Credentials and secrets management often focuses on passwords. But other credentials, such as SSH keys, serve the same purpose: they are access credentials just as much as passwords are, yet they are routinely overlooked.
Why should you pay more attention to your SSH keys?
Vaulting private SSH keys to a central PAM system
Vaulting authorized keys into a central system (LDAPify)
Vaulting encryption keys is a bad way to manage them
From more ways to the best way to manage encryption keys
Unfortunately, many companies are oblivious to the SSH key problem, let alone to the best ways to manage their keys. This is not a surprise. Many PAM solution providers that claim to manage SSH keys fail to do so at an acceptable level. Traditional PAM solutions were built to manage passwords, but the same password vaulting approach just doesn’t work with keys.
Let’s explore a couple of typical ways that attempt to manage keys using key vaults.
Most PAM solutions try to vault encryption keys such as SSH keys. But SSH keys are functionally different from passwords, and therefore you cannot handle them the same way.
Here are the three top reasons why PAM tools fail at vaulting SSH keys:
LDAP (Lightweight Directory Access Protocol) can be used to store users' public keys, with the SSH server customized to look up in LDAP, at authentication time, which keys a user is authorized to log in with.
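As an added illustration of the LDAP-backed setup just described (example code, not from this post or from SSH Communications Security): an AuthorizedKeysCommand-style lookup that parses an LDIF export of sshPublicKey attributes, unfolds continuation lines, and hands sshd only allow-listed keys whose blob is self-consistent. The LDIF, the users and the key blobs are constructed; `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser` are real OpenSSH options, while the script path `ldap_authorized_keys` is a hypothetical name.

```python
"""AuthorizedKeysCommand-style lookup of SSH public keys held in LDAP.
sshd_config (real OpenSSH options) would run a script like this with the login name:
    AuthorizedKeysCommand /usr/local/sbin/ldap_authorized_keys %u
    AuthorizedKeysCommandUser nobody
In production the LDIF comes from ldapsearch (escape %u per RFC 4515 before it enters
the filter); here a constructed LDIF stands in so the script runs offline."""
import base64
import re
import struct
import sys
ED25519_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIAAA" + "A" * 40  # constructed, zero-filled blob
SAMPLE_LDIF = (  # constructed directory export, not real data
    "dn: uid=alice,ou=People,dc=example,dc=com\nuid: alice\n"
    f"sshPublicKey: ssh-ed25519 {ED25519_BLOB} alice@laptop\n"
    "sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB\n AAAA alice@old\n"  # folded value
    "\ndn: uid=bob,ou=People,dc=example,dc=com\nuid: bob\n"
    "sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAA bob@legacy\n"
)
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}

def keys_by_uid(ldif_text: str) -> dict[str, list[str]]:
    """Map each entry's uid to its sshPublicKey values."""
    result: dict[str, list[str]] = {}
    # LDIF folds long values; a continuation line starts with a single space.
    for entry in re.sub(r"\n ", "", ldif_text).split("\n\n"):
        attrs: dict[str, list[str]] = {}
        for line in entry.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.setdefault(attr, []).append(value.strip())
        if "uid" in attrs:
            result[attrs["uid"][0]] = attrs.get("sshPublicKey", [])
    return result
def key_is_acceptable(key_line: str) -> bool:
    """Allow-listed type, valid base64, and the blob's embedded type name matches."""
    parts = key_line.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return False
    name_len = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else -1
    return blob[4:4 + name_len] == parts[0].encode()
def authorized_keys_for(username: str, ldif_text: str = SAMPLE_LDIF) -> list[str]:
    """Lines sshd reads from the command's stdout: only keys that pass the checks."""
    return [k for k in keys_by_uid(ldif_text).get(username, []) if key_is_acceptable(k)]

if __name__ == "__main__":
    print("\n".join(authorized_keys_for(sys.argv[1])))
```

Keys that fail the type or blob checks are dropped before they ever reach sshd, which is where a stale or weak key sitting in the directory is caught rather than granted access.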
Some of the shortcomings of this approach include:
To cut a long story short, we recommend leaving the keys where they are and managing them in their native locations instead of using key vaults. Vaulting keys requires changing the scripts and configurations you have set up for your environment, which makes change management a nightmare.
What’s more, solutions like traditional PAMs were not built to manage and vault SSH keys. We know this, since all our key management customers have a traditional PAM installed but found the solution wanting. Learn more about why traditional PAMs fail to manage SSH keys in our white paper.
There are naturally more ways to manage SSH keys than vaulting them, and I know you are itching to learn more. Luckily, we have just the piece for you. Just read this document to learn about the good, the bad, and the ugly ways to manage SSH keys.
At the end of the day, there is a stand-out solution to manage keys: our Zero Trust Suite. It manages the keys where they are, doesn’t require reconfiguring your scripts or configurations, finds hard-to-find keys along with their configuration files, and automates a ridiculous amount of manual work.
But you can take it a step further. Managing keys is good, but you are better off not having to manage them at all. You can migrate to a keyless approach iteratively, as illustrated in the image.
In fact, we suggest you manage your passwords AND keys with Zero Trust Suite, which not only gives you control over your credentials but also helps you get rid of them with a passwordless and keyless approach.