Requirements for staff members having SSH access to any Odoo system
This applies to your main work laptop and to any secondary computer/device where you store your SSH private key.
1. Set up full disk encryption on your laptop
(This should be the case already - all laptops are delivered with FDE, but please double-check!)
- For Linux, choose full disk encryption (LUKS) during the (re)installation of your OS, or verify that it's present.
- For Windows, install VeraCrypt and set up full disk encryption, or use the equivalent with BitLocker.
- For Mac, enable FileVault in the System Preferences.
2. Use a strong local password (10+ chars) + auto-lock with a timeout
Don't leave your laptop unattended when unlocked! Use the shortest timeout you are comfortable with, and get into the habit of manually locking your screen. There is no requirement on the content of your password other than its length, but please make it good.
Suggestion: A very good way of obtaining a strong and memorable password is the Diceware approach, aka XKCD's correct-horse-battery-staple. Both Bitwarden and 1Password have online generators; just choose the "passphrase" mode. 4 or 5 random words provide good entropy and a relatively fast typing speed, since they're only letters and hyphens. Feel free to use spaces or other separators if that's easier for you to type.
3. Use different SSH keys for server access and for source code access
Most source code platforms like GitHub, GitLab and Bitbucket publish an index of their users' SSH public keys. Even if there is no immediate threat, this opens up some interesting attack possibilities (see here and here for example). Using a dedicated SSH key for source code prevents a trivial compromise of Odoo servers if a source code key is ever broken. Keys used only for source code are easier to rotate, too.
How to generate a new, dedicated private key, e.g. for GitHub:
$ ssh-keygen -f ~/.ssh/id_github_25519 -t ed25519
How to force a specific key for SSH to github.com (rinse and repeat for GitLab, Bitbucket, sf.net, etc.):
Add this to your ~/.ssh/config file:
Host github.com
    IdentityFile ~/.ssh/id_github_25519
4. Encrypt your SSH keys
Make sure your SSH key is stored encrypted with a strong passphrase. It should be fine to use your login password because of the previous requirements. You can test the passphrase with ssh-keygen -y.
No password prompt = no encryption! If you have no passphrase, be sure to set one immediately with ssh-keygen -p.
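The two checks from steps 3 and 4 can be made non-interactive. The script below is an added illustration, not Odoo's tooling: it reads the header of an OpenSSH private key (the cipher and KDF names that ssh-keygen writes as "none" when the passphrase is empty, or the Proc-Type header of a legacy PEM key) and parses the Host and IdentityFile keywords of an ssh config to find code-forge hosts that either have no dedicated key or share their key with a server host. The sample keys are header-only blobs constructed inline, the config is constructed, and the *.odoo.example server pattern is a placeholder.

```python
"""Audit helper for steps 3 and 4: flags private keys stored without a
passphrase, and code-forge hosts in ~/.ssh/config without a dedicated key.
Added illustration, not Odoo's own tooling; it parses only the key header and
the Host/IdentityFile keywords, and runs on constructed sample inputs."""
import base64
import re
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # leading bytes of the openssh-key-v1 format
CODE_HOSTS = ("github.com", "gitlab.com", "bitbucket.org")  # forges to check


def _read_string(blob: bytes, off: int):
    """Read one length-prefixed string from the decoded key blob."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_encryption(pem_text: str) -> str:
    """Return 'encrypted', 'unencrypted' or 'unknown' for a private key file's
    text; the same answer 'ssh-keygen -y' gives by prompting (or not)."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        return "unknown"
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC):
            return "unknown"
        cipher, off = _read_string(blob, len(MAGIC))  # e.g. aes256-ctr
        kdf, _ = _read_string(blob, off)              # e.g. bcrypt
        return "unencrypted" if b"none" in (cipher, kdf) else "encrypted"
    # Legacy PEM keys (RSA/EC/DSA) mark encryption with a Proc-Type header.
    headers = [ln for ln in lines[1:] if ":" in ln]
    if any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers):
        return "encrypted"
    return "unencrypted"


def audit_key_dir(ssh_dir: Path) -> dict:
    """Classify every PEM-looking file in ssh_dir (skips *.pub files)."""
    report = {}
    for p in sorted(ssh_dir.iterdir()):
        if p.is_file() and p.suffix != ".pub":
            text = p.read_text(errors="ignore")
            if text.startswith("-----BEGIN"):
                report[p.name] = key_encryption(text)
    return report


def parse_ssh_config(text: str) -> dict:
    """Map each Host pattern to the IdentityFile values in its block.
    Minimal parser: only Host and IdentityFile are interpreted."""
    hosts, current = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            current = value.split()
            for pattern in current:
                hosts.setdefault(pattern, [])
        elif key == "identityfile":
            for pattern in current:
                hosts[pattern].append(value)
    return hosts


def audit_code_hosts(config_text: str, code_hosts=CODE_HOSTS) -> dict:
    """For each forge host: 'ok', 'no dedicated IdentityFile', or the non-forge
    Host pattern it shares a key with (exactly what step 3 wants to avoid)."""
    hosts = parse_ssh_config(config_text)
    result = {}
    for h in code_hosts:
        files = set(hosts.get(h, []))
        if not files:
            result[h] = "no dedicated IdentityFile"
            continue
        shared = [o for o, fs in hosts.items()
                  if o != h and o not in code_hosts and files & set(fs)]
        result[h] = f"key also used for {shared[0]}" if shared else "ok"
    return result


# Constructed samples: header-only blobs, not real keys.
def _openssh_sample(cipher: bytes, kdf: bytes) -> str:
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", len(kdf)) + kdf
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

SAMPLE_PLAIN = _openssh_sample(b"none", b"none")              # empty passphrase
SAMPLE_ENCRYPTED = _openssh_sample(b"aes256-ctr", b"bcrypt")  # after ssh-keygen -p
SAMPLE_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_CONFIG = """
Host github.com
    IdentityFile ~/.ssh/id_github_25519
Host gitlab.com
    IdentityFile ~/.ssh/id_ed25519
Host *.odoo.example        # constructed server pattern (placeholder)
    IdentityFile ~/.ssh/id_ed25519
"""

if __name__ == "__main__":
    for name, sample in [("plain", SAMPLE_PLAIN), ("encrypted", SAMPLE_ENCRYPTED),
                         ("legacy", SAMPLE_LEGACY_ENC)]:
        print(f"{name:10} -> {key_encryption(sample)}")
    print(audit_code_hosts(SAMPLE_CONFIG))
    if (Path.home() / ".ssh").is_dir():  # real audit of the current user's keys
        print(audit_key_dir(Path.home() / ".ssh"))
```

On the sample config, github.com reports "ok", gitlab.com reports that its key is also used for the server pattern, and bitbucket.org has no dedicated IdentityFile at all. Note that an IdentityFile line only adds a key to the list ssh tries; if the server key is also loaded in your agent, ssh may still offer it to the forge first, so add IdentitiesOnly yes to the forge's Host block when you want the dedicated key to be the only one presented.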
5. Secure all copies of your SSH keys
It's often tempting to have a copy of your SSH key on your home computer. Or you may have an old clone of your hard drive lying around, with a copy of your SSH keys included. Or a backup of your key on a thumb drive somewhere. It's important that those copies are protected in the same fashion as your main copy (encrypted!). For secondary copies, it is strongly recommended to only use manual unlocking, since you don't need to unlock them very often. And whenever possible, secure-wipe hard drives before disposing of them.
6. Use a password manager
Use unique passwords for all Odoo related activities, and store them in a password manager (this includes your SSH passphrase if different from your login password).
Suggested password managers: Enpass, KeePassXC, 1Password, Bitwarden.
7. Be security conscious
Be smart and proactive about security; we trust you! Follow best practices, and contact security@odoo.com if you notice anything suspicious (on your devices or on the Odoo servers). If any of your devices holding SSH keys is ever lost or stolen, please contact security@odoo.com too, and proceed with a password change and key rotation as soon as possible.
Thanks! 😘
