NIST Releases Draft Guidelines for Secure Shell Access Controls for Public Comment


Co-Authored by SSH CEO Tatu Ylönen, New Guidelines Help Federal Government Agencies Control Access to Secure Shell Environments

HELSINKI and WALTHAM, Mass., Aug. 21, 2014 – A compromised Secure Shell key granting a high level of access can put a wide swath of information assets at risk. SSH Communications Security today announced that the computer security division of NIST has released Interagency Report (IR) 7966 providing vital guidance for managing Secure Shell access to sensitive data. Co-authored by SSH CEO Tatu Ylönen, the report offers guidelines that comply with the security controls mandated in NIST 800-53 and the President’s Cyber Security Framework. For more information on the report, visit the NIST IR 7966 page.

The report is a call to action for CIOs and CISOs within the federal government and commercial sector to assess Secure Shell access control procedures and remediate them if necessary.

NIST has identified the following vulnerabilities that Secure Shell users are most often exposed to:

  • Vulnerable Secure Shell implementations, including insecure versions and configuration weaknesses
  • Stolen, leaked and unterminated keys lead to lack of visibility and weakened process controls over key lifecycle management
  • Backdoors to sensitive data are inadvertently created by unaudited user keys
  • Unintended key use resulting in lack of separation of duties and unintended privilege escalation
  • Incorrect user key location weakens access controls to sensitive Secure Shell public and private keys

Tatu Ylönen, CEO of SSH Communications Security, inventor of the SSH protocol and co-author of Interagency Report 7966, said:

“A lack of proper access controls in Secure Shell environments creates a significant security risk for government agencies. Malicious insiders and external attackers can utilize a lost or stolen Secure Shell user key to gain access to critical systems and assets. Over the past year, SSH has worked with NIST and the White House Office of Science and Technology on this critical and highly sensitive issue. We have worked directly with many organizations to address the vulnerabilities highlighted in this report and fully endorse its recommendations.”

About SSH Communications Security

SSH Communications Security is the market leader in developing advanced security solutions that enable, monitor and manage encrypted networks. Over 3,000 customers across the globe trust the company’s encryption, access control and encrypted channel monitoring solutions to meet complex compliance requirements, improve their security posture and save on operational costs. SSH Communications Security is headquartered in Helsinki and has offices in the Americas, Europe and Asia. The company’s shares (SSH1V) are quoted on the NASDAQ OMX Helsinki.

For more information on SSH Communications Security, please visit

