Managing keys for Python-based targets

Private key storage

Each organization has a unique set of security policies related to private key storage. For example, using Bravura Safe is one of the recommended products to use for private key storage. Leaving private keys on a UNIX system, although convenient, is not a secure practice.

The scenarios below for generating keys is meant to show a simple strategy to target against a UNIX system, but public/private keys are ideally suited to sharing across an organization. Considerations should be made on how best to implement a security policy for targeting multiple UNIX systems using a minimal set of public/private keypairs.

Generating different key formats and encryptions

You can also change the algorithm to shorten the private key. A private secure RSA key now suggests a bit length of 2048. For example:

ssh-keygen -m PEM -t rsa -b 2048 -f user_ppk.pem

You would then use the ssh-copy-id command to copy the key to the authorized_keys file, for example:

ssh-copy-id <userid>@<hostname>
ssh-copy-id -i <keyfile> <userid>@<hostname>

Discovering Key Formats, Size, and Encryption

In most cases, RSA is still the industry standard for public/private pairs; however, if you are unsure as to which encryption method was used, run the following command:

ssh-keygen -lf <keyfile>

This command will indicate in the output the key format that was used.

When configuring SSH connections, there are two general scenarios.

The first involves generating a public/private key pair, adding the public key to the authorized key file of the target SSH system, then adding the private key value as the target system's administrator password.

This generates the private key unencrypted and using it as the administrator password. This method is preferred since the administrative password field is encrypted and this process does not require the added complexity of storing private keys on the filesystem.

The second scenario entails using a pre-existing public/private key pair, typically in PEM/PPK format, such as when authenticating to an AWS UNIX instance. The authentication key file is used and the passphrase is specified for the administrator password.

This scenario is suitable when creating a key pair from a self-signed certificate not certified by a CA signing authority. It uses a private key value as the administrator password for authentication.

This scenario is appropriate when importing a key pair from a signed certificate certified by a CA signing authority. It uses an authentication key file and a passphrase is used for the administrator password for authentication. The authentication key file is copied from the SSH server to the Bravura Security Fabric server.

When generating an SSH public/private key pair, OPENSSH PKCS#8 formatted private keys as administrative passwords is not supported. These types of keys use the following format:

-----BEGIN OPENSSH PRIVATE KEY-----<value>-----END OPENSSH PRIVATE KEY-----

The following may also appear in the logs:

agtpython.exe Warning: Failed to connect with Python fabric error [OPENSSH PKCS#8 format private keys as admin passwords not supported].

The PKCS#8 keys are generated using a command such as " ssh-keygen ". The underlying Python framework uses Paramiko and does not currently handle private keys as administrative passwords in PKCS#8 format.

Instead, the " -m pem " option must be used: ssh-keygen -m pem -t rsa.

When generating an SSH public/private key pair and using a command such as ssh-keygen -m pem -t rsa , the passphrase must be blank/empty. This is for Scenario One above when using a private key value as the administrator password.