SSH Keys: How to Protect the Neglected with Privileged Identity Management

By Eric Noonan • July 18, 2016

Organizations continue to expand their application infrastructure at an alarming rate, whether it be in the cloud or on-site. Studies vary, but an estimated 48% to 65% of servers worldwide are run on some flavor of UNIX. The latest report from the Linux Foundation found that Linux is winning the battle in the cloud with an estimated 79% of cloud deployments running the operating system. Many of these UNIX devices are using SSH keys for authentication instead of passwords for the sake of convenience.

SSH keys are similar to privileged accounts, except they replace the need to use a traditional username and password. They allow the user, or an application, to authenticate with a username and key file instead. This removes the need to remember a password for each server, and instead just reference a file stored on your machine. SSH keys work in a public-private setup, where the public key is stored on the target device and the private key is what you use to connect to it with. These UNIX devices could include anything from your standard Red Hat Enterprise Linux server to many of the Internet of Things (IoT) devices.

Unfortunately, SSH key management is commonly overlooked and neglected. These SSH keys should be treated with the same security and care as privileged account credentials if your organization uses them. It’s common for users to simply store SSH keys on their local storage with no protection, making them vulnerable to theft. Many application and scripts are hardcoded to use SSH keys to communicate to.

In February of this year, cloud infrastructure hosting company Linode, LLC came dangerously close to causing a major breach for their clients. The company provided a common Ubuntu Linux cloud image to customers that utilized identical SSH keys, leaving the servers vulnerable to man-in-the-middle attacks. More recently on June 2nd, GitHub, an online project repository, revoked an “unknown number of cryptographic keys” when CloudFlare engineer Ben Cox discovered that a nearly decade-old vulnerability had left a “statistically significant” number of SSH keys vulnerable. Cox stated that the official repositories of Python, Spotify, and the UK Government we’re likely accessed using the compromised keys.

Organizations should implement a robust SSH key management program to reign in all the SSH keys and improve their security posture. While at first glance, this may appear to be a daunting task, mature Privileged Account Management solutions like CyberArk include tools that allow the identification, collection, organization, and storage of SSH keys in a simple, easy to use process. The CyberArk SSH Key Manager uses the Discovery and Audit (DNA) tool to detect and find all the SSH keys being used and creates a map reflecting the trusts formed by keys and target machines. The SSH Key Manager can determine which keys are being used, which are rouge, and which are expired to keep the environment clean.

Furthermore, the Privileged Account Management suite allows organizations to automatically rotate SSH keys, connect to target systems securely, monitor SSH key usage, and remove hardcoded keys. This allows companies to take advantage of all the same security features they use to manage their privileged accounts for their privileged SSH keys. With these tools, there is no excuse for why companies should not be taking the first steps to managing their SSH keys.

Let CyberSheath’s engineers help your organization establish an appropriate and effective SSH key management solution. You can learn more about our approach by viewing our Privileged Access Management service area.

CyberSheath Blog

How to Safeguard Your Company from Phishing

Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. Each day it’s not unheard of for each member of your team to have hundreds of messages land in their inbox. How do you make sure that none…

3 Tools to Help Defend Your IT Infrastructure from Threats

With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks.  CyberSheath can help. We offer services to build on all the great work you have already done…

DNS Filtering for Additional Protection of IT Systems

Phase one of securing your IT infrastructure should include protecting your endpoints and safeguarding your employees from phishing attempts. After you have implemented these controls, the next logical step is to launch a DNS filtering solution.   What is DNS filtering and why do you need it? Domain name server…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO