[saag] SSH user key management - new draft and mailing list

Tatu Ylonen <tyl@ssh.com> Wed, 10 April 2013 08:49 UTC

Return-Path: <tyl@ssh.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6A4621F891D for <saag@ietfa.amsl.com>; Wed, 10 Apr 2013 01:49:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.796
X-Spam-Level: **
X-Spam-Status: No, score=2.796 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, RCVD_IN_SORBS_WEB=0.619, RDNS_DYNAMIC=0.1, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 45N2NVIBIprB for <saag@ietfa.amsl.com>; Wed, 10 Apr 2013 01:49:27 -0700 (PDT)
Received: from ip-194-137-52-209.ssh.com (ip-194-137-52-209.ssh.com [194.137.52.209]) by ietfa.amsl.com (Postfix) with ESMTP id 3E08721F888C for <saag@ietf.org>; Wed, 10 Apr 2013 01:49:27 -0700 (PDT)
Received: from [192.168.43.158] (ma92836d0.tmodns.net [208.54.40.169]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by allman.clausal.com (Postfix) with ESMTPSA id 8A42A780171 for <saag@ietf.org>; Sat, 6 Apr 2013 16:55:05 +0300 (EEST)
From: Tatu Ylonen <tyl@ssh.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Sat, 06 Apr 2013 16:45:12 +0300
Message-Id: <C9EF51A9-241D-4C7F-A428-A1AA03C18DC0@ssh.com>
To: saag@ietf.org
Mime-Version: 1.0 (Apple Message framework v1283)
X-Mailer: Apple Mail (2.1283)
X-Mailman-Approved-At: Wed, 10 Apr 2013 08:02:48 -0700
Subject: [saag] SSH user key management - new draft and mailing list
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2013 08:49:27 -0000

A new draft "SSH Key Management for Automated Access - Current Recommended Practice" is now available at https://tools.ietf.org/html/draft-ylonen-sshkeybcp-01

The draft is relevant for anyone interested in SSH user key management and more generally identity and access management.  We have found hundreds of thousands to millions of SSH authorized keys from the IT environments of many large enterprises (many times more than they have interactive users), and bringing key-based access under control is very important.  The draft outlines the risks with unmanaged key-based access and presents a process for remediating the situation in an existing environment and implementing an ongoing process for monitoring and managing key-based access (and other automated passwordless access).
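The first step of the remediation process the announcement refers to is an inventory: finding every authorized key, who it grants access to, and whether it carries any restrictions. The script below is an added illustration written for this archive page, not code from the draft or from the author; it parses authorized_keys files in the OpenSSH format (optional comma-separated options, key type, base64 key blob, comment), computes the OpenSSH-style SHA256 fingerprint, and reports keys that have no `from=` or `command=` restriction and keys that are authorised on more than one account. The account names and key blobs are constructed sample data (the blobs are not real public keys, only valid base64), and the finding categories are the author's own choice of what to flag first.

```python
"""Inventory SSH authorized_keys entries and flag unrestricted or shared keys."""
import base64
import hashlib
import re
from dataclasses import dataclass

# Key types OpenSSH accepts in authorized_keys (regular and FIDO/security-key variants).
KEY_TYPE_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
    r"|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$"
)


@dataclass
class AuthorizedKey:
    account: str      # local account whose authorized_keys holds the entry
    key_type: str
    fingerprint: str  # "SHA256:<base64 without padding>", as ssh-keygen -l prints it
    comment: str
    options: dict     # option name -> value, or True for bare flags such as no-pty


def _first_token(line):
    """Return (first whitespace-delimited token, remainder), honouring double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def _split_options(text):
    """Split the options field on commas that are outside quoted values."""
    items, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        items.append("".join(cur))
    options = {}
    for item in items:
        name, _, value = item.partition("=")
        options[name] = value.strip('"') if value else True
    return options


def parse_line(account, line):
    """Parse one authorized_keys line; return None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    first, rest = _first_token(line)
    if not KEY_TYPE_RE.match(first):
        # Not a key type, so the first field is the options list.
        options = _split_options(first)
        first, rest = _first_token(rest)
        if not KEY_TYPE_RE.match(first):
            raise ValueError(f"unrecognised key type {first!r} for {account}")
    parts = rest.split(None, 1)
    if not parts:
        raise ValueError(f"missing key data for {account}")
    raw = base64.b64decode(parts[0], validate=True)
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    comment = parts[1].strip() if len(parts) > 1 else ""
    return AuthorizedKey(account, first, "SHA256:" + digest, comment, options)


def inventory(files):
    """files maps account name -> authorized_keys text. Returns (keys, findings).

    Each finding is (account, fingerprint, reason) with reason one of
    'unrestricted', 'no from= restriction', 'shared'.
    """
    keys = []
    for account, text in files.items():
        for line in text.splitlines():
            parsed = parse_line(account, line)
            if parsed:
                keys.append(parsed)
    findings, by_fingerprint = [], {}
    for k in keys:
        has_from, has_cmd = "from" in k.options, "command" in k.options
        if not has_from and not has_cmd:
            findings.append((k.account, k.fingerprint, "unrestricted"))
        elif not has_from:
            findings.append((k.account, k.fingerprint, "no from= restriction"))
        by_fingerprint.setdefault(k.fingerprint, set()).add(k.account)
    for fp, accounts in by_fingerprint.items():
        if len(accounts) > 1:
            findings.append((",".join(sorted(accounts)), fp, "shared"))
    return keys, findings


# Constructed sample data: the blobs are valid base64 but not real public keys.
BLOB_A = base64.b64encode(b"constructed key material A").decode()
BLOB_B = base64.b64encode(b"constructed key material B").decode()
BLOB_C = base64.b64encode(b"constructed key material C").decode()
SAMPLE_FILES = {
    "root": "\n".join([
        "# constructed sample file",
        f'from="10.0.0.0/8",command="/usr/local/bin/backup" ssh-rsa {BLOB_A} backup@jobhost',
        f"ssh-ed25519 {BLOB_B} alice@laptop",
    ]),
    "deploy": "\n".join([
        f"ssh-ed25519 {BLOB_B} alice@laptop",
        f'no-pty,command="/opt/deploy/run" ssh-rsa {BLOB_C} ci@builder',
    ]),
}

if __name__ == "__main__":
    found_keys, found_issues = inventory(SAMPLE_FILES)
    print(f"{len(found_keys)} keys inventoried")
    for account, fp, reason in found_issues:
        print(f"{reason:22} {account:14} {fp}")
```

Running the script over real hosts means collecting each account's authorized_keys file (and any AuthorizedKeysFile paths set in sshd_config) and feeding the contents in as the `files` mapping; the fingerprints let the same key be correlated across hosts, which is what turns a per-host listing into the organisation-wide view the draft argues for.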

I am hoping the draft will evolve into a BCP (Best Current Practice) standard on managing SSH user keys in organizations.  The draft is mostly about process and policy, not technical protocols, as SSH user key management is really an identity and access management issue and the related problems largely policy, process, and auditing issues related to controlling access to information systems in an organization, especially with regards to automated machine-to-machine access.

A mailing list sshmgmt@ietf.org has been created for discussion about the draft (and other issues related to managing SSH).  Please send comments on the draft to the list.  To subscribe (or unsubscribe), go to: https://www.ietf.org/mailman/listinfo/sshmgmt

Regards,

Tatu Ylonen