Universal SSH Key Manager®
The vast majority of large enterprises rely on Secure Shell (SSH) to access servers in the cloud and in remote data centers. SSH is used for system administration, configuration management, file transfers, backups, network management, DevOps, and exchanging data between information systems.
Universal SSH Key Manager provides full life cycle management of SSH keys. They are a new type of access credential introduced by SSH. They've been around for 20 years, but have only recently gotten mainstream attention in the identity and access management and audit communities. It turns out many enterprises have more SSH keys on their corporate networks than they have traditional user names and passwords. Implementing proper life cycle management for SSH keys has become a critical priority.
- Why addressing SSH keys is important
- Full SSH key life cycle management
- Common fallacies and false claims
- Typical SSH key management project
- Strategic path to eliminating all credentials from servers
- Next steps
Why addressing SSH keys is important
SSH keys are access credentials like user names and passwords. Even a single credential is enough to grant access. Hackers routinely target them to spread within the enterprise. For example, recently leaked CIA hacking tools were custom built to capture SSH keys.
With so many SSH keys, they are an ideal tool for spreading an attack laterally from server to server. This can be done in a very stealthy way that is hard to detect by intrusion detection tools. They are the ideal way to leave persistent backdoors into systems for future cyberwarfare or cybercrime operations. Unmanaged SSH keys can realistically be used to take down a Fortune 500 enterprise and cause loss of billions of dollars of shareholder value.
The central issue is knowing who can access what systems and data. Every cybersecurity regulation includes controls on who can access systems and/or data. One cannot have any guarantees of confidentiality, integrity, or continuity if one doesn't know who has access to systems. This is especially true of root access, and approximately 10% of the keys grant root access in most enterprises. The likelihood of a breach is high, and the potental damage is very high. The SSH Risk Assessment service helps organizations understand their risk.
Any organization that doesn't control they SSH key based access is probably in breach of EU GDPR, Sarbanes-Oxley, PCI DSS, HIPAA, NIST SP 800-53 and banking regulations in several countries as applicable.
Many organizations are currently unable to change their SSH keys even if they know there has been a breach and the credentials have been compromised. Changing keys requires knowing all the places each key grants access to, and this is no easy feat without proper key management tools.
NIST has published guidance on managing and addressing SSH keys as NIST IR 7966.
Full SSH key life cycle management
It is important to manage the full life cycle for SSH keys, just as for any other credentials. This involves provisioning (and proper authorizations and controls for provisioning), periodic key rotation, and proper termination of access when a person leaves the organization or the need for access between information systems ceases to exist.
Controlled provisioning means that 1) there are controls on who can provision access, 2) provisioned access is properly approved and reasons for it are traceable, 3) the access is documented and auditable so that adherence to the process is verifiable and proper termination of access can be implemented.
Often, provisioning is integrated with existing identity and access management tools. We have implemented, for example, integrations with Oracle Identity Manager and several other IAM systems.
Usually one of the first steps in establishing a controlled provisioning process is to move the keys out from users' home directories into locations that can be written only by root. Often this location is under
/var. We provide scripts that make this easy and Universal SSH Key Manager fully supports relocating the keys.
Discovering and sorting out legacy credentials
Many established organizations have literally millions of SSH keys on their systems. Those systems aren't going to go away in the next 10 years, even if some servers are moved to run on cloud platforms. It is important to discover and remediate existing key-based access to those systems. We often do an initial discovery as part of a risk assessment in the very early stages when a customer starts to plan how address their SSH keys. This can be done quickly and at low cost.
Discovery is actually much more complicated than many people initially think. Enterprises have all sorts of legacy hardware and old operating systems, often dating back 10-20 years. Some parts of the enterprise store SSH keys in less common locations. Some organizations use custom OpenSSH builds with custom paths built in. Various privilege escalation methods are used in different parts of the enterprise. Thousands of user accounts may have their home directories and keys stored in shared NFS (Network File System) volumes. While doing SSH key management projects over several years in the largest IT environments in the world, we have built support for addressing these complications in an easy way.
Discovery alone is not enough. One cannot manually review millions of keys or just delete them. Thus we've built tools to optimize this process. Universal SSH Key Manager monitors syslog data to determine which keys are actually used and with what accounts and systems. This enables us to identify the 90% of keys that are not used in most organizations. A first quick win is to eliminate these unused keys.
We've also developed tools and reports to analyze which keys and access relationships violate policy. For example, most organizations don't permit key-based access from test and development into production servers, or generally from low-security or low-impact into high-security or high-impact systems. Key-based access from personal accounts to service accounts or root accounts is usually not permitted. These give another major quick win to reduce the number of keys.
