
Solved: SSH Security vs. Automation

Are you still ignoring the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" messages? Do you use "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" to make SSH connections? How can you trust SSH host keys in an environment where you install 10 new servers every day, and where a server lives less than a day on average?

Many how-tos and articles talk about SSH security but fail to put it into the context of managing large data centers or cloud environments with a high degree of automation. This talk covers the SSH security features and shows advanced usage scenarios such as:

* How to differentiate between human-to-machine and machine-to-machine communication, and how to optimize SSH for each
* Best practices for establishing trust relationships between servers or user accounts
* When to use host-based authentication instead of user keys
* When you can use SSHFP to publish SSH host key fingerprints in DNS, and when it won't work
* Several ways to centrally manage the /etc/ssh/ssh_known_hosts file, as suggested by the SSH man page
* Introduction to using the SSH PKI with CA certificates (a new feature in OpenSSH 5.4) to simplify host key management in large environments
* When it is better not to use SSH but rsh or other remote execution tools

A special focus is on automated environments and the different strategies for handling new servers or frequent reinstallations of existing servers.

See also Embedding SSH Key in SSH URL (http://blog.schlomo.schapiro.org/2017/05/embedding-ssh-key-in-ssh-url.html), Automated OpenSSH Configuration Tests (http://blog.schlomo.schapiro.org/2014/04/automated-openssh-configuration-tests.html), and SSH with Personal Environment (http://blog.schlomo.schapiro.org/2014/02/ssh-with-personal-environment.html).

Schlomo Schapiro

Agile IT & Open Source Enthusiast

Berlin, Germany
