[LACNIC/Seguridad] Fwd: [OPS-AREA] SSH Key Management for Automated access

Fernando Gont fgont en si6networks.com
Wed Apr 10 07:23:55 BRT 2013


-------- Original Message --------
From: Tatu Ylonen <tyl en ssh.com>
Date: Sat, 6 Apr 2013 16:54:18 +0300
Message-Id: <C4D77D49-E8F0-47E0-9C7C-79BDD18E9DED en ssh.com>
To: ops-area en ietf.org
Mime-Version: 1.0 (Apple Message framework v1283)
X-Mailer: Apple Mail (2.1283)
X-Mailman-Approved-At: Wed, 10 Apr 2013 02:10:54 -0700
Subject: [OPS-AREA] SSH Key Management for Automated access
X-BeenThere: ops-area en ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OPS Area e-mail list <ops-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ops-area>,
<mailto:ops-area-request en ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ops-area>
List-Post: <mailto:ops-area en ietf.org>
List-Help: <mailto:ops-area-request en ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ops-area>,
<mailto:ops-area-request en ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ops-area-bounces en ietf.org
Errors-To: ops-area-bounces en ietf.org

A new draft "SSH Key Management for Automated Access - Current
Recommended Practice" has been published on managing SSH keys.  The
topic has been discussed in SAAG in the last two IETF meetings, and we
also had a side meeting on the topic in Orlando.  I'm sending this to
ops-area, because the topic relates to operations and management more
than technical details on security (though admittedly more to general
management of IT systems, especially unix/linux environments, than
management of routers or networks, but SSH is also very widely used for
managing routers and telecommunications networks).

The draft can be found at

The draft is relevant for anyone interested in SSH user key management
and more generally identity and access management for automated access
and/or based on the SSH protocol.  We have found hundreds of thousands
to millions of SSH authorized keys from the IT environments of many
large enterprises (many times more than they have interactive users),
and bringing key-based access under control is very important.  The
draft outlines the risks with unmanaged key-based access and presents a
process for remediating the situation in an existing environment and
implementing an ongoing process for monitoring and managing key-based
access (and other automated access).

I am hoping the draft will evolve into a BCP (Best Current Practice)
standard on managing SSH user keys in organizations.  The draft is
mostly about process and policy, not technical protocols, as SSH user
key management is really an identity and access management issue and the
problems involve policy, process, and auditing related to controlling
access to information systems in an organization, especially with
regards to automated machine-to-machine access.

A mailing list sshmgmt en ietf.org has been created for discussion about
the draft (and other issues related to managing SSH).  Please send
comments on the draft to the list.  To subscribe (or unsubscribe), go
to: https://www.ietf.org/mailman/listinfo/sshmgmt


Tatu Ylonen

OPS-AREA mailing list
OPS-AREA en ietf.org

Fernando Gont
e-mail: fernando en gont.com.ar || fgont en si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
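The forwarded announcement describes the draft's aim of bringing key-based automated access under control: inventorying authorized keys, assessing the risk of unmanaged ones, and monitoring them on an ongoing basis. The following is an added illustration of the inventory-and-review step in Python; it is not code from the draft, the IETF list, or the poster. It assumes the authorized_keys contents of each account have already been collected into (host, user, text) tuples (how that collection is done is outside this example), and every key blob in it is constructed placeholder bytes in SSH wire format, not real key material. It parses each entry (options, key type, key, comment), derives the OpenSSH-style SHA256 fingerprint, and flags keys that carry no from= or command= restriction, DSA or short RSA keys, and one key authorised for more than one account.

```python
# Added example: audit collected authorized_keys files for unmanaged access.
# Not from the draft or the post. Sample key blobs below are constructed, not real keys.
import base64
import hashlib
import struct
from collections import defaultdict, namedtuple

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
Finding = namedtuple("Finding", "kind where fingerprint detail")


def _split_quoted(s, is_sep):
    """Split s at separator characters, except inside double quotes
    (options such as command="a b" contain both spaces and commas)."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):          # keep escaped character verbatim
            cur.append(c + s[i + 1]); i += 2; continue
        if c == '"':
            in_quote = not in_quote
            cur.append(c)
        elif is_sep(c) and not in_quote:
            if cur:
                parts.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        parts.append("".join(cur))
    return parts


def parse_line(line):
    """Return (options, key_type, base64_blob, comment), or None for blank/# lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = _split_quoted(line, str.isspace)
    for idx, tok in enumerate(tokens):
        if tok in KEY_TYPES or tok.startswith("sk-"):   # options, if any, precede the key type
            break
    else:
        raise ValueError(f"no recognised key type in line: {line[:40]!r}")
    if idx + 1 >= len(tokens):
        raise ValueError("key type without key data")
    options = _split_quoted("".join(tokens[:idx]), lambda c: c == ",")
    return options, tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_facts(key_type, blob_b64):
    """OpenSSH-style SHA256 fingerprint and, for ssh-rsa, the modulus size in bits."""
    blob = base64.b64decode(blob_b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type field does not match the encoded blob")
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    bits = None
    if key_type == "ssh-rsa":                 # wire layout: string type, mpint e, mpint n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    return fp, bits


def audit(inventory):
    """inventory: iterable of (host, user, authorized_keys_text). Returns a list of Findings."""
    findings, accounts_by_fp = [], defaultdict(set)
    for host, user, text in inventory:
        for lineno, line in enumerate(text.splitlines(), 1):
            parsed = parse_line(line)
            if parsed is None:
                continue
            options, ktype, b64, _comment = parsed
            fp, bits = key_facts(ktype, b64)
            accounts_by_fp[fp].add(f"{host}:{user}")
            where = f"{host}:{user}:{lineno}"
            names = {o.split("=", 1)[0] for o in options}
            if not names & {"from", "command"}:   # usable from anywhere, for any command
                findings.append(Finding("unrestricted", where, fp, "no from= or command= restriction"))
            if ktype == "ssh-dss":
                findings.append(Finding("weak-key", where, fp, "DSA key (disabled by default since OpenSSH 7.0)"))
            elif ktype == "ssh-rsa" and bits < 2048:
                findings.append(Finding("weak-key", where, fp, f"ssh-rsa {bits}-bit modulus"))
    for fp, accts in accounts_by_fp.items():
        if len(accts) > 1:                        # one private key opens several accounts
            findings.append(Finding("shared-key", ",".join(sorted(accts)), fp,
                                    "one key grants access to multiple accounts"))
    return findings


def _fake_blob(key_type, *fields):
    """Constructed key blob in SSH wire format with placeholder bytes; not a real key."""
    return base64.b64encode(b"".join(_ssh_string(f) for f in (key_type.encode(),) + fields)).decode()


ED_A = _fake_blob("ssh-ed25519", bytes(range(32)))
ED_B = _fake_blob("ssh-ed25519", bytes(range(32, 64)))
RSA_1024 = _fake_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 128)  # 1024-bit modulus

SAMPLE_INVENTORY = [  # constructed sample data for two accounts on two hosts
    ("app01", "deploy", "\n".join([
        "# constructed sample, not real keys",
        f'from="10.0.0.5",command="/usr/local/bin/deploy.sh" ssh-ed25519 {ED_A} ci@build',
        f"ssh-ed25519 {ED_B} backup@nas",
    ])),
    ("db01", "root", "\n".join([
        f"ssh-rsa {RSA_1024} legacy-batch",
        f'no-pty,from="10.0.0.5" ssh-ed25519 {ED_A} ci@build',
    ])),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.kind:12} {f.where:28} {f.fingerprint} {f.detail}")
```

Run against the constructed inventory, the audit reports the backup key on app01 and the legacy RSA key on db01 as unrestricted, the RSA key as a 1024-bit modulus, and the CI key as shared between app01:deploy and db01:root. The fingerprint is computed exactly as OpenSSH's `ssh-keygen -l` does (SHA256 over the decoded blob, base64 without padding), so findings can be matched against fingerprints already recorded by other tooling.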

More information about the Seguridad mailing list