Organizations are usually able to remove 90-98% of all their SSH keys, significantly removing their risk. They also identify proper reasons for the remaining keys and establish a proper termination process for them, thus achieving compliance with laws and regulations.
Involving Application Owners
Often, only application teams and application owners know what access should be incoming and outgoing between their systems and other information systems. Universal SSH Key Manager provides a user portal that enables application owners to oversee and approve access into and out of the information systems they are responsible for. The centralized IT organization often does not have the information needed to make these access decisions.
Like other authentication credentials or encryption keys, SSH keys should be rotated periodically. This means that the keys should be changed and replaced by new keys. This applies to both authorized keys and identity keys.
Key rotation is an important last step in remediating existing legacy keys. It is also something that should be performed periodically every year, and especially if there has been a breach where private keys may have leaked.
Universal SSH Key Manager fully automates key rotation. It generates new keys, installs the new authorized keys and identity keys, and removes the old keys in a manner that does not disrupt operations.
Univeral SSH Key Manager continuously monitors the environment to detect if someone adds an unauthorized key using root access. The product re-discovers all keys on all systems every day, and compares them against what has been authorized. It generates alerts about any unauthorized activity. It also monitors system logs to determine the source and destination of every SSH connection using keys. This way, it knows exactly which keys are used and where they are being used from.
The SSH key manager can also automatically insert restrictions on source IP addresses on authorized keys to make it more difficult for anyone to abuse a key if it leaks.
Universal SSH Key Manager keeps track of approvals for each key. Keys can be given a limited life time, so that they automatically expire after a given period of time.
Access termination may also be triggered by integration with other systems, such as identity management.
Common fallacies and false claims
Various competitors frequently make misleading claims around SSH key management. We want to respond to a few.
- SSH key management is not a
check boxfeature. It is a highly complex and security-critical set of functionality with requirements that are not always initially understood. It is important to understand what the full life cycle management means and what functionality securing the customer's environment requires. NIST IR 7966 is a good starting point for this.
- Vaulting private keys does not help much. Access is granted by public keys, i.e., authorized keys. The really important part is eliminating keys that are not needed and establishing proper provisioning and termination processes - full credential life cycle management.
- SSH keys are fundamentally access credentials. While technically cryptographic keys, they do not behave like cryptographic keys. It is not about managing or changing a single key; it is about managing access relationships and passwordless connections between systems. Justifying why someone should have access. It is about roles, automation, scripts, and products using the keys.
- Key rotation needs due care to avoid causing outages. It is not the first thing to do; you must first do through discovery to do it safely.
- Those quick wins that help you eliminate 90% of all keys and distribute the work to application team can save 90% of the overall project cost.
Typical SSH key management project
Easy and fast to deploy without disruption
Our approach to bringing SSH keys under management is non-intrusive and causes zero disturbance in the operation of the environment. We automate as many of the tedius tasks as possible: discovery, lock-down, monitoring, quick wins to eliminate 90% of the keys, and interaction with application teams. We minimize risk by always having the ability to roll back changes.
Our experience and know-how guarantees successful deployments and SSH key remediation projects for your critical infrastructure.
APIs for integrating with identity management
We support integration with Active Directory out of the box. We provide APIs that can be used to integrate with identity management and ticketing systems in the enterprise. We've built existing integrations for several systems, including Oracle Identity Management, Remedy ticketing, and Powerbroker privilege escalation.
Strategic path to eliminating all credentials from servers
PrivX On-Demand Access Manager is a related product for privileged access management. It can completely eliminate permanent SSH keys and passwords from servers. It makes its access grants based on real-time information in Active Directory group memberships and other rules.
Our recommendation is to use Universal SSH Key Manager and PrivX On-Demand Access Manager in combination. The key manager takes control of legacy environments for the next 10-20 years, while PrivX is the path to a future keyless and passwordless architecture. PrivX also fits perfectly into the cloud and elastic environments. It helps make all identities and credentials centrally managed, whether with Active Directory or with some other LDAP-based directory.
Fill the Contact Us form more information, use chat on this page, or give us a call now by clicking the phone icon in the upper right corner of the page.
Contact us to arrange an SSH Risk Assessment to determine the level of exposure to SSH key based risks in your network.
Try Universal SSH Key Manager online now
Try Universal SSH Key Manager live online right away.
- IDC whitepaper on SSH and IAM -
The gaping hole in your IAM strategy
- Universal SSH Key Manager Data Sheet
- NIST guidance on SSH keys - NIST IR 7966