========
SSH Keys
========

Key Submission
==============

Users create their key as documented in :doc:`OpenSSH Usage ` on their own computer. They will give you the public key by attaching it to the OTRS ticket requesting the inclusion of the key for accessing any of our services.

Public keys are structured like this:

.. code-block:: bash

   ssh-ALGORITHM KEY COMMENT

Here is what an example public key looks like (key data shortened to a placeholder):

.. code-block:: bash

   ssh-rsa <base64-encoded key data> daniel.baumann@bfh.ch

Check: Key Algorithm
--------------------

We only accept RSA keys for the time being. Reasoning can be found in :doc:`OpenSSH Best Practice `.

The following command will show the algorithm of a key:

.. code-block:: bash

   ssh-keygen -l -f KEYFILE.pub | awk '{ print $4 }'

If the key is not an RSA key, reject it and let the user submit another one.

Check: Key Length
-----------------

We only accept RSA keys with 4096 bit key length. If the key is shorter, reject the key and ask the user for a new one. If the key is longer but not above 8192 bit, you can accept it as well. Reasoning can be found in :doc:`OpenSSH Best Practice `.

The following command will show the length of a key:

.. code-block:: bash

   ssh-keygen -l -f KEYFILE.pub | awk '{ print $1 }'

If the key length is not between 4096 and 8192 bit, reject it and let the user submit another one.

Check: `DSA-1571-1 `_ Vulnerability
-----------------------------------

Make sure you have the `openssh-client `_, `openssh-blacklist `_, and `openssh-blacklist-extra `_ packages installed.

The following command will show whether the key is affected by DSA-1571-1:

.. code-block:: bash

   ssh-vulnkey -v KEYFILE.pub | awk -F: '{ print $3 }'

If the key is ``Not blacklisted``, the submitted key is ok. If the key is ``COMPROMISED``, reject it and let the user submit another one.

Check: Key Comment
------------------

Last but not least, we want the COMMENT within the public key to be consistent. If the comment isn't the email address (e.g. daniel.baumann@bfh.ch, not bad9@bfh.ch), please fix it with the text editor of your choice.

Key Deployment
==============

git.bfh.ch
----------

.. code-block:: bash

   git clone git@git.bfh.ch:gitolite-admin.git

ssh.bfh.ch
----------

.. code-block:: bash

   git clone git@git.its.bfh.ch:infrastructure/linux/services/ssh.bfh.ch.git
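The submission checks above (algorithm, key length, comment format) can be applied in one pass without calling ``ssh-keygen``, by parsing the ``ssh-ALGORITHM KEY COMMENT`` line directly. The following script is an added example and not part of these pages or of any BFH tooling: it decodes the base64 key blob, reads the SSH wire format (type string, public exponent, modulus), derives the RSA modulus length, and checks the comment against a ``bfh.ch`` address pattern. The function names, the email regex and the 4096/8192 bit bounds used here are assumptions taken from the text above; the DSA-1571-1 blacklist check is not reproduced, since it needs the ``openssh-blacklist`` data and stays with ``ssh-vulnkey``. ``make_test_key`` builds a constructed, syntactically valid key line with a dummy modulus of a chosen size so the checks can be exercised offline; it does not produce a usable key pair.

```python
import base64
import re
import struct

# Assumptions derived from the text: RSA only, 4096..8192 bit, comment is a bfh.ch address.
EMAIL_RE = re.compile(r"^[a-z]+(\.[a-z]+)*@bfh\.ch$")
MIN_BITS = 4096
MAX_BITS = 8192


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def rsa_modulus_bits(blob):
    """Parse an ssh-rsa blob (string "ssh-rsa", mpint e, mpint n) and return the bit length of n."""
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError(f"blob is {keytype.decode(errors='replace')}, not ssh-rsa")
    _e, off = _read_string(blob, off)
    n, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after RSA key")
    # mpint encoding may carry a leading 0x00 byte; int() handles that transparently.
    return int.from_bytes(n, "big").bit_length()


def check_public_key(line):
    """Apply the submission checks to one public key line. Returns (accepted, reason)."""
    parts = line.strip().split(None, 2)
    if len(parts) != 3:
        return False, "expected 'ssh-ALGORITHM KEY COMMENT'"
    algorithm, key_b64, comment = parts
    if algorithm != "ssh-rsa":
        return False, f"algorithm {algorithm} not accepted (RSA only)"
    try:
        blob = base64.b64decode(key_b64, validate=True)  # binascii.Error is a ValueError
        bits = rsa_modulus_bits(blob)                     # also rejects a prefix/blob mismatch
    except ValueError as exc:
        return False, f"malformed key: {exc}"
    if not MIN_BITS <= bits <= MAX_BITS:
        return False, f"key length {bits} bit outside {MIN_BITS}-{MAX_BITS}"
    if not EMAIL_RE.match(comment):
        return False, f"comment {comment!r} is not a bfh.ch email address"
    return True, f"ssh-rsa {bits} bit, comment {comment}"


def make_test_key(bits, comment, keytype=b"ssh-rsa"):
    """CONSTRUCTED test input: a key line whose modulus has exactly `bits` bits.
    The modulus is a dummy number, not a product of primes; it only exercises the parser."""
    e = (65537).to_bytes(3, "big")
    n = (1 << (bits - 1)) | 1
    n_bytes = n.to_bytes((bits + 7) // 8, "big")
    if n_bytes[0] & 0x80:          # mpint rule: prefix 0x00 so the value is not read as negative
        n_bytes = b"\x00" + n_bytes

    def s(b):
        return struct.pack(">I", len(b)) + b

    blob = s(keytype) + s(e) + s(n_bytes)
    return f"{keytype.decode()} {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    for sample in (
        make_test_key(4096, "daniel.baumann@bfh.ch"),
        make_test_key(2048, "daniel.baumann@bfh.ch"),
        make_test_key(4096, "bad9@bfh.ch"),
        "ssh-ed25519 AAAA someone@bfh.ch",
    ):
        print(check_public_key(sample))
```

Reading the modulus length from the blob rather than from ``ssh-keygen -l`` output also catches a line whose ``ssh-rsa`` prefix does not match the key type encoded inside the blob, which the ``awk`` one-liners above would not notice.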