(30 intermediate revisions by the same user not shown)

'''topic''' short description
#WEITERLEITUNG [[OpenSSH]]

== Description ==

== Installation ==

 # apt install openssh-server

== Syntax ==

=== Parameters ===

=== Options ===

=== Environment variables ===

=== Exit status ===

== Configuration ==

=== Files ===

== Usage ==

== Security ==

== Documentation ==

=== RFC ===

=== Man pages ===

=== Info pages ===

=== See also ===

== Links ==

=== Project homepage ===

=== Web links ===

=== References ===

<references />

== Test questions ==

<div class="toccolours mw-collapsible mw-collapsed">
''Test question 1''
<div class="mw-collapsible-content">'''Answer 1'''</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
''Test question 2''
<div class="mw-collapsible-content">'''Answer 2'''</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
''Test question 3''
<div class="mw-collapsible-content">'''Answer 3'''</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
''Test question 4''
<div class="mw-collapsible-content">'''Answer 4'''</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
''Test question 5''
<div class="mw-collapsible-content">'''Answer 5'''</div>
</div>

= TMP =

= Appendixes =

== Key material handling ==

Key material identifies the cryptographic secrets that compose a key. All key material must be treated as <span>RESTRICTED</span> data, meaning that:

* Only individuals with specific training and a need-to-know should have access to key material.
* Key material must be encrypted in transit.
* Key material can be stored in clear text, but only with proper access control (limited access).

This includes:

* OpenSSH server keys (<tt>/etc/ssh/ssh_host_*key</tt>)
* Client keys (<tt>~/.ssh/id_{rsa,dsa,ecdsa,ed25519}</tt> and <tt>~/.ssh/identity</tt>).

== Client key size and login latency ==

In order to figure out the impact on performance of using larger keys, such as RSA 4096 bytes keys, on the client side, we have run a few tests:

On an idle Intel i7 4500 CPU using OpenSSH_6.7p1, OpenSSL 1.0.1l and ed25519 server keys, the following command was run 10 times:

<tt>time ssh localhost -i .ssh/id_thekey exit</tt>

Results:

{| class="wikitable sortable"
|-
! Client key !! Minimum !! Maximum !! Average
|-
| RSA 4096 || 120ms || 145ms || 127ms
|-
| RSA 2048 || 120ms || 129ms || 127ms
|-
| ed25519 || 117ms || 138ms || 120ms
|}

Keep in mind that these numbers may differ on a slower machine, and that they cover the complete login sequence and are therefore subject to variation. However, it seems safe to say that the latency differences are not significant and do not impact performance sufficiently to cause any concern, regardless of the type of key used.

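A way to repeat this measurement for any client key, as an added example that is not part of the original page: a bash script that runs the login a given number of times and reports minimum, maximum and average in milliseconds. It assumes GNU date (for sub-second timestamps) and that <tt>ssh localhost</tt> with the given key works non-interactively; the function names and file name are the example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: repeat the login-latency
# measurement for one client key and print min/max/avg in milliseconds.
# Assumes bash, GNU date (%N for sub-second resolution) and that
# `ssh localhost -i KEYFILE exit` works non-interactively (key authorised,
# host key already in known_hosts).

ms_now() { echo $(( $(date +%s%N) / 1000000 )); }

# bench_cmd RUNS CMD...: run CMD RUNS times, print "MIN MAX AVG" (ms).
# A run whose command exits non-zero (for example a rejected key) is
# counted and makes the function return 1: a failed login returns far
# faster than a successful one and would silently skew the average.
bench_cmd() {
  local runs=$1; shift
  local min="" max=0 total=0 failed=0 i t0 t1 dt
  for ((i = 0; i < runs; i++)); do
    t0=$(ms_now)
    "$@" >/dev/null 2>&1 || failed=$((failed + 1))
    t1=$(ms_now)
    dt=$((t1 - t0))
    total=$((total + dt))
    if [ -z "$min" ] || [ "$dt" -lt "$min" ]; then min=$dt; fi
    if [ "$dt" -gt "$max" ]; then max=$dt; fi
  done
  echo "$min $max $((total / runs))"
  if [ "$failed" -gt 0 ]; then
    echo "warning: $failed of $runs runs failed" >&2
    return 1
  fi
  return 0
}

# bench_login KEYFILE [RUNS]: the page's measurement, 10 runs by default.
# BatchMode=yes makes ssh fail instead of prompting for a passphrase or
# password, so a misconfigured key cannot hang the loop.
bench_login() {
  local key=$1 runs=${2:-10}
  bench_cmd "$runs" ssh -o BatchMode=yes -i "$key" localhost exit
}

# Usage: ./bench_login.sh ~/.ssh/id_ed25519 [RUNS]; repeat once per key type.
if [ $# -ge 1 ]; then
  bench_login "$1" "${2:-10}"
fi
```

Run it once per key type (RSA 2048, RSA 4096, ed25519) on the same idle machine to reproduce the table above for your own hardware and OpenSSH version.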

[[Kategorie:Entwurf]]
[[Kategorie:SSH]]