to mere laziness.
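As an added example, not code from the post above nor from OpenSSH or PrivX, here is the cron-based approach the reply suggests, written as a POSIX shell script. The user generates the key pair themselves (ssh-keygen -t ed25519) and hands over only the public half; add_temp_key appends it to authorized_keys with an "expires=<unix epoch>" tag in the comment field, and prune_expired, meant to be run from cron, deletes entries whose tag has passed. The tag convention, the function names, the script path and the crontab schedule in the comments are all assumptions of this example; sshd ignores the comment field, so the tag is not an OpenSSH option and does not change how the key is accepted.

```shell
#!/bin/sh
# Added example, not code from the post above nor from OpenSSH or PrivX.
# Registers a user-generated public key in authorized_keys with an
# "expires=<unix epoch>" tag in the comment field (a convention of this
# example; sshd ignores the comment, and it is not an OpenSSH option), and
# prunes expired entries. Intended to be run from cron, e.g. (assumed path):
#   */5 * * * * /usr/local/sbin/tempkeys.sh prune /home/alice/.ssh/authorized_keys

# add_temp_key AUTHORIZED_KEYS PUBKEY_FILE EXPIRY_EPOCH
# Accepts only the public half (a "<type> <base64> ..." line). A private key
# file starts with "-----BEGIN" and is rejected by the key-type check, so a
# user who sends the wrong half by mistake gets an error, not an entry.
add_temp_key() {
    ak=$1; pub=$2; exp=$3
    case "$exp" in
        ''|*[!0-9]*) echo "expiry must be a unix epoch: '$exp'" >&2; return 1 ;;
    esac
    line=$(head -n 1 "$pub") || return 1
    # Word-splitting the key line into its fields is intended here.
    set -- $line
    ktype=$1; blob=$2
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) echo "not a supported public key line: $pub" >&2; return 1 ;;
    esac
    [ -n "$blob" ] || { echo "missing key material: $pub" >&2; return 1; }
    # The user's own comment is replaced by the expiry tag.
    printf '%s %s expires=%s\n' "$ktype" "$blob" "$exp" >> "$ak"
}

# prune_expired AUTHORIZED_KEYS NOW_EPOCH
# Rewrites the file in place, dropping any entry whose expires= tag is <= NOW.
# Untagged (permanent) entries and comment lines are kept unchanged.
prune_expired() {
    ak=$1; now=$2
    tmp=$(mktemp) || return 1
    awk -v now="$now" '
        {
            keep = 1
            for (i = 1; i <= NF; i++)
                if ($i ~ /^expires=[0-9]+$/) {
                    split($i, kv, "=")
                    if (kv[2] + 0 <= now + 0) keep = 0
                }
            if (keep) print
        }' "$ak" > "$tmp" && cat "$tmp" > "$ak"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# count_keys AUTHORIZED_KEYS: number of active (non-comment, non-blank) entries.
count_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Entry point: "tempkeys.sh prune FILE" (from cron) or
# "tempkeys.sh add FILE PUBKEY EPOCH" (registration). With no arguments the
# script only defines the functions, e.g. when sourced.
case "${1:-}" in
    prune) prune_expired "$2" "$(date +%s)" ;;
    add)   add_temp_key "$2" "$3" "$4" ;;
esac
```

Rewriting through a temporary file and cat rather than mv keeps the inode, owner and mode of authorized_keys, which matters because sshd's StrictModes check refuses the file if its permissions are wrong. The tag goes in the comment field deliberately: an unrecognised option before the key type would make sshd reject the whole line.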