SSH Keys: How to Protect the Neglected with Privileged Identity Management

By Eric Noonan • July 18, 2016

Organizations continue to expand their application infrastructure at an alarming rate, whether it be in the cloud or on-site. Studies vary, but an estimated 48% to 65% of servers worldwide are run on some flavor of UNIX. The latest report from the Linux Foundation found that Linux is winning the battle in the cloud with an estimated 79% of cloud deployments running the operating system. Many of these UNIX devices are using SSH keys for authentication instead of passwords for the sake of convenience.

SSH keys are similar to privileged accounts, except they replace the need to use a traditional username and password. They allow the user, or an application, to authenticate with a username and key file instead. This removes the need to remember a password for each server, and instead just reference a file stored on your machine. SSH keys work in a public-private setup, where the public key is stored on the target device and the private key is what you use to connect to it with. These UNIX devices could include anything from your standard Red Hat Enterprise Linux server to many of the Internet of Things (IoT) devices.

Unfortunately, SSH key management is commonly overlooked and neglected. These SSH keys should be treated with the same security and care as privileged account credentials if your organization uses them. It’s common for users to simply store SSH keys on their local storage with no protection, making them vulnerable to theft. Many application and scripts are hardcoded to use SSH keys to communicate to.

In February of this year, cloud infrastructure hosting company Linode, LLC came dangerously close to causing a major breach for their clients. The company provided a common Ubuntu Linux cloud image to customers that utilized identical SSH keys, leaving the servers vulnerable to man-in-the-middle attacks. More recently on June 2nd, GitHub, an online project repository, revoked an “unknown number of cryptographic keys” when CloudFlare engineer Ben Cox discovered that a nearly decade-old vulnerability had left a “statistically significant” number of SSH keys vulnerable. Cox stated that the official repositories of Python, Spotify, and the UK Government we’re likely accessed using the compromised keys.

Organizations should implement a robust SSH key management program to reign in all the SSH keys and improve their security posture. While at first glance, this may appear to be a daunting task, mature Privileged Account Management solutions like CyberArk include tools that allow the identification, collection, organization, and storage of SSH keys in a simple, easy to use process. The CyberArk SSH Key Manager uses the Discovery and Audit (DNA) tool to detect and find all the SSH keys being used and creates a map reflecting the trusts formed by keys and target machines. The SSH Key Manager can determine which keys are being used, which are rouge, and which are expired to keep the environment clean.

Furthermore, the Privileged Account Management suite allows organizations to automatically rotate SSH keys, connect to target systems securely, monitor SSH key usage, and remove hardcoded keys. This allows companies to take advantage of all the same security features they use to manage their privileged accounts for their privileged SSH keys. With these tools, there is no excuse for why companies should not be taking the first steps to managing their SSH keys.

Let CyberSheath’s engineers help your organization establish an appropriate and effective SSH key management solution. You can learn more about our approach by viewing our Privileged Access Management service area.

CyberSheath Blog

CyberSheath Opens Registration For CMMC CON 2022

RESTON, Va. — June 8, 2022 — Federal contractors have been searching for direction after seeing a flood of messaging about the future of Cybersecurity Maturity Model Certification (CMMC). The nation’s largest CMMC conference has returned to help contractors navigate their course through the evolving compliance landscape.   Hosted by…

5 Reasons to Partner with CyberSheath

The threat landscape is only becoming more complex. Offload the responsibility of navigating cybersecurity issues for your customers by taking advantage of CyberSheath’s new Partner Program.   As a pioneer and industry leader in the managed security service provider space, our new offering helps you achieve rapid results and deliver…

CMMC Compliance Training: How to Earn Your Black Belt

Contractors in the Defense Industrial Base (DIB) are looking for direction as Cybersecurity Maturity Model Certification (CMMC) 2.0 nears. Compliance with CMMC and Defense Federal Acquisition Regulation Supplement (DFARS) is your key to doing business with the Department of Defense (DoD) and we can help you navigate those requirements and…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO

CMMC CON 2022 is here! Save your spot to hear the latest on CMMC from our expert speakers across the government and Defense Industrial Base.