I've been reading the FHS specification on http://www.pathname.com/fhs/pub/fhs-2.3.html to figure out where a (private) SSH keyfile should be stored that will be used for a VPS administration panel I am currently working on. This keyfile should only be available to the master server (the one it is placed on), and will be used to tunnel libvirt communication over SSH.
From my understanding, this means the keyfile should be stored in a subdirectory in /etc
, as it is static and host-specific. Is this correct?
IMHO:
/etc
would tell where to find the key./usr/local
or the/var
tree might be the better approach or~/.ssh
on the corresponding users.The system I am on uses
/etc/ssl/certs
for certificates and/etc/ssl/private
for keys. Protection on the/etc/ssl/private
directory is 710. Root owns the directory and the group can only access keys if it knows their name. Careful use of groups and permissions can provide finer grain access to the keys by non-root users.EDIT: As @UtahJarhead pointed out SSH is not SSL(TLS). SSH doesn't normally have any issues about key placement as they are placed by the tools. Both methods can be used to secure access. SSL/TLS uses CA (Certficate Authority) signed certificates stored as specified above.
SSH uses unsigned certificates. The server's (host's) keys are stored in /etc/ssh and the key has 600 permission allowing only root read access. These are generated and installed when the daemon is installed . Client/user keys are stored in ~/ssh (aka $HOME/ssh) and all the standard tools will place them accordingly. When a public key is copied for passwordless access it also is stored in ~/ssh for the target user on the target system.
a private ssh key may not be host specific. A single ssh key pair can be used to connect a user to an unlimited number of hosts. ssh keys need to be able to be referenced on a per-login basis. In
sshd_config
there is anAuthorizedKeysFile
that sets the location of where the private keys are stored. If you are interested in keeping it in/etc
, this is feasible, however it is not "host-specific system configuration" as per the FHS guidelines. It appears to best fit in the default location in/home/${USER}/.ssh/authorized_keys
since it should be unique to each user.