SSH Keys: How to Protect the Neglected with Privileged Identity Management

By Eric Noonan • July 18, 2016

Organizations continue to expand their application infrastructure rapidly, whether in the cloud or on-site. Studies vary, but an estimated 48% to 65% of servers worldwide run some flavor of UNIX or Linux. The latest report from the Linux Foundation found that Linux is winning the battle in the cloud, with an estimated 79% of cloud deployments running the operating system. Many of these systems authenticate with SSH keys instead of passwords, partly for convenience and partly because scripts and applications need to log in with no person present to type a password.

SSH keys are similar to privileged accounts, except that they replace the traditional password: the user, or an application, authenticates with a username and a key file instead. There is no password to remember for each server; the client simply references a file stored on the machine it connects from. SSH keys work as a public/private pair. The public key is stored on the target device (on OpenSSH, in the account's ~/.ssh/authorized_keys file), while the private key stays on the client and is what proves your identity when you connect. Anyone who obtains the private key file can log in as that account on every server that trusts the matching public key. These UNIX devices could include anything from a standard Red Hat Enterprise Linux server to many Internet of Things (IoT) devices.

Unfortunately, SSH key management is commonly overlooked and neglected. If your organization uses SSH keys, they should be treated with the same security and care as privileged account credentials. It is common for users to simply store private keys on local disk with no protection, not even a passphrase, making them easy to steal. Many applications and scripts are hardcoded to use a specific SSH key to communicate with other systems, and because nothing is there to type a passphrase, those keys usually have none and are rarely, if ever, rotated.

In February of this year, cloud infrastructure hosting company Linode, LLC came dangerously close to causing a major breach for its clients. The company provided a common Ubuntu Linux cloud image to customers that shipped with identical SSH host keys, leaving every server built from it open to man-in-the-middle attacks, since a client cannot tell one host from another when they all present the same key. In June 2015, GitHub, an online project repository, revoked an "unknown number of cryptographic keys" after CloudFlare engineer Ben Cox found that a "statistically significant" number of user SSH keys were weak, many of them generated with the nearly decade-old Debian OpenSSL random number generator flaw. Cox stated that some of these weak keys were authorized on the official repositories of Python, Spotify, and the UK Government. Because GitHub publishes every user's public keys, the weak ones could be identified without ever touching a private key.

Organizations should implement a robust SSH key management program to rein in all the SSH keys and improve their security posture. While at first glance this may appear to be a daunting task, mature Privileged Account Management solutions like CyberArk include tools that allow the identification, collection, organization, and storage of SSH keys in a simple, easy-to-use process. The CyberArk SSH Key Manager uses the Discovery and Audit (DNA) tool to discover all the SSH keys in use and creates a map of the trust relationships formed between keys and target machines. The SSH Key Manager can determine which keys are in use, which are rogue (trusted by a host but tied to no known owner or approved purpose), and which are expired, to keep the environment clean.
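The three points above (a key pair whose public half sits in authorized_keys, private keys left on disk without a passphrase, and a discovery pass that maps which hosts trust which key) can be demonstrated with a small inventory script. The following is an added example, not code from this post, from CyberSheath, or from CyberArk's SSH Key Manager or DNA. It uses only the Python standard library, and all key material in it is constructed for the demo: the RSA moduli are arbitrary integers rather than real keys, and the host names, paths and authorized_keys contents are invented.

```python
"""Inventory SSH keys as the text describes: fingerprint public keys from authorized_keys,
map which hosts trust which key, flag short RSA keys, and flag private keys usable without
a passphrase. Added example (not code from the page, CyberSheath or CyberArk); stdlib only;
every key below is constructed for the demo (RSA moduli are arbitrary integers, not keys)."""
import base64, hashlib

def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string' (RFC 4251): uint32 big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data

def ssh_mpint(n: int) -> bytes:
    """Positive SSH 'mpint': big-endian magnitude, 0x00 prepended if the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def read_string(blob: bytes, off: int):
    """Return (field, next_offset); a truncated blob raises instead of misparsing."""
    n = int.from_bytes(blob[off:off + 4], "big")
    if len(blob) < off + 4 or len(blob) < off + 4 + n:
        raise ValueError("truncated SSH string")
    return blob[off + 4:off + 4 + n], off + 4 + n

def pubkey_info(line: str) -> dict:
    """Parse one authorized_keys line: '[options] keytype base64 [comment]'."""
    parts = line.split()
    while parts and not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        parts.pop(0)                  # skip an options field such as no-pty,from="..."
    if len(parts) < 2:
        raise ValueError("not an authorized_keys entry: %r" % line)
    keytype, blob = parts[0], base64.b64decode(parts[1])
    fields, off = [], 0
    while off < len(blob):            # ssh-rsa: type, e, n    ssh-ed25519: type, point
        field, off = read_string(blob, off)
        fields.append(field)
    if fields[0] != keytype.encode():
        raise ValueError("declared type %s does not match the key blob" % keytype)
    bits = {"ssh-ed25519": 256}.get(keytype)                   # None: type not sized here
    if keytype == "ssh-rsa":
        bits = int.from_bytes(fields[2], "big").bit_length()   # modulus n
    # Same value `ssh-keygen -lf` prints: SHA256 of the blob, base64 without padding.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": keytype, "bits": bits, "fingerprint": fp, "comment": " ".join(parts[2:])}

def audit_fleet(fleet: dict, shared_threshold: int = 3) -> dict:
    """fleet = {host: authorized_keys text} -> trust map, weak keys, widely shared keys."""
    trust, weak = {}, []
    for host, text in fleet.items():
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            info = pubkey_info(line)
            trust.setdefault(info["fingerprint"], set()).add(host)
            if info["type"] == "ssh-rsa" and info["bits"] < 2048:
                weak.append((host, info["fingerprint"], info["bits"]))
    # One private key accepted on many hosts: stealing it opens all of them at once.
    shared = {fp: sorted(h) for fp, h in trust.items() if len(h) >= shared_threshold}
    return {"trust": trust, "weak": weak, "shared": shared}

def private_key_is_unencrypted(text: str) -> bool:
    """True if the private key file can be used with no passphrase."""
    lines = text.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(b"openssh-key-v1\x00"):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = read_string(body, len(b"openssh-key-v1\x00"))  # first field: cipher name
        return cipher == b"none"
    if "PRIVATE KEY" in lines[0]:     # classic PEM container
        return "ENCRYPTED" not in lines[0] and "Proc-Type: 4,ENCRYPTED" not in text
    raise ValueError("not a private key file")

def encode_pubkey(keytype: str, *fields: bytes) -> str:
    blob = ssh_string(keytype.encode()) + b"".join(fields)
    return keytype + " " + base64.b64encode(blob).decode()

def openssh_private_key(cipher: str, kdf: str) -> str:
    body = (b"openssh-key-v1\x00" + ssh_string(cipher.encode()) + ssh_string(kdf.encode())
            + ssh_string(b"") + (1).to_bytes(4, "big"))      # kdfoptions, nkeys; rest omitted
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64

RSA_2048 = encode_pubkey("ssh-rsa", ssh_mpint(65537), ssh_mpint((1 << 2047) | 0x10001))
RSA_1024 = encode_pubkey("ssh-rsa", ssh_mpint(65537), ssh_mpint((1 << 1023) | 0x10001))
ED25519 = encode_pubkey("ssh-ed25519", ssh_string(bytes(range(32))))
FLEET = {  # constructed authorized_keys contents per host
    "web-01": RSA_2048 + " deploy@ci\n" + ED25519 + " alice@laptop\n",
    "web-02": "# rotated 2016-07\n" + RSA_2048 + " deploy@ci\n"
              + 'no-pty,from="10.0.0.5" ' + RSA_1024 + " legacy-backup\n",
    "db-01": RSA_2048 + " deploy@ci\n" + ED25519 + " alice@laptop\n",
}
HOME_KEYS = {  # constructed contents of one user's ~/.ssh
    "~/.ssh/id_ed25519": openssh_private_key("none", "none"),
    "~/.ssh/id_rsa": openssh_private_key("aes256-ctr", "bcrypt"),
}

if __name__ == "__main__":
    print(audit_fleet(FLEET))
    print("no passphrase:", [p for p, t in HOME_KEYS.items() if private_key_is_unencrypted(t)])
```

Running it reports the one fingerprint trusted on all three hosts (the shared deploy key), the 1024-bit RSA key on web-02, and the unencrypted ~/.ssh/id_ed25519. Fingerprints are computed the way ssh-keygen -lf prints them, so they can be matched against the fingerprints sshd writes to its auth log; on a real fleet the input would be the authorized_keys files collected from each host and the contents of each user's ~/.ssh rather than the constructed samples.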

Furthermore, the Privileged Account Management suite allows organizations to automatically rotate SSH keys, connect to target systems securely, monitor SSH key usage, and remove hardcoded keys from applications and scripts. This lets companies apply the same security controls they already use for privileged accounts to their privileged SSH keys. With these tools available, there is no excuse for not taking the first steps toward managing SSH keys.

Let CyberSheath’s engineers help your organization establish an appropriate and effective SSH key management solution. You can learn more about our approach by viewing our Privileged Access Management service area.
