SSH Key Management Overview & 6 Best Practices
October 18th, 2018
Secure Socket Shell (SSH), also called Secure Shell, is a special network protocol leveraging public-key cryptography to enable authorized users to remotely access a computer or other device via access credentials called SSH keys. Because they are used to access sensitive resources and perform critical, highly privileged activities, it’s vital to properly manage SSH keys as you would other sensitive credentials.
While SSH keys are standard, and more frequently used, in Unix and Linux environments, they are also used in Windows systems.
Read on for an overview of SSH key management that will cover SSH security and authentication, how SSH keys work, the risks and benefits to consider with SSH keys, and strategies for improving SSH security and key management.
Overview of SSH Key Security Authentication
The Secure Shell, and the public-key cryptography (an encryption schema using two keys: one public, one private) that SSH keys use, is designed to provide strong, encrypted verification and communication between the user and a remote computer.
SSH technology is based on the client-server model and provides an ideal way to access remote devices over unsecured networks, like the internet. The technology is typically used by administrators for several functions including:
- Logging into remote computers/servers for support and maintenance
- Transferring of files from computer to computer
- Remote execution of commands
- Offering support and updates
Today, Telnet, one of the Internet’s first remote login protocols and in use since the 1960’s, has largely been supplanted by SSH, owing to the latter protocol’s enhanced security features.
Benefits of SSH Key Authentication
IT teams routinely use SSH keys to automate secure access to servers, bypassing the need to manually enter log-in credentials. The SSH network protocol encrypts all traffic between the client and the server while it is in transit. This means that anyone eavesdropping on the traffic, such as by packet sniffing, would not be able to improperly access and decrypt transmitted data.
SSH is also resistant to brute force attacks and protects against certain attack vectors being used to gain access to remote machines. Public key encryption ensures that passwords need not be sent over the network, providing an additional layer of security. SSH keys are an excellent way to stay secure and compliant with various regulations and mandates, provided that you use best practice to generate, store, manage, and remove them.
Due to the massive number of SSH keys that may be in use or exist across an enterprise at any time, SSH key management software can significantly lower the overhead and risk of manually managing and updating keys.
Generating SSH Keys
SSH keys are always generated in pairs. These pairs consist of one “public” SSH key, and one “private” SSH key. These keys are paired using extremely strong algorithms, making it infeasible to guess or “fake” a private key, even if you know the public key. While private keys should be kept secret by the authorized person wishing to gain access to a system, public keys may be freely shared.
SSH keys are usually generated by a user entering a passphrase or other information. Typically, public and private keys will be generated from phrases of a few words.
SSH Key Access
A remote computer identifies itself to a user using its public key. When a user attempts to connect, the remote computer issues a “challenge” derived from the public key, for which only someone possessing the paired private key could correctly decrypt and respond. Once the challenge is correctly answered, the remote computer provides access.
In almost all cases, generating keys, sharing public keys, issuing challenges, answering them, and gaining access is managed by SSH software, so the process is largely transparent to the end user.
SSH Key Sprawl Poses Security & Operational Risk
SSH key sprawl exposes organizations to considerable cyber risk, especially considering that they can provide such a high level of privileged access, such as root. In a study of over 400 IT security professionals conducted by Dimensional Research, over 90% of respondents reported that they lacked a complete and accurate inventory of SSH keys. Additionally, nearly two out of three of the cybersecurity professionals stated that they do not actively rotate SSH keys.
With typically 50 – 200 SSH keys per server, organizations may have upwards of a million SSH keys. While many of these SSH keys are long dormant and forgotten, they can provide a backdoor for hackers to infiltrate critical servers. And once one server and SSH key is cracked, an attacker could move laterally and find more hidden keys.
As with other types of privileged credentials (or passwords in general), when organizations rely on manual processes, there is a proclivity to reuse a passphrase across many SSH keys or to reuse the same public SSH key. This means that one compromised key can then be harnessed to infiltrate multiple servers.
6 SSH Key Security Best Practices
As with any other security protocols, it’s imperative to maintain strong standards and best practice around SSH network protocols and keys. NIST IR 7966 offers guidance for government organizations, businesses, and auditors on proper security controls for SSH implementations. The NIST recommendations emphasize SSH key discovery, rotation, usage, and monitoring.
In even modestly complex environments, manual SSH Key rotation is infeasible. For instance, you could identify accounts set up to use SSH keys, you could manually scan through authorized keys file in the hidden .SSH user folder, but this falls short of helping you identify who has the private key matching any of the public keys in the file.
Organizations who recognize the risks posed by SSH Key sprawl risk and take a proactive cybersecurity posture typically use a dedicated SSH key management or automated privileged password management (PPM) solution to generate unique key pairs for each system, and perform frequent rotation. Automated solutions dramatically simplify the process of creating and rotating SSH keys, eliminating SSH key sprawl, and ensuring SSH keys enable productivity without compromising security.
To tighten security controls around SSH Keys, you should also apply the following six best practices:
1. Discover all SSH Keys and Bring Under Active Management
A first step to eliminating SSH key sprawl and properly assessing SSH security risk is to discover and inventory all SSH keys, and then to reign in centralized control of all keys. This is also an appropriate juncture to determine who is using various keys and how the keys are being used.
2. Ensure SSH Keys Are Associated With a Single Individual
Tie SSH keys back to an individual, rather than just to an account that can be accessed by multiple users. This will provide an effective SSH audit trail and more direct oversight.
3. Enforce Minimal Levels of User Rights Through PoLP
Apply the principle of least privilege (PoLP), such as in tying SSH keys to granular areas of remote devices, so users can only access certain, necessary systems. This limits the potential fallout from misuse of SSH keys.
4. Stay Attentive to SSH Key Rotation
Implement diligent SSH Key rotation — force users to generate keys on a regular basis and disallow use of the same passphrases across multiple accounts or iterations. These actions help protect the organization from password re-use attacks. In organizations with a large SSH key estate, this can only be feasibly performed via an automated solution.
5. Eliminate Hardcoded SSH Keys
SSH Keys are one of the many types of credentials that can be embedded within code, such as in applications and files. This practice creates dangerous backdoors for malware and hackers to exploit. Embedded keys that use simple or default passphrases may be vulnerable to password-guessing and other attacks. Therefore, an important piece of SSH security is to uncover and eliminate embedded SSH keys, and bring them under centralized management.
6. Audit All Privileged Session Activity
Any privileged session started via a SSH Key authentication (or other means) should be recorded and audited to meet both cybersecurity and regulatory needs. Privileged session management activities can entail capturing keystrokes and screens (allowing for live view and playback). Ideally, you also layer on the ability to control (pause or terminate) privileged sessions in real-time to maintain strong oversight and a short leash over privileged activity.
SSH Key Management Resources
- Secure and Manage SSH Keys (data sheet)
- Simplified SSH Key Management (web page)
- Privileged Password Management Explained (white paper)
- Enterprise Credential Security (2-min video)
For more security terms explained, check out the BeyondTrust glossary.