SSH Keys

Key Submission

Users create their key as documented in OpenSSH Usage on their own computer. They will give you the public key by attaching it to the OTRS ticket requesting the inclusion of the key for accessing any of our services.

Public keys are structured like this:

ssh-ALGORITHM KEY COMMENT

Here is what an example public key looks like:

ssh-rsa ... daniel.baumann@bfh.ch

Check: Key Algorithm

We only accept RSA keys for the time being. Reasoning can be found in OpenSSH Best Practice.

The following command will show the algorithm of a key:

ssh-keygen -l -f KEYFILE.pub | awk '{ print $4 }'

If the key is not an RSA key, reject it and let the user submit another one.

Check: Key Length

We only accept RSA keys with a 4096 bit key length. If the key is shorter, reject the key and ask the user for a new one. If the key is longer but not above 8192 bit, you can accept it as well. Reasoning can be found in OpenSSH Best Practice.

The following command will show the length of a key:

ssh-keygen -l -f KEYFILE.pub | awk '{ print $1 }'

If the key length is not between 4096 and 8192 bit, reject it and let the user submit another one.

Check: DSA-1571-1 Vulnerability

Make sure you have openssh-client, openssh-blacklist, and openssh-blacklist-extra packages installed.

The following command will show whether the key is affected by DSA-1571-1:

ssh-vulnkey -v KEYFILE.pub | awk -F: '{ print $3 }'

If the output is "Not blacklisted", the submitted key is ok. If the output is "COMPROMISED", reject it and let the user submit another one.

Check: Key Comment

Last but not least, we want the COMMENT within the public key to be consistent. If the comment isn’t the email address (e.g. daniel.baumann@bfh.ch, not bad9@bfh.ch) please fix it with the text editor of your choice.
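The algorithm, length and comment checks above can also be done in one pass by parsing the public key file directly, which shows where the number printed first by ssh-keygen -l comes from (the bit length of the RSA modulus). This is an added example, not a tool from this page; it assumes Python 3 and constructs dummy key lines for demonstration (the modulus is not a real key), and it does not reproduce the DSA-1571-1 blacklist check, which still needs ssh-vulnkey.

```python
import base64
import struct

# Policy values taken from the checks on this page.
MIN_BITS, MAX_BITS = 4096, 8192

def _read_string(blob, pos):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length

def check_public_key(line, user_email):
    """Return (ok, reason) for one 'ssh-ALGORITHM KEY COMMENT' line.
    user_email is the address of the ticket submitter the comment must match."""
    parts = line.strip().split(None, 2)
    if len(parts) != 3:
        return False, "malformed: expected 'ssh-ALGORITHM KEY COMMENT'"
    algorithm, key_b64, comment = parts
    if algorithm != "ssh-rsa":
        return False, "rejected: only RSA keys are accepted (got %s)" % algorithm
    try:
        blob = base64.b64decode(key_b64, validate=True)
    except ValueError:
        return False, "malformed: key is not valid base64"
    wire_type, pos = _read_string(blob, 0)
    if wire_type != b"ssh-rsa":
        return False, "rejected: key blob does not match its type prefix"
    _e, pos = _read_string(blob, pos)               # public exponent (mpint), not checked
    n, _ = _read_string(blob, pos)                  # modulus (mpint)
    bits = int.from_bytes(n, "big").bit_length()    # the length ssh-keygen -l prints first
    if not MIN_BITS <= bits <= MAX_BITS:
        return False, "rejected: %d bit modulus, need %d..%d" % (bits, MIN_BITS, MAX_BITS)
    if comment != user_email:
        return False, "fix comment: %r is not the user's e-mail address" % comment
    return True, "ok: RSA %d bit, comment %s" % (bits, comment)

def _mpint(value):
    """Encode a non-negative int as SSH mpint (big-endian, leading 0x00 if high bit set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw

def make_test_key(bits, comment, algorithm="ssh-rsa"):
    """Build a CONSTRUCTED key line with a dummy modulus of the given size (not a real key)."""
    n = (1 << (bits - 1)) | 1                       # any odd number with the top bit set
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    return "%s %s %s" % (algorithm, base64.b64encode(blob).decode(), comment)

if __name__ == "__main__":
    for line in (make_test_key(4096, "daniel.baumann@bfh.ch"),
                 make_test_key(2048, "daniel.baumann@bfh.ch"),
                 make_test_key(4096, "bad9@bfh.ch")):
        print(check_public_key(line, "daniel.baumann@bfh.ch"))
```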

Key Deployment

git.bfh.ch

git clone git@git.bfh.ch:gitolite-admin.git

ssh.bfh.ch

git clone git@git.its.bfh.ch:infrastructure/linux/services/ssh.bfh.ch.git