I-D Action: draft-ylonen-sshkeybcp-01.txt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



A New Internet-Draft is available from the on-line Internet-Drafts directories.


	Title           : Managing SSH Keys for Automated Access - Current Recommended Practice
	Author(s)       : Tatu Ylonen
                          Greg Kent
	Filename        : draft-ylonen-sshkeybcp-01.txt
	Pages           : 58
	Date            : 2013-04-03

Abstract:
   This document presents current recommended practice for managing SSH
   user keys for automated access.  It provides guidelines for
   discovering, remediating, and continuously managing SSH user keys and
   other authentication credentials.

   Various threats from poorly managed SSH keys are identified,
   including virus spread, unaudited backdoors, illegitimate access
   using leaked keys, lack of proper termination of access, use of
   legitimate access for unintended purposes, and accidental human
   errors.

   Hundreds of thousands, even over a million SSH keys authorizing
   access have been found from the IT environments of many large
   organizations.  This is many times more than they have interactive
   users.  These access-granting credentials have largely been ignored
   in identity and access management, and present a real risk to
   information security.

   A process is presented for discovering who has access to what,
   bringing an existing IT environment under control with respect to
   automated access and SSH keys.  The process includes moving
   authorized keys to protected locations, removing unused keys,
   associating authorized keys with a business process or application
   and removing keys for which no valid purpose can be found, rotating
   existing keys, restricting what can be done with each authorized key,
   and establishing an approval process for new authorized keys.  A
   process is also presented for continuous monitoring and controlled
   authorized key setup.

   Finally, recommendations are made for security policy makers for
   ensuring that automated access and SSH keys are properly addressed in
   an organization's security policy.

   Specific requirements are presented that address the security issues
   while keeping costs reasonable.

   Guidance is also provided on how to reduce operational cost while
   addressing the threats and how to use tools to automate the
   management process.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ylonen-sshkeybcp

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ylonen-sshkeybcp-01

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ylonen-sshkeybcp-01


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt




[Index of Archives]     [IETF]     [IETF Discussion]     [Linux Kernel]

  Powered by Linux