Securing SSH private key

Completed

I have concerns about SSH private key theft when used with CI.

I have done some research on the SSH key storage, and believe I can partially protect filesystem access by limiting user SSH/SFTP access to the Linux server.

https://www.jetbrains.com/help/teamcity/ssh-keys-management.html

 

However, my understanding is they can still access a key stored in the TeamCity Data Directory via the web interface.  How can I lock this down on Linux?

 

Lastly, is the SSH private key stored in the backups?

1 comment
Comment actions Permalink

Hi Scott,

I think I had answered your question through our email support, but I just noticed it here in our support forum as well. I will provide my response below for anyone else with a similar question.

The intention is that the Browse Data Directory feature is to be available only to accounts with Administrator privileges. So your users and project leaders should be assigned a role that isn't able to access the Browse Data Directory feature in the web interface. In most cases, it is advisable to limit the use of the Administrator account to times when actual administrative work is being done. See our documentation on roles and permissions: https://www.jetbrains.com/help/teamcity/role-and-permission.html#

Is it possible to completely disable browsing the Data Directory via the web interface?

Yes, the permission of "Change Server Settings" allows for Browse Data Directory, in addition to many other critical areas of server administration. Remove this permission from a role to prevent access via web interface.

Lastly, is the SSH private key stored in backups?

Yes, the SSH keys are stored in backups.

0

Please sign in to leave a comment.