Saturday, March 22, 2014

How To: Manage Digital RSA keys for SSH

Each organization needs to answer a few questions about digital key creation and expiration. Does the client create the key pair? Do all private keys have a passphrase, and if so, what is the minimum length? Do the keys expire? What key types are allowed or accepted? A private key file can be copied and then cracked offline, so all of these are worth considering. In the IT world it is important to stay abreast of security and ahead of new vulnerabilities.

A passphrase with too few (or too easily guessed) characters, spaces included, will not hold up against an offline attack on a copied key file. Changing the passphrase on one copy of a private key does not change it on any other copy. In other words, updating the passphrase on the "official" private key does not ripple out to the other copies that may exist.

You will also need to decide on key strength.

Right now there is no serious reason to prefer RSA over ECDSA, assuming large enough keys (at least 2048 bits for RSA, 256 bits for ECDSA; 4096-bit RSA is a common choice). DSA is the exception: OpenSSH's ssh-keygen only produces 1024-bit DSA keys, so they cannot meet a 2048-bit policy and are best avoided. OpenSSH 6.5 also added Ed25519 keys, which have a fixed size. You specify the key size in ssh-keygen with the -b argument; for ECDSA, -b selects the curve (256, 384 or 521).

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa

The -f flag names the output file (without it, ssh-keygen does not accept the path as an argument). ssh-keygen will prompt for a passphrase; set one, since an unprotected key file is usable by anyone who copies it.

A remaining question is how your organization will associate each key pair with a specific user. Will one private key be used to access all of the infrastructure? Will there be a separate key for each system? How many keys are allowed to access each account? What kinds of accounts may be shared? These organization-specific details are best mapped out with a security professional.
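The key strength and the per-account key count questions above can both be answered from a server's authorized_keys files. The following audit script is an added example for this post, not code from the original author. It decodes each public key's wire format directly (the RFC 4251 string/mpint encoding), so it needs no ssh-keygen binary, and flags DSA keys, RSA keys below an assumed 2048-bit policy minimum, lines whose declared type disagrees with the blob, and corrupt entries. The sample file and every key in it are constructed dummies: the RSA moduli and DSA primes are just numbers of the right bit length, not real keys.

```python
"""Audit an OpenSSH authorized_keys file for weak key types and sizes."""
import base64
import re
import struct

MIN_RSA_BITS = 2048  # assumed policy minimum, taken from the post's "large enough" size

# Key type, base64 blob, then an optional comment; options such as command="..."
# may precede the key type, which is why the match is anchored on whitespace.
KEY_LINE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-dss|ecdsa-sha2-nistp(?:256|384|521)|ssh-ed25519)"
    r"\s+([A-Za-z0-9+/]+=*)(?=\s|$)"
)


def _ssh_string(data):
    """Encode bytes as an SSH 'string' (RFC 4251): 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    """Encode a non-negative int as an SSH 'mpint' (RFC 4251), sign bit kept clear."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob, offset):
    """Decode one SSH 'string' at offset; returns (data, next_offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if len(blob) < start + length:
        raise ValueError("truncated blob")
    return blob[start:start + length], start + length


def key_strength(blob):
    """Return (key_type, bits) for a decoded public key blob.

    Bits is the modulus size for RSA, the size of p for DSA, the curve size
    for ECDSA and 256 for Ed25519. Raises ValueError on malformed input.
    """
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode("ascii", "replace")
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent, not needed here
        n, _ = _read_string(blob, off)      # modulus
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)      # prime p; ssh-keygen only makes 1024-bit ones
        return ktype, int.from_bytes(p, "big").bit_length()
    if ktype.startswith("ecdsa-sha2-nistp"):
        return ktype, int(ktype[len("ecdsa-sha2-nistp"):])
    if ktype == "ssh-ed25519":
        return ktype, 256
    return ktype, 0


def audit_authorized_keys(text):
    """Classify every key line. Returns (line_no, declared_type, bits, verdict,
    comment) tuples; verdict is 'ok', 'weak-dsa', 'weak-rsa', 'type-mismatch'
    or 'corrupt'. The list length is the number of keys granting access."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.search(line)
        if not m:
            findings.append((line_no, "?", 0, "corrupt", line[:40]))
            continue
        declared, comment = m.group(1), line[m.end():].strip()
        try:
            blob = base64.b64decode(m.group(2), validate=True)
            ktype, bits = key_strength(blob)
        except ValueError:                  # bad base64 or truncated wire format
            findings.append((line_no, declared, 0, "corrupt", comment))
            continue
        if ktype != declared:
            verdict = "type-mismatch"       # header and blob disagree
        elif ktype == "ssh-dss":
            verdict = "weak-dsa"            # DSA keys are capped at 1024 bits
        elif ktype == "ssh-rsa" and bits < MIN_RSA_BITS:
            verdict = "weak-rsa"
        else:
            verdict = "ok"
        findings.append((line_no, declared, bits, verdict, comment))
    return findings


# --- constructed sample data (dummy keys, not usable for authentication) ---
def _dummy_rsa_blob(modulus_bits):
    n = (1 << (modulus_bits - 1)) | 1       # right bit length, not a real modulus
    return _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)


def _dummy_dss_blob():
    p, q = (1 << 1023) | 1, (1 << 159) | 1  # dummy 1024-bit p, 160-bit q
    return _ssh_string(b"ssh-dss") + _mpint(p) + _mpint(q) + _mpint(2) + _mpint(3)


def _dummy_ed25519_blob():
    return _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))


def _b64(blob):
    return base64.b64encode(blob).decode("ascii")


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file; none of these keys can authenticate",
    "ssh-rsa %s alice@laptop" % _b64(_dummy_rsa_blob(4096)),
    'command="/usr/bin/rsync --server" ssh-rsa %s backup@old-box' % _b64(_dummy_rsa_blob(1024)),
    "ssh-dss %s legacy@2009" % _b64(_dummy_dss_blob()),
    "ssh-ed25519 %s bob@desk" % _b64(_dummy_ed25519_blob()),
    "ssh-rsa %s mislabelled" % _b64(_dummy_dss_blob()),
    "ssh-rsa AAAAB3NzaC1yc2EA truncated",
])

if __name__ == "__main__":
    for line_no, ktype, bits, verdict, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print("line %d: %-12s %5d bits  %-14s %s" % (line_no, ktype, bits, verdict, comment))
```

To audit a real account, read its ~/.ssh/authorized_keys into audit_authorized_keys; the number of tuples returned is the number of keys that can log in as that account, and anything other than 'ok' is a key to rotate or remove. The same decoder works on the public halves in ~/.ssh/*.pub if you want to check the keys your users are generating.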