Secure and Manage SSH Keys

Privileged Password and Privileged Session Management

Secure Shell (SSH) is a tool used to enable secured systems management, file transfers, and application automation that ships standard with every Unix, Linux, and Mac system and is widely used on Windows. SSH keys are commonly used by privileged users and applications to automate secured sessions by enabling login over SSH without typing a password. As with passwords, unmanaged SSH keys create an opportunity for compromise by both insiders and external hackers. Common challenges include:

  • Inappropriate sharing of SSH keys with unauthorized persons
  • Loss of SSH keys providing a backdoor to systems and resources
  • Stolen SSH keys by insiders or external hackers
  • SSH key sprawl

Traditional methods of SSH key management are very labor intensive, causing many organizations to not properly rotate their keys. Additionally, it is common practice for administrators to share keys. Between the lack of rotation and the sharing of keys, organizations lose accountability over their systems, which could lead to those systems being vulnerable to exploits. To highlight the risks associated with unmanaged SSH keys, the National Institute for Standards and Technology (NIST) published NIST IR 7966 in 2016. This provides guidance for enterprises, government agencies, and auditors for properly managing and securing SSH implementations. Best practice recommendations include SSH key discovery, rotation, usage, and monitoring.

Simplified SSH Key Management with PowerBroker Password Safe

PowerBroker Password Safe adds security and simplifies the management of SSH keys by automatically rotating SSH keys according to a defined schedule and enforcing granular access control and workflow. Private keys stored in Password Safe can be leveraged to automatically log users onto systems through a proxy with no user exposure to the key, and with full privileged session recording.

  • Automatically discover assets and unmanaged SSH keys
  • Create a SSH Key Management Group DSS Key rule to specify key type, bit size, and passphrase controls
  • Assign SSH key rule to managed accounts, specify password failover, and set key rotation interval
  • Configure access policy to include factors such as location, certificate, date/time controls, and real-time alerts
  • Configure access policy to include options for integrated session recording of all privileged activities
  • Configure approval processes for SSH key usage and tracking
  • From a central console, view SSH key usage, approved/unapproved activity, and session logs through delegated reporting mechanisms
  • Directly connect and automatically launch SSH sessions by simply passing a connection string to the proxy

Secure SSH Keys with PowerBroker Password Safe

PowerBroker Password Safe greatly simplifies the management and secures the use of SSH keys for better control, accountability, and security over Unix and Linux systems. Password Safe SSH key management features include:

  • Storing private keys, like any other privileged credential
  • Automatically rotating SSH keys according to a defined schedule
  • Manual upload of externally generated keys, or automatic key pair generation according to defined DSS key policy
  • Automatic push of the public key into the managed account’s authorized keys file
  • Allowing designated ‘secondary’ accounts and SSH keys to be grouped to a ‘primary’ account to manage rotation interval, complexity, and duration of SSH keys
  • Enforcing granular access control and workflow
  • Alerting when a key is released
  • Automatically logging users onto Unix or Linux systems through the proxy with no user exposure
  • Enabling users to request access to SSH key sessions instantly, or via workflow
  • Never revealing SSH keys to the end-user
  • Real-time alerting of SSH key release
  • Recorded, full-motion video playback of all SSH key usage
  • Offering failover to a managed password for complete redundancy

Read the complete Data Sheet!

Download Now