Skip to main content
banner image
venafi logo

4 Ways to Start Protecting Your SSH Keys

4 Ways to Start Protecting Your SSH Keys

protecting ssh keys
February 11, 2022 | David Bisson

Although Secure Shell (SSH) is the most broadly used security protocol for remotely managing Unix/Linux, routers, firewalls, and other systems, most organizations have limited or no formal SSH policies or management in place, as Paul Turner has spelled out in this forum. "Many security practitioners and managers outside of the Unix teams have only a cursory knowledge of SSH—many may not be able to tell you whether SSH uses certificates or public keys, let alone how broadly it is used or the risks it poses if not properly managed," Turner says. 


When organizations don't properly manage their Secure Shell (SSH) keys, they can expose themselves to significant security risks. Those risks commonly arise from the fact that companies routinely use SSH for privileged access but don’t recognize the high-level access that they grant. This ignorance can become even more dangerous when SSH keys are used for automating processes across routers, firewalls, and other mission-critical systems. Once cyber criminals gain access to this interwoven network of machines, they can pivot within your network until they locate valuable data.

The good news is organizations can protect themselves by creating secure practices for managing their SSH keys.

Here are four best practices for SSH key management that every organization should follow.


1. Automate and Build an SSH Inventory
You can't protect something about which you don't know. The best place to begin an SSH key management program is to discover all of your SSH servers, private keys, and authorized keys that grant SSH access. You may be surprised by how many SSH keys you have. Many large organizations end up with more than one million SSH keys spread throughout their network. Your organization should ideally use an automated solution to make sure they discover SSH keys stored in user home directories as well as SSH configurations that limit access. You should then continue to actively manage this inventory as they add and/or decommission SSH-based assets.


2. Identify Holes in Your SSH Environment
The next step to strong SSH key management is scanning an inventory for known vulnerabilities and issues. Your organization should use tools to identify threats such as SSH root access, weak keys, back door keys, duplicated private keys, port forwarding, and insecure configurations. Those tools should also help automate the identification process so that companies can respond to issues and vulnerabilities as soon as they detect them.


3. Fix Known SSH Issues
Once you know there's an issue with your SSH environment, you should respond quickly by removing unauthorized keys, replacing old keys, and/or enforcing security controls that limit the accessibility and use of SSH keys. Ideally, your organization should automate these procedures and pair them with your identification tools. Doing so helps ensure consistent policy enforcement of SSH key lifecycle management. It also creates a trackable record of all changes to an organization's SSH assets.


4. Monitor Your SSH Keys for Additional Risks
With the above processes in place, you should continuously manage and track your SSH keys. Specifically, your organization should make a point of conducting SSH audits for compliance violations, assessing risk, and increasing accountability for identity and access management.

Managing Your SSH Key Environment

Organizations can best manage their SSH key environment by gaining complete visibility over all their keys and certificates. This objective includes identifying all encryption assets and monitoring them for vulnerabilities, detecting anomalies, and enforcing policies.

Learn more about machine identity management. Explore now.

NOTE: This blog has been updated. It was originally posted by David Bisson on December 29, 2017.


Related Posts

Like this blog? We think you will love this.
Featured Blog

All About SSH Key Management and SSH Machine Identities

SSH is a secure way to initiate remote computer access and en

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

David Bisson
David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more