Skip to main content
banner image
venafi logo

Using SSH Certificates Instead of SSH Keys

Using SSH Certificates Instead of SSH Keys

what-is-the-future-of-ssh-certificates
September 16, 2022 | A. Morris
What does the future of SSH look like? SSH Certificates.

SSH certificates have been around for several years. But they have not been widely adopted. However, with digital transformation driving exponential growth in the use of SSH machine identities, organizations are starting to consider SSH certificates as a way to avoid some of the risks and complexities that come with managing standard SSH key pairs.

SSH Machine Identity Management for Dummies - Download for FREE Now!

But many organizations are still unsure about the benefits of switching from SSH keys. Below are just a few of the main advantages of using SSH certificates in your organization.

What are the challenges of SSH keys?

SSH certificates offer a fantastic method to solve some of the pain points faced by growing teams and growing infrastructure.

Key sprawl

Many of these challenges result from SSH key sprawl, a problem that is exacerbated by the fact that SSH keys never expire, so they can accumulate over time and can be difficult to locate and manage. Unlike keys, SSH certificates are digitally signed objects that have metadata like username/hostname, restrictions, end date, and more which help avoid many of the challenges and risks associated with traditional SSH keys because usage can be tracked and like TLS certificates, they automatically expire, which allows you to better manage their risk exposure.

Trust on first use

When an SSH connection is first established, the server sends the public key to identify itself to the user. That user then assumes that the connection is trusted. This authentication process is called “trust on first use”. However, if there are changes to the host’s IP, name, or public key, then the user should no longer trust the connection and will see a warning display. Since an IP address and a hostname can be reused many times in a cloud environment, users learn to ignore these warnings. In the case that the connection is unsecure, this can open the door for attackers.

The advantages of using SSH certificates.

Like traditional SSH keys, SSH certificates can also be cryptographically verified and are exchanged between client and host during the SSH handshake. 

SSH user certificates identify clients (in most of the cases these are users or applications) to servers and SSH host certificates identify servers to clients. Like Subject Alternative Name UPN/DNS for X.509 certificates, SSH certificates have a principals field that holds the identity of who is using the certificate. 

Enforcing policies for validity period and revocation

One big advantage of SSH certificates is the validity period. They are valid for a specific period and after that they will not be trusted anymore. The validity period can be days, hours, even minutes. Anyone who’s dealt with the damaging effects of SSH key sprawl can imagine the range of benefits of having automatic expiry with SSH certificates. Reduced key sprawl, preventing keys being shared or compromised, SSH rotation policies being enforced and helping prevent failed SSH audits are just some of the benefits that can come from using SSH certificates.

An additional benefit of automatic expiry comes into play if an employee loses access (e.g., they leave the company), their existing certificate will expire, and they will not be able to get a new one. This passive revocation is a big advantage in case of a compromised private SSH key. If there is a lost or stolen laptop, a short-lived SSH certificate is worthless for accessing internal infrastructure.

These are just a few advantages of SSH certificates but it’s clear that they are here to stay and go a long way to helping enforce SSH policies, reducing the complexity of managing SSH keys and minimizing your threat vector when it comes to SSH.

To learn more about establishing an SSH Machine Identity Management Strategy visit https://www.venafi.com/platform/ssh-protect
 

Related Posts

Like this blog? We think you will love this.
all-about-ssh-key-management
Featured Blog

All About SSH Key Management and SSH Machine Identities

SSH is a secure way to initiate remote computer access and en

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more