Secure Socket Shell (SSH) Key Management, also called Secure Shell Management, is a special network protocol leveraging public-key cryptography to enable authorized users to remotely access a computer or other device via access credentials called SSH keys. Because they are used to access sensitive resources and perform critical, highly privileged activities, it’s vital to properly manage SSH keys as you would other sensitive credentials.
While SSH keys are standard, and more frequently used, in Unix and Linux environments, they are also used in Windows systems.
The Secure Shell, and the public-key cryptography (an encryption schema using two keys: one public, one private) that SSH keys use, is designed to provide strong, encrypted verification and communication between the user and a remote computer.
SSH technology is based on the client-server model and provides an ideal way to access remote devices over unsecured networks, like the internet. The technology is typically used by administrators for several functions including:
Logging into remote computers/servers for support and maintenance
Transferring of files from computer to computer
Remote execution of commands
Offering support and updates
Today, Telnet, one of the Internet’s first remote login protocols and in use since the 1960’s, has largely been supplanted by SSH, owing to the latter protocol’s enhanced security features.
The SSH network protocol encrypts all traffic between the client and the server while it is in transit. This means that anyone eavesdropping on the traffic, such as by packet sniffing, would not be able to improperly access and decrypt transmitted data. SSH is also resistant to brute force attacks and protects against certain attack vectors being used to gain access to remote machines. Public key encryption ensures that passwords need not be sent over the network, providing an additional layer of security.
SSH keys are an excellent way to stay secure and compliant with various regulations and mandates, provided that you use best practice to generate, store, manage, and remove them.
Due to the massive number of SSH keys that may be in use or exist across an enterprise at any time, SSH key management software can significantly lower the overhead and risk of manually managing and updating keys.
SSH keys are always generated in pairs. These pairs consist of one “public” SSH key, and one “private” SSH key. These keys are paired using extremely strong algorithms, making it infeasible to guess or “fake” a private key, even if you know the public key. While private keys should be kept secret by the authorized person wishing to gain access to a system, public keys may be freely shared.
SSH keys are usually generated by a user entering a passphrase or other information. Typically, public and private keys will be generated from phrases of a few words.
A remote computer identifies itself to a user using its public key. When a user attempts to connect, the remote computer issues a “challenge” derived from the public key, for which only someone possessing the paired private key could correctly decrypt and respond. Once the challenge is correctly answered, the remote computer provides access.
In almost all cases, generating keys, sharing public keys, issuing challenges, answering them, and gaining access is managed by SSH software, so the process is largely transparent to the end user.
SSH key sprawl exposes organizations to considerable cyber risk, especially considering that they can provide such a high level of privileged access, such as root. With typically 50 – 200 SSH keys per server, organizations may have upwards of a million SSH keys. While many of these SSH keys are long dormant and forgotten, they can provide a backdoor for hackers to infiltrate critical servers. And once one the server and SSH key is cracked, an attacker could move laterally and find more hidden keys.
As with other types of privileged credentials (or passwords in general), when organizations rely on manual processes, there is a proclivity to reuse a passphrase across many SSH keys or to reuse the same public SSH key. This means that one compromised key can then be harnessed to infiltrate multiple servers.
As with any other security protocols, it’s imperative to maintain strong standards and best practice around SSH network protocols and keys. NIST IR 7966 offers guidance for government organizations, businesses, and auditors on proper security controls for SSH implementations. The NIST recommendations emphasize SSH key discovery, rotation, usage, and monitoring.
In even modestly complex environments, manual SSH Key rotation is infeasible. For instance, you could identify accounts set up to use SSH keys, you could manually scan through authorized keys file in the hidden .SSH user folder, but this falls short of helping you identify who has the private key matching any of the public keys in the file.
Organizations who recognize the risks posed by SSH Key sprawl risk and take a proactive cybersecurity posture, typically use a dedicated SSH key management or automated privileged password management (PPM) solution to generate unique key pairs for each system, and perform frequent rotation. Automated solutions dramatically simplify the process of creating and rotating SSH keys, eliminating SSH key sprawl, and ensuring SSH keys enable productivity without compromising security.
To tighten security controls around SSH Keys, you should also apply the following six best practices:
Discover all SSH Keys and Bring Under Active Management: A first step to eliminating SSH key sprawl and properly assessing SSH security risk is to discover and inventory all SSH keys, and then to reign in centralized control of all keys. This is also an appropriate juncture to determine who is using various keys and how.
Ensure SSH Keys Are Associated With a Single Individual: Tie SSH keys back to an individual, rather than just to an account that can be accessed by multiple users. This will provide an effective SSH audit trail and more direct oversight.
Enforce Minimal Levels of User Rights Through PoLP: Apply the principle of least privilege (PoLP), such as in tying SSH keys to granular areas of remote devices, so users can only access certain, necessary systems. This limits the potential fallout from misuse of SSH keys.
Stay Attentive to SSH Key Rotation: Implement diligent SSH Key rotation — force users to generate keys on a regular basis and disallow use of the same passphrases across multiple accounts or iterations. These actions help protect the organization from password reuse attacks. In organizations with a large SSH key estate, this can only be feasibly performed via an automated solution.
Eliminate Hardcoded SSH Keys: SSH Keys are one of the many types of credentials that can be embedded within code, such as in applications and files. This practice creates dangerous backdoors for malware and hackers to exploit. Embedded keys that use simple or default passphrases may be vulnerable to password-guessing and other attacks. Therefore, an important piece of SSH security is to uncover and eliminate embedded SSH keys, and bring them under centralized management.
Audit All Privileged Session Activity: Any privileged session started via SSH Key authentication (or other means) should be recorded and audited to meet both cybersecurity and regulatory needs. Privileged session management activities can entail capturing keystrokes and screens (allowing for live view and playback). Ideally, you also layer on the ability to control (pause or terminate) privileged sessions in real-time to maintain strong oversight and a short leash over privileged activity.