Sergey Nivens - Fotolia


How SSH key management and security can be improved

The widespread use of SSH keys is posing security risks for enterprises due to poor tracking and management. Expert Michael Cobb explains how some best practices can regain control over SSH.

There are various initiatives underway to remove passwords as our default means of authentication. Organizations...

like the FIDO Alliance are making more effective authentication technologies a reality, and most major websites now offer some form of two-factor authentication, including using biometric factors.

However, it's not just poor passwords that are a threat to network access. Tatu Ylonen, the creator of the SSH cryptographic network protocol and founder of SSH Communications Security, spoke to SearchSecurity about the growing risks of SSH key proliferation and the lack of sound SSH key management.

Two examples he gave showed the extent of these problems. A recent audit by Ylonen's team at a Wall Street bank, which employs approximately 220,000 people, found three million SSH keys, 10% of which granted root access to live production servers. The audit covered 15,000 servers and 500 business applications -- only around a quarter of the entire IT infrastructure. 90% of the keys found at the bank were no longer in use. Another colleague of Ylonen's, during a visit to a healthcare organization at which he'd worked as a consultant 10 years previously, found that his old SSH key was still valid.

SSH uses public key cryptography to authenticate a remote computer to a user and vice versa, and to create a secure communications channel. It is incorporated into many software applications and is widely used by network administrators for managing systems and applications remotely, as it provides a secure channel over an unsecured network. SSH is also being widely used in the firmware of internet of things (IoT) devices, adding to the number of keys an enterprise must manage.

SSH keys provide the same access as usernames and passwords, but allow users or programs to log in without having to specify a password. They often grant access to privileged accounts on production servers, databases, routers, firewalls, payment systems and so on. The compromise of a root account gives the attacker complete control of a system, yet SSH key management tends to be overlooked in identity and access management planning, implementation and audits.

As Ylonen's examples show, the lifecycle of SSH keys from creation to retirement is often woefully managed, causing a major gap in identity and access control. This puts enterprise infrastructures and data at risk, as malicious insiders or external hackers can use the keys to bypass access management controls and access accounts without generating accurate audit records. The attack against Sony Pictures in 2014, which resulted in five films being maliciously leaked, is thought to have involved the abuse of compromised SSH keys. There is even a black market for stolen keys.

The situation is so dire that the National Institute of Standards and Technology (NIST) published NISTIR 7966, "Security of Interactive and Automated Access Management Using Secure Shell (SSH)," which offers best practice recommendations for SSH key discovery, rotation, usage and monitoring. The guidance it provides for managing and securing SSH implementations is essential reading, but the first task for most enterprises is to find and catalog existing keys within their environment: in the data center, on servers and desktops, on mobile and IoT devices, and in the cloud.

Alarmingly, paper or spreadsheet-based SSH key management systems are used by 57% of companies, according to the Ponemon Institute's "2016 Global Encryption Trend Study." Such schemes are too prone to human error and oversight, and could lead many IT departments to lose control of the keys within their organization. Enterprises need to deploy a product or service, such as SSH Communications Security's Universal SSH Key Manager, BeyondTrust's PowerBroker Password Safe or Venafi's TrustAuthority, which can automate SSH key management and discovery.

SSH key management best practices

Once existing keys have been brought under control, polices and processes for provisioning, monitoring, auditing and terminating keys need to be strictly enforced. Again, automated tools can greatly ease the burden. Finally, administrators, database managers, developers and other employees who need to use SSH keys should be trained in best practices, as a lack of awareness regarding the risks of poorly protected keys is a major contributor to the problem.

Information security starts by controlling who is given access to systems and data. Enterprises need to understand that SSH keys are like passwords, and therefore require robust management and protection. If there is no control over access, there is no security.

Next Steps

Learn about the risks presented by SSH implementations on IoT devices

Find out what security risks SSH tunneling through a firewall can create

Discover how to update your enterprise's identity and access management strategy

This was last published in May 2017

Dig Deeper on Identity and access management