undefined | Better HN

0 pointstptacek7y ago0 comments

It depends on the secret and the degree to which the secret is exposed. SSH creds should get rotated constantly; a one-hour SSH login cred is a significant exposure. But an API secret that is kept in Parameter Store and not exposed to developers doesn't really benefit from rotation every 3 months in proportion to the amount of mechanism required to do that.

0 comments

JoachimSchipper7y ago

What are you assuming about exposure? If a SSH key lives on a well-secured workstation or bastion host (and you ideally don't agent-forward it to insecure hosts), rotating that key once per hour doesn't seem a top priority to me? E.g. a sudo password is (lower-impact, but) more likely to get exposed to compromised hosts?

("Well-secured workstation" is arguably an oxymoron, of course...)

cassianoleal7y ago

Wait, you keep private SSH keys on bastion hosts?

It's much better practice to use the bastion as a proxy to the other hosts. This is easily achieved using the ProxyCommand option of OpenSSH.

No agent forwarding, no secrets kept in random hosts.

JoachimSchipper7y ago

No, keeping SSH keys on bastion hosts was the silliest reasonable thing I could think of.

scrollaway7y ago

Do you know a good guide with standard practices for setting up and securing bastion hosts (preferably on aws)?

1 more reply

jessaustin7y ago

...a one-hour SSH login cred is a significant exposure.

Does this refer to an SSH password or e.g. a 4096-bit RSA key, or possibly something completely different? If this refers to an RSA key then I'm quite confused.

apawloski7y ago

How are you managing your SSH keys to make <1HR rotation feasible?

tptacekOP7y ago

With an SSH CA.

kasey_junk7y ago

Is there one of those you’d recommend?

2 more replies

j / k navigate · click thread line to collapse

0 comments

JoachimSchipper7y ago

("Well-secured workstation" is arguably an oxymoron, of course...)

cassianoleal7y ago

Wait, you keep private SSH keys on bastion hosts?

It's much better practice to use the bastion as a proxy to the other hosts. This is easily achieved using the ProxyCommand option of OpenSSH.

No agent forwarding, no secrets kept in random hosts.

JoachimSchipper7y ago

No, keeping SSH keys on bastion hosts was the silliest reasonable thing I could think of.

scrollaway7y ago

Do you know a good guide with standard practices for setting up and securing bastion hosts (preferably on aws)?

1 more reply

jessaustin7y ago

...a one-hour SSH login cred is a significant exposure.

Does this refer to an SSH password or e.g. a 4096-bit RSA key, or possibly something completely different? If this refers to an RSA key then I'm quite confused.

apawloski7y ago

How are you managing your SSH keys to make <1HR rotation feasible?

tptacekOP7y ago

With an SSH CA.

kasey_junk7y ago

Is there one of those you’d recommend?

2 more replies

j / k navigate · click thread line to collapse