SSH.COM is one of the most trusted brands in cyber security. We help enterprises and agencies solve the security challenges of digital transformation with innovative access management solutions.
Authorized keys are configured separately for each user - usually in the
.ssh/authorized_keys file in the user's home directory. However, the location of the keys can be configured in SSH server configuration files, and is often changed to a root-owned location in more secure environments.
Technically, an authorized key looks like this:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+Mh3U/3We4VYtV1QmWUFIzFLTUeegl1Ao5/QGtCRGAZn8bxX9KlCrrWISIjSYAwCajIEGSPEZwPNMBoK8XD8Q= ylo@klar
Authorized keys configure access credentials and grant access to servers. They must be properly managed as part of identity and access management and are relevant for all compliance standards and cybersecurity-related laws, such as Sarbanes-Oxley for public companies, HIPAA for health care, and FISMA/NIST SP 800-53 for US government agencies.
Universal SSH Key Manager is a popular solution for managing the keys and establishing proper provisioning and termination processes.
Authorized keys are the only kind of credential that users are commonly able to self-provision. It is possible to prevent self-provisioning in SSH, but that requires a configuration change. The operation is often called lock-down, and it is usually one of the first steps in SSH key management.
Each SSH implementation has its own tools for creating and distributing SSH keys. Different implementations also use different formats for the key files.
The whole process is very simple and only takes a few minutes. With default configuration, anyone with access to a user account on a server can configure additional SSH keys for it.
Given that generating and and installing SSH keys is so easy, they can easily proliferate and expose the organization to attack spread and other disks. It is important to pay attention to key management and address it in security policies and audits early on. Even in an organization of only a few dozen people there can be hundreds or thousands of authorized keys. Some larger enterprises have several million keys granting access to their production servers.