
NIST Releases Draft Guidelines for Secure Shell Access Controls for Public Comment


Co-Authored by SSH CEO Tatu Ylönen, New Guidelines Help Federal Government Agencies Control Access to Secure Shell Environments

HELSINKI and WALTHAM, Mass., Aug. 21, 2014 – A compromised Secure Shell key granting a high level of access can put a wide swath of information assets at risk. SSH Communications Security today announced that the computer security division of NIST has released Interagency Report (IR) 7966 providing vital guidance for managing Secure Shell access to sensitive data. Co-authored by SSH CEO Tatu Ylönen, the report offers guidelines that comply with the security controls mandated in NIST 800-53 and the President’s Cyber Security Framework. For more information on the report, visit the NIST IR 7966 page.

The report is a call to action for CIOs and CISOs within the federal government and commercial sector to assess Secure Shell access control procedures and remediate them if necessary.

NIST has identified the following vulnerabilities that Secure Shell users are most often exposed to:

  • Vulnerable Secure Shell implementations, including insecure versions and configuration weaknesses
  • Stolen, leaked and unterminated keys, which lead to a lack of visibility and weakened process controls over key lifecycle management
  • Backdoors to sensitive data inadvertently created by unaudited user keys
  • Unintended key use, resulting in a lack of separation of duties and unintended privilege escalation
  • Incorrect user key location, which weakens access controls to sensitive Secure Shell public and private keys

Tatu Ylönen, CEO of SSH Communications Security, inventor of the SSH protocol and co-author of Interagency Report 7966, said:

“A lack of proper access controls in Secure Shell environments creates a significant security risk for government agencies. Malicious insiders and external attackers can utilize a lost or stolen Secure Shell user key to gain access to critical systems and assets. Over the past year, SSH has worked with NIST and the White House Office of Science and Technology on this critical and highly sensitive issue. We have worked directly with many organizations to address the vulnerabilities highlighted in this report and fully endorse its recommendations.”

About SSH Communications Security

SSH Communications Security is the market leader in developing advanced security solutions that enable, monitor and manage encrypted networks. Over 3,000 customers across the globe trust the company’s encryption, access control and encrypted channel monitoring solutions to meet complex compliance requirements, improve their security posture and save on operational costs. SSH Communications Security is headquartered in Helsinki and has offices in the Americas, Europe and Asia. The company’s shares (SSH1V) are quoted on the NASDAQ OMX Helsinki.

For more information on SSH Communications Security, please visit



