Skip to main content
banner image
venafi logo

Collecting SSH Machine Identity Intelligence to Pass SSH Audits

Collecting SSH Machine Identity Intelligence to Pass SSH Audits

November 2, 2021 | Alexa Hernandez

Have you’ve finished collecting a complete inventory of SSH keys, access rights, and related hosts across your network? Congratulations on being one of few organizations to take this vital step to protecting your SSH machine identities! The work, however, does not end here. Now that you have the basics in place, you need to apply that intelligence to find and maintain high-risk connections. A lack of visibility into orphaned, shared, weak or root keys can lead to unauthorized access and must be immediately reported for analytic review. You should also be able to create your own rules to identify out-of-policy practices like cross environment key usage, improper key lengths or aged keys.

Want to Learn More About SSH Machine Identities? Get the e-Book!

Information about who’s using an SSH key and which systems it can access will prove extremely valuable—especially if there’s a security event or audit. Some of the key usage details that you should discover about your SSH machine identities include

Missing controls

As business-critical SSH connections expand, uncontrolled oversight of the SSH keys, owners, access levels, and authorized assets often get lost, which results in a chaotic mesh of trusted connections. One common risk is having an abundance of unnecessary SSH root keys that violate data privacy policies and generate unwanted exposure.

Cybercriminals misappropriate poorly protected SSH keys to bypass security controls and gain privileged access to internal network resources and data. With SSH keys, attackers can appear to be legitimate administrators or trusted machines, enabling them to hide and move around on internal networks  often for extended periods of time without being detected.

Root access orphan keys

Lack of insight and intelligence into ownership of keys, as well as orphaned, shared, weak, or root keys, can lead to unauthorized access  and should be reported immediately for review and corrective action.

All too often, administrators are stuck with the insurmountable task of trying to track down the root access that has been granted in each environment. What can make this task even more challenging is when you have no visibility as to where the private key resides, resulting in an access orphan. Access orphans are especially concerning when they’re root access orphans, which grant superuser privileges.

Duplicate keys

Duplicating unique host keys isn’t all that uncommon especially when a specific virtual machine gets copied and used in identical ways. Identity keys shouldn’t be duplicated (copied to other systems) for interactive users and automated processes. While it’s not recommended, if you choose to allow duplication for interactive users, you should provide guidelines for the acceptable locations where keys can be copied and used.

Shared private keys

Often, administrators may share their private keys out of convenience  perhaps when they’re on vacation or busy with other duties and need other staff members to assist them. If uncontrolled, this process could quickly spin out of control as private keys are shared, stored, and used without limit.

Lateral movements

Many organizations leave themselves open to SSH-based lateral movement because they have no inventory of deployed SSH keys that enable persistent access between systems. You need to be able to monitor usage to prevent cybercriminals moving around and expanding their access on compromised systems. Monitoring helps you prevent a dense and uncontrolled environment of SSH key-enabled connections that allows attackers to move from asset to asset, using keys found in various user accounts.

Additional intelligence

Information about who’s using an SSH key and which systems it can access will prove extremely valuable  especially if there’s a security event or audit. Some of the key usage details that you should discover about your SSH machine identities include

1. Location

SSH configurations can restrict the locations from which each authorized SSH key can be used. But many organizations fail to limit SSH key use by location. When access is limited to the known locations of administrators and machine-to-machine access, it helps to prevent malicious access from other locations.

2. Owner

One of the best ways to prevent the misuse of SSH machine identities is to understand who’s using them. Furthermore, your organization should assign ownership of all access granting SSH keys and monitor and analyze key-based access usage.

3. Protocol versions

Over time, SSH protocol has expanded its encryption algorithms. Also, support for public key certificates was added in SSH, version 2 (SSHv2). As vulnerabilities start to spike, especially for older unsupported versions like SSH, version 1 (SSHv1), and support is no longer guaranteed, information security teams will deal with many configuration variants and ensure exploitable deployments are rooted out.

SSH Mandates and Standards Continue to Evolve

Because of the security threats and operational risks connected with poorly managed SSH keys, auditors are becoming increasingly focused on those risks and the visibility and management of SSH keys. And the audits themselves evolve over time, generally becoming more dynamic and stringent. In recent years, the number of security frameworks and standards that require close inspection of SSH key risks have grown. The most noteworthy include the following:

  • National Institute of Standards and Technology (NIST)
  • Payment Card Industry Data Security Standards (PCI DSS)
  • Health Insurance Portability and Accountability Act (HIPPA)
  • Sarbanes-Oxley (SOX)
An SSH Machine Identity Audit Checklist

Rather than wait for an auditor to check on the health of your organization’s SSH practices, you can be proactive about securing your SSH keys.

Use this checklist to gauge the likely outcome of your next SSH audit. If you’re lacking one or more of these controls to secure your SSH keys, the chance of passing your next SSH audit may be small. Check off these tasks:

  • Put a comprehensive SSH governance program in place
  • Establish effective SSH key authorization and management
  • Evaluate vulnerable SSH protocols and weak SSH configuration settings
  • Automate SSH key generation, rotation, and removal
  • Establish ongoing monitoring of SSH key usage
  • Build an SSH control assurance program

You can also get a FREE risk assessment of your SSH keys with Venafi!


Related Posts

Like this blog? We think you will love this.
how ssh works
Featured Blog

How Secure Shell (SSH) Keys Work

How it works SSH is a type of network protocol that creates a cryptographically secure

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Alexa Hernandez
Alexa Hernandez

Alexa is the Web Marketing Specialist at Venafi.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more