I-D Action: draft-ylonen-sshkeybcp-01.txt

internet-drafts@ietf.org Thu, 04 April 2013 02:04 UTC

From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Subject: I-D Action: draft-ylonen-sshkeybcp-01.txt
Message-ID: <20130404020439.15181.23222.idtracker@ietfa.amsl.com>
Date: Wed, 03 Apr 2013 19:04:39 -0700

A New Internet-Draft is available from the on-line Internet-Drafts directories.


	Title           : Managing SSH Keys for Automated Access - Current Recommended Practice
	Author(s)       : Tatu Ylonen
	                  Greg Kent
	Filename        : draft-ylonen-sshkeybcp-01.txt
	Pages           : 58
	Date            : 2013-04-03

Abstract:
   This document presents current recommended practice for managing SSH
   user keys for automated access.  It provides guidelines for
   discovering, remediating, and continuously managing SSH user keys and
   other authentication credentials.

   Various threats from poorly managed SSH keys are identified,
   including virus spread, unaudited backdoors, illegitimate access
   using leaked keys, lack of proper termination of access, use of
   legitimate access for unintended purposes, and accidental human
   errors.

   Hundreds of thousands, even over a million, SSH keys authorizing
   access have been found in the IT environments of many large
   organizations.  This is many times the number of interactive users
   they have.  These access-granting credentials have largely been
   ignored in identity and access management, and present a real risk
   to information security.

   A process is presented for discovering who has access to what,
   bringing an existing IT environment under control with respect to
   automated access and SSH keys.  The process includes moving
   authorized keys to protected locations, removing unused keys,
   associating authorized keys with a business process or application
   and removing keys for which no valid purpose can be found, rotating
   existing keys, restricting what can be done with each authorized key,
   and establishing an approval process for new authorized keys.  A
   process is also presented for continuous monitoring and controlled
   authorized key setup.

   Finally, recommendations are made for security policy makers for
   ensuring that automated access and SSH keys are properly addressed in
   an organization's security policy.

   Specific requirements are presented that address the security issues
   while keeping costs reasonable.

   Guidance is also provided on how to reduce operational cost while
   addressing the threats and how to use tools to automate the
   management process.
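The discovery and restriction steps in the abstract (find who has access to what, tie each authorized key to a purpose, restrict what each key can do, spot keys with no owner) as an added example; this is not code from the draft or the announcement. It is a small Python inventory that parses authorized_keys entries (options field, key type, base64 blob, comment), fingerprints each key the way ssh-keygen -lf prints it, flags entries that carry none of the from=, command= or restrict options, and reports one key trusted under several accounts. The key blobs, account names and sample files are constructed; the four policy checks are this example's own choices, not normative requirements of the draft.

```python
"""Inventory of authorized_keys entries: parse each line, fingerprint the key and flag
keys lacking the restrictions the draft recommends. Added example, not the draft's
code; the key blobs and sample files below are constructed, not real keys."""
import base64
import hashlib
import re
from collections import namedtuple

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
NO_FORWARDING = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")
# A quoted option value: "..." with \" allowed inside.
QUOTED = r'"(?:[^"\\]|\\.)*"'
OPTION_TOKEN = re.compile(rf'(?:[^,"]|{QUOTED})+')       # options split at unquoted commas
OPTIONS_FIELD = re.compile(rf'(?:[^\s"]|{QUOTED})*')      # options field ends at unquoted space

AuthorizedKey = namedtuple("AuthorizedKey", "key_type fingerprint comment options")

def parse_options(text):
    """Split 'a,b="x,y",c' into {'a': True, 'b': 'x,y', 'c': True}; \\" in a value is a literal quote."""
    options = {}
    for tok in OPTION_TOKEN.findall(text):
        name, sep, value = tok.partition("=")
        if sep and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        options[name.lower()] = value if sep else True
    return options

def parse_line(line):
    """Parse one authorized_keys line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if line.split(None, 1)[0] not in KEY_TYPES:       # line starts with an options field
        end = OPTIONS_FIELD.match(line).end()
        options, line = parse_options(line[:end]), line[end:].lstrip()
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys line: {line[:40]!r}")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    n = int.from_bytes(blob[:4], "big")                # wire format: first string is the type
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match the declared type")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return AuthorizedKey(key_type, "SHA256:" + digest, parts[2] if len(parts) == 3 else "", options)

def findings(entry):
    """Policy problems with one key: what an automated-access key should carry but does not."""
    problems = []
    if "from" not in entry.options:
        problems.append("no from= source restriction")
    if "command" not in entry.options:
        problems.append("no command= forced command")
    if "restrict" not in entry.options and not all(f in entry.options for f in NO_FORWARDING):
        problems.append("pty/forwarding not disabled")
    if not entry.comment:
        problems.append("no comment tying the key to an owner or application")
    return problems

def inventory(files):
    """files: {account: authorized_keys text}. Returns (entries, shared): entries is a list of
    (account, AuthorizedKey, problems); shared maps a fingerprint to the accounts trusting it,
    for keys found under more than one account (one private key opens several accounts)."""
    entries, seen = [], {}
    for account, text in files.items():
        for line in text.splitlines():
            entry = parse_line(line)
            if entry is not None:
                entries.append((account, entry, findings(entry)))
                seen.setdefault(entry.fingerprint, []).append(account)
    return entries, {fp: accts for fp, accts in seen.items() if len(accts) > 1}

def _fake_ed25519(seed):
    """Constructed ssh-ed25519 public key blob in SSH wire format (not a real key)."""
    pub = bytes((seed * 7 + i) % 256 for i in range(32))
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + pub).decode()

# Constructed sample: one well-restricted backup key, one bare key trusted by two accounts.
SAMPLE_FILES = {
    "backup": f'from="10.0.0.5",command="/usr/local/bin/backup-pull",restrict '
              f'ssh-ed25519 {_fake_ed25519(1)} backup-job@app1\n',
    "root": f'ssh-ed25519 {_fake_ed25519(2)}\n# old entry, owner unknown\n',
    "deploy": f'ssh-ed25519 {_fake_ed25519(2)} deploy@ci\n',
}

if __name__ == "__main__":
    entries, shared = inventory(SAMPLE_FILES)
    for account, entry, problems in entries:
        print(f"{account:8} {entry.fingerprint}  {'; '.join(problems) or 'OK'}")
    for fp, accounts in shared.items():
        print(f"shared key {fp} trusted by: {', '.join(accounts)}")
```

On a real host the input would be each account's ~/.ssh/authorized_keys plus whatever paths sshd_config's AuthorizedKeysFile names; the "protected location" step in the abstract corresponds to pointing that directive at a root-owned directory such as AuthorizedKeysFile /etc/ssh/authorized_keys/%u so that users cannot add keys themselves. The restrict option needs OpenSSH 7.2 or later, which is why the check also accepts the older no-* flags. The regex tokenizer silently skips an unbalanced quote rather than rejecting the line, which sshd itself would refuse; a production scanner should treat such lines as findings too.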


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ylonen-sshkeybcp

There's also an htmlized version available at:
http://tools.ietf.org/html/draft-ylonen-sshkeybcp-01

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ylonen-sshkeybcp-01


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/