Your browser does not allow storing cookies. We recommend enabling them.

NIST Launches Final Guidelines for Secure Shell Access Controls


Secure Shell Inventor and SSH Chief Innovation Officer Tatu Ylönen Co-Authors Guidelines to Help Federal Agencies Control Access to Secure Shell Environments

HELSINKI and WALTHAM, Mass., Nov. 12, 2015 – SSH Communications Security today announced that the computer security division of NIST has released the final version of Interagency Report (IR) 7966, providing critical guidance for organizations to follow in order to effectively manage Secure Shell access to sensitive data. Co-authored by Secure Shell inventor and SSH chief innovation officer Tatu Ylönen, the report offers specific guidelines that comply with the security controls mandated in NIST 800-53 and the President’s Cyber Security Framework. Download the report by clicking here.

This information helps IT professionals in both the public and private sectors understand Secure Shell-related interactive and automated access management in an enterprise, focusing on the management of Secure Shell user keys, so that they can remain compliant with NIST requirements and increase the safety of their networks.

The report describes the primary categories of vulnerabilities in Secure Shell-based interactive and automated access, including:

Improperly configured access controls that can lead to a variety of serious access-based vulnerabilities

Stolen, leaked, derived, and unterminated SSH user keys

Vulnerable Secure Shell implementations , including software flaws and protocol or configuration weaknesses

Pivoting, in which malware can be engineered to use SSH keys to spread when automated access is allowed

Lack of knowledge and human errors due to the complexity of SSH management and the lack of knowledge many administrators have regarding secure SSH configuration and management

Tatu Ylönen, founder and chief innovation officer, SSH Communications Security, co-author of Interagency Report 7966 , said:

“Too often, executive leadership and their organizations are unaware of how critical Secure Shell keys are in securing access to their organizations’ most sensitive data assets. Ultimately, Secure Shell keys are the same as user credentials and ought to be managed as such. We worked with NIST and the White House Office of Science and Technology to develop and share a clear framework for managing Secure Shell access to sensitive data and addressing vulnerabilities. Following these guidelines will help organizations protect their Secure Shell keys, thereby safeguarding access to critical information assets.”

About SSH Communications Security

As the inventor of the SSH protocol, we have a twenty-year history of leading the market in developing advanced security solutions that enable, monitor, and manage encrypted networks. Over 3,000 customers across the globe trust the company’s encryption, access control and encrypted channel monitoring solutions to meet complex compliance requirements, improve their security posture and save on operational costs. SSH Communications Security is headquartered in Helsinki and has offices in the Americas, Europe and Asia. The company’s shares (SSH1V) are quoted on the NASDAQ OMX Helsinki. For more information, visit

Europe & APAC Contact:

Shiho Hashimoto

SSH Communications Security

+358 40 549 3387

U.S. Contact:

Rueben Rodriguez

SSH Communications Security

+1 617-605-0292

Agency Contact:

Peggy Tierney Galvin

Nadel Phelan, Inc.

+1 831-440-2405




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now