[OPS-AREA] SSH Key Management for Automated access

Tatu Ylonen <tyl@ssh.com> Wed, 10 April 2013 08:59 UTC

From: Tatu Ylonen <tyl@ssh.com>
Date: Sat, 06 Apr 2013 16:54:18 +0300
Message-Id: <C4D77D49-E8F0-47E0-9C7C-79BDD18E9DED@ssh.com>
To: ops-area@ietf.org
Subject: [OPS-AREA] SSH Key Management for Automated access
List-Id: OPS Area e-mail list <ops-area.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/ops-area>

A new draft "SSH Key Management for Automated Access - Current Recommended Practice" has been published on managing SSH keys.  The topic has been discussed in SAAG in the last two IETF meetings, and we also had a side meeting on the topic in Orlando.  I'm sending this to ops-area because the topic relates to operations and management more than to technical details on security (though admittedly more to general management of IT systems, especially Unix/Linux environments, than to management of routers or networks; but SSH is also very widely used for managing routers and telecommunications networks).

The draft can be found at https://tools.ietf.org/html/draft-ylonen-sshkeybcp-01

The draft is relevant for anyone interested in SSH user key management and, more generally, identity and access management for automated access and/or based on the SSH protocol.  We have found hundreds of thousands to millions of SSH authorized keys in the IT environments of many large enterprises (many times more than they have interactive users), and bringing key-based access under control is very important.  The draft outlines the risks with unmanaged key-based access and presents a process for remediating the situation in an existing environment and implementing an ongoing process for monitoring and managing key-based access (and other automated access).

I am hoping the draft will evolve into a BCP (Best Current Practice) standard on managing SSH user keys in organizations.  The draft is mostly about process and policy, not technical protocols, as SSH user key management is really an identity and access management issue and the problems involve policy, process, and auditing related to controlling access to information systems in an organization, especially with regards to automated machine-to-machine access.

A mailing list sshmgmt@ietf.org has been created for discussion about the draft (and other issues related to managing SSH).  Please send comments on the draft to the list.  To subscribe (or unsubscribe), go to: https://www.ietf.org/mailman/listinfo/sshmgmt

Regards,

Tatu Ylonen
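The remediation process the announcement describes starts from an inventory of the authorized keys that already exist, and the first questions an auditor asks of each entry are "which key is this, where else is it trusted, and is it restricted to a source address or a forced command?". The script below is an added example of that inventory step; it is not code from the draft, from the ops-area list, or from ssh.com. It assumes the authorized_keys files have already been collected centrally (a dictionary keyed by host and path stands in for that collection), parses each entry according to the format sshd(8) documents (optional comma-separated options, key type, base64 blob, comment), computes the OpenSSH-style SHA256 fingerprint, and flags entries with no `from=` restriction, no `command=` forced command, or a key that is trusted in more than one place. The host names, paths, account names and the key blobs in the sample are constructed (the blobs have valid framing but are not real keys).

```python
"""Inventory and risk-flag authorized_keys entries across hosts (added example, not the draft's code)."""
import base64
import hashlib
from collections import defaultdict, namedtuple

# Key types sshd accepts at the start of a key on an authorized_keys line.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

Entry = namedtuple("Entry", "keytype fingerprint options comment")


def _split_quoted(s, seps):
    """Split s on any char in seps that lies outside double quotes; backslash escapes are honoured."""
    parts, cur, inq, esc = [], [], False, False
    for ch in s:
        if esc:
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == '"':
            inq = not inq
        elif ch in seps and not inq:
            if cur:
                parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a wire-format public key blob (base64, padding stripped)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_line(line):
    """Parse one authorized_keys line; None for blank/comment lines, ValueError if malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split_quoted(line, " \t")
    options = []
    if fields[0] not in KEY_TYPES:          # leading options such as from="..." or command="..."
        options = _split_quoted(fields.pop(0), ",")
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("malformed entry: %r" % line)
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with an SSH string naming the key type; it must agree with the text form.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type mismatch: %r" % line)
    return Entry(keytype, fingerprint(blob), options, " ".join(fields[2:]))


def has_option(entry, name):
    """True if the entry carries the option, bare (e.g. no-pty) or with a value (e.g. from=...)."""
    return any(o == name or o.startswith(name + "=") for o in entry.options)


def audit(files):
    """files: {'host:/path/authorized_keys': text}. Returns one finding dict per key, in file order."""
    entries = []
    for path, text in files.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            entry = parse_line(raw)
            if entry:
                entries.append((path, lineno, entry))
    where = defaultdict(list)               # fingerprint -> every place that key is trusted
    for path, _, entry in entries:
        where[entry.fingerprint].append(path)
    findings = []
    for path, lineno, entry in entries:
        issues = []
        if not has_option(entry, "from"):
            issues.append("no from= source restriction")
        if not has_option(entry, "command"):
            issues.append("no command= forced command")
        if len(where[entry.fingerprint]) > 1:
            issues.append("same key trusted in %d entries" % len(where[entry.fingerprint]))
        findings.append({"path": path, "line": lineno, "type": entry.keytype,
                         "fingerprint": entry.fingerprint, "comment": entry.comment, "issues": issues})
    return findings


def _sample_pubkey(keytype, seed):
    """Constructed key text with valid framing for the sample below; NOT a real or usable key."""
    ssh_string = lambda b: len(b).to_bytes(4, "big") + b
    filler = hashlib.sha256(seed.encode()).digest()
    if keytype == "ssh-rsa":
        blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(filler * 8)
    else:
        blob = ssh_string(keytype.encode()) + ssh_string(filler)
    return keytype + " " + base64.b64encode(blob).decode()


# Constructed inventory of two hosts; in practice this is what a central collection job gathers.
SAMPLE_FILES = {
    "app01:/home/deploy/.ssh/authorized_keys": "\n".join([
        "# constructed sample",
        'command="/usr/local/bin/rsync-only",from="10.0.5.0/24",no-pty '
        + _sample_pubkey("ssh-ed25519", "backup") + " backup@ops",
        _sample_pubkey("ssh-rsa", "jenkins") + " jenkins@ci01",
    ]),
    "db01:/root/.ssh/authorized_keys": "\n".join([
        _sample_pubkey("ssh-rsa", "jenkins") + " jenkins@ci01",   # same key, now trusted as root
        'from="192.0.2.10" ' + _sample_pubkey("ssh-ed25519", "dba") + " dba@laptop",
    ]),
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print("%(path)s:%(line)d %(type)s %(fingerprint)s %(comment)s -> %(issues)s" % f)
```

The fingerprint is the join key for the rest of the process: the same fingerprint found under several accounts means one private key (wherever it lives) grants all of that access, which is exactly the kind of unmanaged trust the draft is about. The checks here are deliberately minimal; a real inventory would also record the key's owner and purpose, and the absence of `from=` or `command=` is a finding to review, not automatically a defect, since some automated access legitimately needs neither.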