Lead Image © scanrail, 123RF.com
Cryptographic key access in the cloud
Gimme the Key
Cryptographic keys are usually stored on the hard disk, a smart card, a hardware security module (HSM), or a USB token. Applications that typically use such cryptographic keys are SSH, GnuPG, and crypto frameworks like OpenSSL, NSS, or GnuTLS.
Agent Forwarding
To begin, I'll take a look at SSH. If a user wants to log on to a remote computer by way of public key authentication, the user's public key must be available on the remote computer, usually provided with the help of the `ssh-copy-id` application. Of course, the user's private key does not leave the local computer, but what happens if the user needs to move on from the remote computer, for example, because it is only a kind of jump host from which you can then log on to other systems in the back end?

Access to the user's private SSH key is then required on the remote computer, which is what `ssh-agent` can provide. Any private SSH key can be passed to this agent by `ssh-add`, which then stores the key in memory. If access to one of these keys is necessary, the agent can be addressed through a socket file. The name of this file can be found in the `SSH_AUTH_SOCK` variable:
```
# echo "$SSH_AUTH_SOCK"
/tmp/ssh-j3OzPSWatFUl/agent.2395
```
Agent forwarding allows remote computers to access these agents. When establishing a connection over SSH, you can use the `-A` option. Alternatively, the option can be stored in the SSH configuration file; the option here is `ForwardAgent`, which is set to `no` by default. If you activate forwarding by changing `no` to `yes`, all keys known by the SSH agent are displayed after logging in on a remote computer and calling `ssh-add -l`. Now you can establish another SSH connection by public key-based authentication simply by accessing the key material of the SSH
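Because `ForwardAgent yes` hands the agent to every server the matching `Host` block covers, it is worth checking where a configuration actually enables it. The following POSIX shell audit is an added example, not code from the article: it parses `ssh_config`-style `Host` blocks and flags blanket forwarding under `Host *`, using two constructed sample configurations (the hostname `bastion.example.com` is made up).

```shell
#!/bin/sh
# Audit ssh_config for ForwardAgent: list every Host block that enables it
# and flag the blanket case ("Host *"), which forwards the agent to every
# server, not just the jump host.

# Constructed sample: the weak setting, forwarding enabled for all hosts.
WEAK_CONFIG='# forwards the agent everywhere
Host *
    ForwardAgent yes

Host bastion.example.com
    User admin
'

# Constructed sample: the corrected setting, forwarding only to the jump host.
HARDENED_CONFIG='# default off, enabled only where it is needed
Host *
    ForwardAgent no

Host bastion.example.com
    User admin
    ForwardAgent yes
'

# Print the Host pattern of each block in which ForwardAgent is "yes".
# Directives before any Host line apply globally, so they count as "*".
# Keywords are case-insensitive; Match blocks and "Key=Value" syntax are
# not handled here.
forward_agent_hosts() {
    awk '
        BEGIN { host = "*" }
        tolower($1) == "host" {
            host = $2
            for (i = 3; i <= NF; i++) host = host " " $i
            next
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }
    ' "$1"
}

# Return 0 when no block covering all hosts enables forwarding, 1 otherwise.
check_no_blanket_forwarding() {
    forward_agent_hosts "$1" | grep -qx '\*' && return 1
    return 0
}
```

Run the check against `~/.ssh/config` and `/etc/ssh/ssh_config`; if the only reason for forwarding is to reach back-end hosts through the jump host, OpenSSH's `ProxyJump` option (`-J`) does that without exposing the agent to the intermediate machine at all.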