Saturday, May 25, 2013
SSH Security vs. Automation
by Marco Woitschitzky (ImmobilienScout24)
Saturday, 25.05.2013, London I, 14:45-15:15
Are you still ignoring the WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! messages? Do you use “ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null” to make SSH connections? How can you trust SSH keys in an environment where you install 10 new servers every day?
Many How-Tos and articles talk about SSH security but fail to put it into the context of managing large data centers with a high degree of automation. Based upon recent research into these topics, this talk walks through the relevant SSH security features and shows advanced usage scenarios such as:
How to differentiate between human-machine and machine-machine communication and how to optimize SSH for each.
Best practice for establishing trust relationships between servers or user accounts.
When to use host-based authentication instead of user keys.
When you can use SSHFP to put SSH host key fingerprints into DNS and when it won't work.
Several ways to centrally manage the /etc/ssh/ssh_known_hosts file as suggested by the SSH man page
Introduction to using SSH certificates signed by a CA key (new feature in OpenSSH 5.4) to simplify host key management in large environments.
When it is better to not use SSH but rsh or other remote execution tools.
A special focus is on automated environments and on the different strategies for handling new servers or frequent reinstallations of existing servers.
About the author Marco Woitschitzky:
Marco Woitschitzky works as a system engineer for ImmobilienScout24, Germany's leading real estate marketplace. There he develops low-maintenance solutions based on open source software and automation in an agile-minded team.
For him free software and open standards are not only a tool box but a way to ensure openness, flexibility and reliability. To extend these three values from technical environments to social habits he uses methods like Scrum and Kanban.
Further interests cover hardware related topics like power efficiency and performance.
Before working for IS24, he spent a year in Ireland working for Intel and Emutex as a Network Software Engineer.